diff --git a/SECURITY.md b/SECURITY.md
index 70043a97a1..f3150f04e8 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -33,4 +33,4 @@ Disclosures will contain an overview, details about the vulnerability, a fix tha
 We will coordinate publishing disclosures and security releases in a way that is realistic and necessary for end users. We prefer to fully disclose the vulnerability as soon as possible once a user mitigation is available.
-Disclosures will always be published in a timely manner after a release is published that fixes the vulnerability.
\ No newline at end of file
+Disclosures will always be published in a timely manner after a release is published that fixes the vulnerability.
diff --git a/core/server/policies.go b/core/server/policies.go
index bb18aa8ee2..e5ed4b254a 100644
--- a/core/server/policies.go
+++ b/core/server/policies.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"math"
 	"strconv"
 	"strings"
 	"time"
@@ -44,14 +45,20 @@ func getPolicyParamValue(param pacv2beta2.PolicyParameters, policyID string) (*a
 		value := wrapperspb.String(strValue)
 		anyValue, err = anypb.New(value)
 	case "integer":
-		intValue, convErr := strconv.Atoi(string(param.Value.Raw))
+		intValue, convErr := strconv.ParseInt(string(param.Value.Raw), 10, 32)
 		if convErr != nil {
 			err = convErr
 			break
 		}
+		if intValue < math.MinInt32 || intValue > math.MaxInt32 {
+			err = fmt.Errorf("integer value out of int32 range")
+			break
+		}
 		value := wrapperspb.Int32(int32(intValue))
 		anyValue, err = anypb.New(value)
 	case "boolean":
+		// fixes CWE-190 CWE-681
+		// https://github.com/weaveworks/weave-gitops/security/code-scanning/3886
 		boolValue, convErr := strconv.ParseBool(string(param.Value.Raw))
 		if convErr != nil {
 			err = convErr
diff --git a/package.json b/package.json
index 8c31eb5d13..a8042056ee 100644
--- a/package.json
+++ b/package.json
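Review bot: The added range check on intValue in the getPolicyParamValue hunk is unreachable: strconv.ParseInt with bitSize 32 already returns a *NumError wrapping strconv.ErrRange for any value outside int32, so `if intValue < math.MinInt32 || intValue > math.MaxInt32` never fires and the new `"math"` import in the first hunk exists only to support it. Dropping that block and the import keeps the fix to the ParseInt line; if a clearer message is wanted, handle `errors.Is(convErr, strconv.ErrRange)` inside the existing convErr branch, since errors is already imported. The `// fixes CWE-190 CWE-681` comment and its scanner link are placed under `case "boolean":`, although the change they describe is the integer case above; move them to sit above the ParseInt line so the next reader does not look for an overflow fix in ParseBool. getPolicyParamValue begins and ends outside the hunk.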
@@ -50,11 +50,14 @@
     "@material-ui/core": "^4.12.4",
     "@material-ui/icons": "^4.11.2",
     "@material-ui/lab": "^4.0.0-alpha.58",
+    "ansi-styles": "^6.2.1",
+    "commander": "^11.0.0",
     "cross-spawn": "^7.0.5",
     "d3": "^7.6.1",
     "d3-dag": "^0.11.5",
     "history": "^5.0.0",
     "http-proxy-middleware": "^2.0.3",
+    "install": "^0.13.0",
     "jest-canvas-mock": "^2.4.0",
     "jest-fail-on-console": "^3.0.1",
     "jest-worker": "^27.5.1",
@@ -74,8 +77,7 @@
     "react-toastify": "^9.1.2",
     "remark-gfm": "^3.0.1",
     "styled-components": "^5.3.0",
-    "yaml": "^2.2.2",
-    "commander": "^11.0.0"
+    "yaml": "^2.2.2"
   },
   "jest": {
     "preset": "ts-jest",
diff --git a/pkg/validate/validate.go b/pkg/validate/validate.go
index 246e357284..e5782344d3 100644
--- a/pkg/validate/validate.go
+++ b/pkg/validate/validate.go
@@ -8,6 +8,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"strings"
 	"sync"
 	"github.com/hashicorp/go-cleanhttp"
@@ -284,7 +285,12 @@ func untar(destDir string, r io.Reader) (retErr error) {
 		}
 		// the target location where the dir/file should be created
-		target := filepath.Join(destDir, header.Name)
+		// fixes CWE-22 by cleaning the path
+		cleanedName := filepath.Clean(header.Name)
+		if strings.Contains(cleanedName, "..") {
+			return fmt.Errorf("invalid file path: %s", header.Name)
+		}
+		target := filepath.Join(destDir, cleanedName)
 		// the following switch could also be done using fi.Mode(), not sure if there
 		// a benefit of using one vs. the other.
diff --git a/website/yarn.lock b/website/yarn.lock
index bd48dfe135..be1a1eeecb 100644
--- a/website/yarn.lock
+++ b/website/yarn.lock
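Review bot: The new `"install": "^0.13.0"` entry in the first package.json hunk looks accidental; nothing in this diff imports a package named install, and that package is commonly added by mistake from a mistyped install command, so it should be removed together with its yarn.lock entry later in this diff unless project code actually requires it. Adding ansi-styles and moving commander into the alphabetical position are each a new direct supply-chain edge, so it is worth confirming both are imported by project code rather than only pulled in transitively. A one-line commit note saying which files import each new dependency would make this reviewable without grepping the tree.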
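Review bot: The traversal guard in the untar hunk rejects any cleaned name that contains `..` anywhere, so legitimate archive entries such as `foo..bar` or `v1..v2/notes` are refused, while it never checks the resolved target against destDir itself. A containment check on the joined path is both tighter and more permissive for valid names; the rewrite below keeps the existing error message. Symlink and hardlink entries are not covered by either form of the check; if the switch after this hunk handles those tar types, the link target needs the same containment test. untar begins and ends outside the hunk.
```go
		// the target location where the dir/file should be created;
		// reject entries that would resolve outside destDir (CWE-22)
		target := filepath.Join(destDir, header.Name)
		rel, relErr := filepath.Rel(destDir, target)
		if relErr != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
			return fmt.Errorf("invalid file path: %s", header.Name)
		}
		// … unchanged: type switch on header.Typeflag …
```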
@@ -5540,10 +5540,10 @@ multicast-dns@^7.2.5: dns-packet "^5.2.2" thunky "^1.0.2" -nanoid@^3.3.6: - version "3.3.6" - resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.6.tgz#443380c856d6e9f9824267d960b4236ad583ea4c" - integrity sha512-BGcqMMJuToF7i1rt+2PWSNVnWIkGCU78jBG3RxO/bZlnZPK2Cmi2QaffxGO/2RvWi9sL+FAiRiXMgsyxQ1DIDA== +nanoid@^3.3.8: + version "3.3.8" + resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.8.tgz#b1be3030bee36aaff18bacb375e5cce521684baf" + integrity sha512-WNLf5Sd8oZxOm+TzppcYk8gVOgP+l58xNy58D0nbUnOxOWRWvlcCV4kUF7ltmI6PsrLl/BgKEyS4mqsGChFN0w== negotiator@0.6.3: version "0.6.3" diff --git a/yarn.lock b/yarn.lock index 3e801cc9b9..0a323134fd 100644 --- a/yarn.lock +++ b/yarn.lock @@ -3724,6 +3724,11 @@ ansi-styles@^5.0.0: resolved "https://registry.npmjs.org/ansi-styles/-/ansi-styles-5.2.0.tgz" integrity sha512-Cxwpt2SfTzTtXcfOlzGEee8O+c+MmUgGrNiBcXnuWxuFJHe6a5Hz7qwhwe5OgaSYI0IJvkLqWX1ASG+cJOkEiA== +ansi-styles@^6.2.1: + version "6.2.1" + resolved "https://registry.yarnpkg.com/ansi-styles/-/ansi-styles-6.2.1.tgz#0e62320cf99c21afff3b3012192546aacbfb05c5" + integrity sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug== + anymatch@^3.0.3: version "3.1.2" resolved "https://registry.npmjs.org/anymatch/-/anymatch-3.1.2.tgz" @@ -5787,6 +5792,11 @@ inline-style-parser@0.1.1: resolved "https://registry.npmjs.org/inline-style-parser/-/inline-style-parser-0.1.1.tgz" integrity sha512-7NXolsK4CAS5+xvdj5OMMbI962hU/wvwoxk+LWR9Ek9bVtyuuYScDN6eS0rUm6TxApFpw7CX1o4uJzcd4AyD3Q== +install@^0.13.0: + version "0.13.0" + resolved "https://registry.yarnpkg.com/install/-/install-0.13.0.tgz#6af6e9da9dd0987de2ab420f78e60d9c17260776" + integrity sha512-zDml/jzr2PKU9I8J/xyZBQn8rPCAY//UOYNmR01XwNwyfhEWObo2SWfSl1+0tm1u6PhxLwDnfsT/6jB7OUxqFA== + internal-slot@^1.0.3: version "1.0.3" resolved "https://registry.npmjs.org/internal-slot/-/internal-slot-1.0.3.tgz" 
@@ -7897,9 +7907,9 @@ nano-time@1.0.0: big-integer "^1.6.16" nanoid@^3.3.6: - version "3.3.6" - resolved "https://registry.npmjs.org/nanoid/-/nanoid-3.3.6.tgz" - integrity sha512-BGcqMMJuToF7i1rt+2PWSNVnWIkGCU78jBG3RxO/bZlnZPK2Cmi2QaffxGO/2RvWi9sL+FAiRiXMgsyxQ1DIDA== + version "3.3.8" + resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.8.tgz#b1be3030bee36aaff18bacb375e5cce521684baf" + integrity sha512-WNLf5Sd8oZxOm+TzppcYk8gVOgP+l58xNy58D0nbUnOxOWRWvlcCV4kUF7ltmI6PsrLl/BgKEyS4mqsGChFN0w== natural-compare@^1.4.0: version "1.4.0"