fix: audit errors around nanoid #4242

Merged
merged 6 commits into from
Dec 11, 2024
Merged
2 changes: 1 addition & 1 deletion SECURITY.md
Expand Up @@ -33,4 +33,4 @@ Disclosures will contain an overview, details about the vulnerability, a fix tha

We will coordinate publishing disclosures and security releases in a way that is realistic and necessary for end users.
We prefer to fully disclose the vulnerability as soon as possible once a user mitigation is available.
Disclosures will always be published in a timely manner after a release is published that fixes the vulnerability.
Disclosures will always be published in a timely manner after a release is published that fixes the vulnerability.
9 changes: 8 additions & 1 deletion core/server/policies.go
Expand Up @@ -5,6 +5,7 @@ import (
"encoding/json"
"errors"
"fmt"
"math"
"strconv"
"strings"
"time"
Expand Down Expand Up @@ -44,14 +45,20 @@ func getPolicyParamValue(param pacv2beta2.PolicyParameters, policyID string) (*a
value := wrapperspb.String(strValue)
anyValue, err = anypb.New(value)
case "integer":
intValue, convErr := strconv.Atoi(string(param.Value.Raw))
intValue, convErr := strconv.ParseInt(string(param.Value.Raw), 10, 32)
if convErr != nil {
err = convErr
break
}
if intValue < math.MinInt32 || intValue > math.MaxInt32 {
err = fmt.Errorf("integer value out of int32 range")
break
}
value := wrapperspb.Int32(int32(intValue))
anyValue, err = anypb.New(value)
case "boolean":
// fixes CWE-190 CWE-681
// https://github.com/weaveworks/weave-gitops/security/code-scanning/3886
boolValue, convErr := strconv.ParseBool(string(param.Value.Raw))
if convErr != nil {
err = convErr
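Review bot: The guard `if intValue < math.MinInt32 || intValue > math.MaxInt32` in the `case "integer":` branch is unreachable, because `strconv.ParseInt(s, 10, 32)` already returns a `*strconv.NumError` wrapping `strconv.ErrRange` for any value that does not fit in an int32, so `intValue` is always in range whenever `convErr` is nil. Either drop the guard together with the new `math` import, or keep it as an explicitly defensive check with a comment such as `// unreachable after ParseInt(…, 32); kept as belt-and-braces for the int32() conversion below` so the next reader does not assume the parse can succeed on an out-of-range value. The `// fixes CWE-190 CWE-681` comment and the code-scanning link are placed under `case "boolean":` but describe the integer conversion above them; they belong in the `case "integer":` branch. The bare `convErr` returned by `strconv` does not say which policy or parameter failed, so consider `err = fmt.Errorf("parsing integer parameter for policy %s: %w", policyID, convErr)` for both the parse and the range error. `getPolicyParamValue` starts and ends outside this hunk.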
6 changes: 4 additions & 2 deletions package.json
Expand Up @@ -50,11 +50,14 @@
"@material-ui/core": "^4.12.4",
"@material-ui/icons": "^4.11.2",
"@material-ui/lab": "^4.0.0-alpha.58",
"ansi-styles": "^6.2.1",
"commander": "^11.0.0",
"cross-spawn": "^7.0.5",
"d3": "^7.6.1",
"d3-dag": "^0.11.5",
"history": "^5.0.0",
"http-proxy-middleware": "^2.0.3",
"install": "^0.13.0",
"jest-canvas-mock": "^2.4.0",
"jest-fail-on-console": "^3.0.1",
"jest-worker": "^27.5.1",
Expand All @@ -74,8 +77,7 @@
"react-toastify": "^9.1.2",
"remark-gfm": "^3.0.1",
"styled-components": "^5.3.0",
"yaml": "^2.2.2",
"commander": "^11.0.0"
"yaml": "^2.2.2"
},
"jest": {
"preset": "ts-jest",
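Review bot: `"install": "^0.13.0"` is added as a runtime dependency although nothing in this PR imports it, and the root `yarn.lock` gains the matching `install@^0.13.0` entry; that package is the familiar artifact of an accidental `npm install install` and I would expect it to be removed before merge. `ansi-styles` and `cross-spawn` are likewise promoted to direct dependencies, presumably to force patched versions of packages that are otherwise only transitive; if that is the intent, a `resolutions` entry or a short note in the PR description records it better than a direct dependency that no source file uses. Every direct dependency added here widens the supply-chain surface the lockfile vouches for, so each one should have a stated reason.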
8 changes: 7 additions & 1 deletion pkg/validate/validate.go
Expand Up @@ -8,6 +8,7 @@ import (
"io"
"os"
"path/filepath"
"strings"
"sync"

"github.com/hashicorp/go-cleanhttp"
Expand Down Expand Up @@ -284,7 +285,12 @@ func untar(destDir string, r io.Reader) (retErr error) {
}

// the target location where the dir/file should be created
target := filepath.Join(destDir, header.Name)
// fixes CWE-22 by cleaning the path
cleanedName := filepath.Clean(header.Name)
if strings.Contains(cleanedName, "..") {
return fmt.Errorf("invalid file path: %s", header.Name)
}
target := filepath.Join(destDir, cleanedName)

// the following switch could also be done using fi.Mode(), not sure if there
// a benefit of using one vs. the other.
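Review bot: `strings.Contains(cleanedName, "..")` rejects any archive entry whose name merely contains two consecutive dots (`release..v2/file`, `notes..txt`), which is stricter than the traversal risk requires, and it tests the cleaned name rather than the final `target`, so containment under `destDir` is inferred instead of checked. The idiomatic guard joins first and then verifies with `filepath.Rel` that the result still lies under `destDir`; that accepts every legitimate name and rejects exactly the entries that escape. Absolute names are already neutralised by `filepath.Join`, but if the type switch below creates symlink entries, `header.Linkname` needs the same containment check, which this hunk does not show. The error should also format `header.Name` with `%q` so empty or control-character names are visible in logs. `untar` starts and ends outside this hunk.
```go
// the target location where the dir/file should be created; reject any
// entry that would resolve outside destDir (CWE-22)
target := filepath.Join(destDir, header.Name)
rel, relErr := filepath.Rel(destDir, target)
if relErr != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
	return fmt.Errorf("invalid file path: %q", header.Name)
}
// … unchanged: type switch on the tar header …
```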
8 changes: 4 additions & 4 deletions website/yarn.lock
Expand Up @@ -5540,10 +5540,10 @@ multicast-dns@^7.2.5:
dns-packet "^5.2.2"
thunky "^1.0.2"

nanoid@^3.3.6:
version "3.3.6"
resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.6.tgz#443380c856d6e9f9824267d960b4236ad583ea4c"
integrity sha512-BGcqMMJuToF7i1rt+2PWSNVnWIkGCU78jBG3RxO/bZlnZPK2Cmi2QaffxGO/2RvWi9sL+FAiRiXMgsyxQ1DIDA==
nanoid@^3.3.8:
version "3.3.8"
resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.8.tgz#b1be3030bee36aaff18bacb375e5cce521684baf"
integrity sha512-WNLf5Sd8oZxOm+TzppcYk8gVOgP+l58xNy58D0nbUnOxOWRWvlcCV4kUF7ltmI6PsrLl/BgKEyS4mqsGChFN0w==

[email protected]:
version "0.6.3"
16 changes: 13 additions & 3 deletions yarn.lock
Expand Up @@ -3724,6 +3724,11 @@ ansi-styles@^5.0.0:
resolved "https://registry.npmjs.org/ansi-styles/-/ansi-styles-5.2.0.tgz"
integrity sha512-Cxwpt2SfTzTtXcfOlzGEee8O+c+MmUgGrNiBcXnuWxuFJHe6a5Hz7qwhwe5OgaSYI0IJvkLqWX1ASG+cJOkEiA==

ansi-styles@^6.2.1:
version "6.2.1"
resolved "https://registry.yarnpkg.com/ansi-styles/-/ansi-styles-6.2.1.tgz#0e62320cf99c21afff3b3012192546aacbfb05c5"
integrity sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug==

anymatch@^3.0.3:
version "3.1.2"
resolved "https://registry.npmjs.org/anymatch/-/anymatch-3.1.2.tgz"
Expand Down Expand Up @@ -5787,6 +5792,11 @@ [email protected]:
resolved "https://registry.npmjs.org/inline-style-parser/-/inline-style-parser-0.1.1.tgz"
integrity sha512-7NXolsK4CAS5+xvdj5OMMbI962hU/wvwoxk+LWR9Ek9bVtyuuYScDN6eS0rUm6TxApFpw7CX1o4uJzcd4AyD3Q==

install@^0.13.0:
version "0.13.0"
resolved "https://registry.yarnpkg.com/install/-/install-0.13.0.tgz#6af6e9da9dd0987de2ab420f78e60d9c17260776"
integrity sha512-zDml/jzr2PKU9I8J/xyZBQn8rPCAY//UOYNmR01XwNwyfhEWObo2SWfSl1+0tm1u6PhxLwDnfsT/6jB7OUxqFA==

internal-slot@^1.0.3:
version "1.0.3"
resolved "https://registry.npmjs.org/internal-slot/-/internal-slot-1.0.3.tgz"
Expand Down Expand Up @@ -7897,9 +7907,9 @@ [email protected]:
big-integer "^1.6.16"

nanoid@^3.3.6:
version "3.3.6"
resolved "https://registry.npmjs.org/nanoid/-/nanoid-3.3.6.tgz"
integrity sha512-BGcqMMJuToF7i1rt+2PWSNVnWIkGCU78jBG3RxO/bZlnZPK2Cmi2QaffxGO/2RvWi9sL+FAiRiXMgsyxQ1DIDA==
version "3.3.8"
resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.8.tgz#b1be3030bee36aaff18bacb375e5cce521684baf"
integrity sha512-WNLf5Sd8oZxOm+TzppcYk8gVOgP+l58xNy58D0nbUnOxOWRWvlcCV4kUF7ltmI6PsrLl/BgKEyS4mqsGChFN0w==

natural-compare@^1.4.0:
version "1.4.0"