fix: audit errors around nanoid (#4242)

weaveworks · Dec 11, 2024 · 57c438f · 57c438f
1 parent 794ad1a
commit 57c438f
Show file tree

Hide file tree

Showing 6 changed files with 37 additions and 12 deletions.
diff --git a/SECURITY.md b/SECURITY.md
@@ -33,4 +33,4 @@ Disclosures will contain an overview, details about the vulnerability, a fix tha
 
 We will coordinate publishing disclosures and security releases in a way that is realistic and necessary for end users.
 We prefer to fully disclose the vulnerability as soon as possible once a user mitigation is available.
-Disclosures will always be published in a timely manner after a release is published that fixes the vulnerability.
+Disclosures will always be published in a timely manner after a release is published that fixes the vulnerability.
diff --git a/core/server/policies.go b/core/server/policies.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"math"
 	"strconv"
 	"strings"
 	"time"
@@ -44,14 +45,20 @@ func getPolicyParamValue(param pacv2beta2.PolicyParameters, policyID string) (*a
 		value := wrapperspb.String(strValue)
 		anyValue, err = anypb.New(value)
 	case "integer":
-		intValue, convErr := strconv.Atoi(string(param.Value.Raw))
+		intValue, convErr := strconv.ParseInt(string(param.Value.Raw), 10, 32)
 		if convErr != nil {
 			err = convErr
 			break
 		}
+		if intValue < math.MinInt32 || intValue > math.MaxInt32 {
+			err = fmt.Errorf("integer value out of int32 range")
+			break
+		}
 		value := wrapperspb.Int32(int32(intValue))
 		anyValue, err = anypb.New(value)
 	case "boolean":
+		// fixes CWE-190 CWE-681
+		// https://github.com/weaveworks/weave-gitops/security/code-scanning/3886
 		boolValue, convErr := strconv.ParseBool(string(param.Value.Raw))
 		if convErr != nil {
 			err = convErr

diff --git a/package.json b/package.json
@@ -50,11 +50,14 @@
     "@material-ui/core": "^4.12.4",
     "@material-ui/icons": "^4.11.2",
     "@material-ui/lab": "^4.0.0-alpha.58",
+    "ansi-styles": "^6.2.1",
+    "commander": "^11.0.0",
     "cross-spawn": "^7.0.5",
     "d3": "^7.6.1",
     "d3-dag": "^0.11.5",
     "history": "^5.0.0",
     "http-proxy-middleware": "^2.0.3",
+    "install": "^0.13.0",
     "jest-canvas-mock": "^2.4.0",
     "jest-fail-on-console": "^3.0.1",
     "jest-worker": "^27.5.1",
@@ -74,8 +77,7 @@
     "react-toastify": "^9.1.2",
     "remark-gfm": "^3.0.1",
     "styled-components": "^5.3.0",
-    "yaml": "^2.2.2",
-    "commander": "^11.0.0"
+    "yaml": "^2.2.2"
   },
   "jest": {
     "preset": "ts-jest",

diff --git a/pkg/validate/validate.go b/pkg/validate/validate.go
@@ -8,6 +8,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"strings"
 	"sync"
 
 	"github.com/hashicorp/go-cleanhttp"
@@ -284,7 +285,12 @@ func untar(destDir string, r io.Reader) (retErr error) {
 		}
 
 		// the target location where the dir/file should be created
-		target := filepath.Join(destDir, header.Name)
+		// fixes CWE-22 by cleaning the path
+		cleanedName := filepath.Clean(header.Name)
+		if strings.Contains(cleanedName, "..") {
+			return fmt.Errorf("invalid file path: %s", header.Name)
+		}
+		target := filepath.Join(destDir, cleanedName)
 
 		// the following switch could also be done using fi.Mode(), not sure if there
 		// a benefit of using one vs. the other.

diff --git a/website/yarn.lock b/website/yarn.lock
@@ -5540,10 +5540,10 @@ multicast-dns@^7.2.5:
     dns-packet "^5.2.2"
     thunky "^1.0.2"
 
-nanoid@^3.3.6:
-  version "3.3.6"
-  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.6.tgz#443380c856d6e9f9824267d960b4236ad583ea4c"
-  integrity sha512-BGcqMMJuToF7i1rt+2PWSNVnWIkGCU78jBG3RxO/bZlnZPK2Cmi2QaffxGO/2RvWi9sL+FAiRiXMgsyxQ1DIDA==
+nanoid@^3.3.8:
+  version "3.3.8"
+  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.8.tgz#b1be3030bee36aaff18bacb375e5cce521684baf"
+  integrity sha512-WNLf5Sd8oZxOm+TzppcYk8gVOgP+l58xNy58D0nbUnOxOWRWvlcCV4kUF7ltmI6PsrLl/BgKEyS4mqsGChFN0w==
 
 [email protected]:
   version "0.6.3"

diff --git a/yarn.lock b/yarn.lock
@@ -3724,6 +3724,11 @@ ansi-styles@^5.0.0:
   resolved "https://registry.npmjs.org/ansi-styles/-/ansi-styles-5.2.0.tgz"
   integrity sha512-Cxwpt2SfTzTtXcfOlzGEee8O+c+MmUgGrNiBcXnuWxuFJHe6a5Hz7qwhwe5OgaSYI0IJvkLqWX1ASG+cJOkEiA==
 
+ansi-styles@^6.2.1:
+  version "6.2.1"
+  resolved "https://registry.yarnpkg.com/ansi-styles/-/ansi-styles-6.2.1.tgz#0e62320cf99c21afff3b3012192546aacbfb05c5"
+  integrity sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug==
+
 anymatch@^3.0.3:
   version "3.1.2"
   resolved "https://registry.npmjs.org/anymatch/-/anymatch-3.1.2.tgz"
@@ -5787,6 +5792,11 @@ [email protected]:
   resolved "https://registry.npmjs.org/inline-style-parser/-/inline-style-parser-0.1.1.tgz"
   integrity sha512-7NXolsK4CAS5+xvdj5OMMbI962hU/wvwoxk+LWR9Ek9bVtyuuYScDN6eS0rUm6TxApFpw7CX1o4uJzcd4AyD3Q==
 
+install@^0.13.0:
+  version "0.13.0"
+  resolved "https://registry.yarnpkg.com/install/-/install-0.13.0.tgz#6af6e9da9dd0987de2ab420f78e60d9c17260776"
+  integrity sha512-zDml/jzr2PKU9I8J/xyZBQn8rPCAY//UOYNmR01XwNwyfhEWObo2SWfSl1+0tm1u6PhxLwDnfsT/6jB7OUxqFA==
+
 internal-slot@^1.0.3:
   version "1.0.3"
   resolved "https://registry.npmjs.org/internal-slot/-/internal-slot-1.0.3.tgz"
@@ -7897,9 +7907,9 @@ [email protected]:
     big-integer "^1.6.16"
 
 nanoid@^3.3.6:
-  version "3.3.6"
-  resolved "https://registry.npmjs.org/nanoid/-/nanoid-3.3.6.tgz"
-  integrity sha512-BGcqMMJuToF7i1rt+2PWSNVnWIkGCU78jBG3RxO/bZlnZPK2Cmi2QaffxGO/2RvWi9sL+FAiRiXMgsyxQ1DIDA==
+  version "3.3.8"
+  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.8.tgz#b1be3030bee36aaff18bacb375e5cce521684baf"
+  integrity sha512-WNLf5Sd8oZxOm+TzppcYk8gVOgP+l58xNy58D0nbUnOxOWRWvlcCV4kUF7ltmI6PsrLl/BgKEyS4mqsGChFN0w==
 
 natural-compare@^1.4.0:
   version "1.4.0"