
Commit 57c438f

authored
fix: audit errors around nanoid (#4242)
1 parent 794ad1a commit 57c438f


6 files changed

+37
-12
lines changed

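--- a/SECURITY.md
+++ b/SECURITY.md
@@ -33,4 +33,4 @@ Disclosures will contain an overview, details about the vulnerability, a fix tha
 
 We will coordinate publishing disclosures and security releases in a way that is realistic and necessary for end users.
 We prefer to fully disclose the vulnerability as soon as possible once a user mitigation is available.
-Disclosures will always be published in a timely manner after a release is published that fixes the vulnerability.
+Disclosures will always be published in a timely manner after a release is published that fixes the vulnerability.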

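--- a/core/server/policies.go
+++ b/core/server/policies.go
@@ -5,6 +5,7 @@ import (
 "encoding/json"
 "errors"
 "fmt"
+"math"
 "strconv"
 "strings"
 "time"
@@ -44,14 +45,20 @@ func getPolicyParamValue(param pacv2beta2.PolicyParameters, policyID string) (*a
 value := wrapperspb.String(strValue)
 anyValue, err = anypb.New(value)
 case "integer":
-intValue, convErr := strconv.Atoi(string(param.Value.Raw))
+intValue, convErr := strconv.ParseInt(string(param.Value.Raw), 10, 32)
 if convErr != nil {
 err = convErr
 break
 }
+if intValue < math.MinInt32 || intValue > math.MaxInt32 {
+err = fmt.Errorf("integer value out of int32 range")
+break
+}
 value := wrapperspb.Int32(int32(intValue))
 anyValue, err = anypb.New(value)
 case "boolean":
+// fixes CWE-190 CWE-681
+// https://github.com/weaveworks/weave-gitops/security/code-scanning/3886
 boolValue, convErr := strconv.ParseBool(string(param.Value.Raw))
 if convErr != nil {
 err = convErr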
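Review bot: The explicit range check added after `ParseInt` is unreachable: `strconv.ParseInt(s, 10, 32)` already returns a `*strconv.NumError` wrapping `ErrRange` for any value outside int32, and that error takes the `break` first, so `intValue` can never be outside `[math.MinInt32, math.MaxInt32]` when the new `if` runs. Either drop the check together with the new `math` import, or keep it as deliberate defence-in-depth with a comment saying so. Separately, the `// fixes CWE-190 CWE-681` comment and scanner link are placed under `case "boolean":`, where they read as if boolean parsing were the overflow fix; they belong on the `"integer"` branch they describe. While here, the error is more actionable with the offending input: `err = fmt.Errorf("integer value %q out of int32 range", string(param.Value.Raw))`. getPolicyParamValue starts before and ends after this hunk.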

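--- a/package.json
+++ b/package.json
@@ -50,11 +50,14 @@
 "@material-ui/core": "^4.12.4",
 "@material-ui/icons": "^4.11.2",
 "@material-ui/lab": "^4.0.0-alpha.58",
+"ansi-styles": "^6.2.1",
+"commander": "^11.0.0",
 "cross-spawn": "^7.0.5",
 "d3": "^7.6.1",
 "d3-dag": "^0.11.5",
 "history": "^5.0.0",
 "http-proxy-middleware": "^2.0.3",
+"install": "^0.13.0",
 "jest-canvas-mock": "^2.4.0",
 "jest-fail-on-console": "^3.0.1",
 "jest-worker": "^27.5.1",
@@ -74,8 +77,7 @@
 "react-toastify": "^9.1.2",
 "remark-gfm": "^3.0.1",
 "styled-components": "^5.3.0",
-"yaml": "^2.2.2",
-"commander": "^11.0.0"
+"yaml": "^2.2.2"
 },
 "jest": {
 "preset": "ts-jest",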
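Review bot: `"install": "^0.13.0"` is added as a direct dependency with no use anywhere in this commit; the npm package literally named `install` is the usual artifact of running `npm install install`, and every unneeded package is extra supply-chain surface, so it should be removed unless something actually imports it. The `ansi-styles` addition also looks ineffective as an audit fix: the lockfile keeps `ansi-styles@^5.0.0` resolved to 5.2.0 alongside the new 6.2.1 entry, so whatever transitively depends on v5 still gets v5 — forcing a version needs a `resolutions` entry, not a new direct dependency (assuming the intent was to override a transitive version, which the commit does not state). Finally, the nanoid bump in `yarn.lock` is resolved to 3.3.8 under the unchanged `nanoid@^3.3.6:` key and from a different registry host than its neighbours, which suggests the lockfile was hand-edited rather than regenerated; rerunning `yarn install` would produce a lockfile that is consistent with the manifests.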

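--- a/pkg/validate/validate.go
+++ b/pkg/validate/validate.go
@@ -8,6 +8,7 @@ import (
 "io"
 "os"
 "path/filepath"
+"strings"
 "sync"
 
 "github.com/hashicorp/go-cleanhttp"
@@ -284,7 +285,12 @@ func untar(destDir string, r io.Reader) (retErr error) {
 }
 
 // the target location where the dir/file should be created
-target := filepath.Join(destDir, header.Name)
+// fixes CWE-22 by cleaning the path
+cleanedName := filepath.Clean(header.Name)
+if strings.Contains(cleanedName, "..") {
+return fmt.Errorf("invalid file path: %s", header.Name)
+}
+target := filepath.Join(destDir, cleanedName)
 
 // the following switch could also be done using fi.Mode(), not sure if there
 // a benefit of using one vs. the other.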
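Review bot: The `strings.Contains(cleanedName, "..")` test is both too broad and not the containment check this needs: it rejects legitimate entry names such as `foo..bar` or `a..txt`, while the property that actually matters — that `target` stays underneath `destDir` — is never verified directly. The robust form is to build `target` with `filepath.Join` (which already cleans the result) and then check it against `destDir` with `filepath.Rel`, rejecting anything that resolves to `..` or starts with `../`. This only covers the entry's own path; if the switch below handles `tar.TypeSymlink` or `tar.TypeLink` entries, their `Linkname` needs the same containment check or a link can still point outside `destDir` (the switch is outside this hunk, so I can't confirm what it does). Also prefer `%q` over `%s` for the attacker-controlled `header.Name` in the error so control characters are escaped in logs. untar continues outside this hunk.
```go
// the target location where the dir/file should be created;
// guard against path traversal (CWE-22) by checking that the joined
// path is still inside destDir rather than substring-matching ".."
target := filepath.Join(destDir, header.Name)
if rel, relErr := filepath.Rel(destDir, target); relErr != nil ||
	rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
	return fmt.Errorf("invalid file path: %q", header.Name)
}
// … unchanged: the following switch …
```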

website/yarn.lock

+4-4
@@ -5540,10 +5540,10 @@ multicast-dns@^7.2.5:
55405540
dns-packet "^5.2.2"
55415541
thunky "^1.0.2"
55425542

5543-
nanoid@^3.3.6:
5544-
version "3.3.6"
5545-
resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.6.tgz#443380c856d6e9f9824267d960b4236ad583ea4c"
5546-
integrity sha512-BGcqMMJuToF7i1rt+2PWSNVnWIkGCU78jBG3RxO/bZlnZPK2Cmi2QaffxGO/2RvWi9sL+FAiRiXMgsyxQ1DIDA==
5543+
nanoid@^3.3.8:
5544+
version "3.3.8"
5545+
resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.8.tgz#b1be3030bee36aaff18bacb375e5cce521684baf"
5546+
integrity sha512-WNLf5Sd8oZxOm+TzppcYk8gVOgP+l58xNy58D0nbUnOxOWRWvlcCV4kUF7ltmI6PsrLl/BgKEyS4mqsGChFN0w==
55475547

55485548
55495549
version "0.6.3"

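--- a/yarn.lock
+++ b/yarn.lock
@@ -3724,6 +3724,11 @@ ansi-styles@^5.0.0:
 resolved "https://registry.npmjs.org/ansi-styles/-/ansi-styles-5.2.0.tgz"
 integrity sha512-Cxwpt2SfTzTtXcfOlzGEee8O+c+MmUgGrNiBcXnuWxuFJHe6a5Hz7qwhwe5OgaSYI0IJvkLqWX1ASG+cJOkEiA==
 
+ansi-styles@^6.2.1:
+version "6.2.1"
+resolved "https://registry.yarnpkg.com/ansi-styles/-/ansi-styles-6.2.1.tgz#0e62320cf99c21afff3b3012192546aacbfb05c5"
+integrity sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug==
+
 anymatch@^3.0.3:
 version "3.1.2"
 resolved "https://registry.npmjs.org/anymatch/-/anymatch-3.1.2.tgz"
@@ -5787,6 +5792,11 @@ [email protected]:
 resolved "https://registry.npmjs.org/inline-style-parser/-/inline-style-parser-0.1.1.tgz"
 integrity sha512-7NXolsK4CAS5+xvdj5OMMbI962hU/wvwoxk+LWR9Ek9bVtyuuYScDN6eS0rUm6TxApFpw7CX1o4uJzcd4AyD3Q==
 
+install@^0.13.0:
+version "0.13.0"
+resolved "https://registry.yarnpkg.com/install/-/install-0.13.0.tgz#6af6e9da9dd0987de2ab420f78e60d9c17260776"
+integrity sha512-zDml/jzr2PKU9I8J/xyZBQn8rPCAY//UOYNmR01XwNwyfhEWObo2SWfSl1+0tm1u6PhxLwDnfsT/6jB7OUxqFA==
+
 internal-slot@^1.0.3:
 version "1.0.3"
 resolved "https://registry.npmjs.org/internal-slot/-/internal-slot-1.0.3.tgz"
@@ -7897,9 +7907,9 @@ [email protected]:
 big-integer "^1.6.16"
 
 nanoid@^3.3.6:
-version "3.3.6"
-resolved "https://registry.npmjs.org/nanoid/-/nanoid-3.3.6.tgz"
-integrity sha512-BGcqMMJuToF7i1rt+2PWSNVnWIkGCU78jBG3RxO/bZlnZPK2Cmi2QaffxGO/2RvWi9sL+FAiRiXMgsyxQ1DIDA==
+version "3.3.8"
+resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.8.tgz#b1be3030bee36aaff18bacb375e5cce521684baf"
+integrity sha512-WNLf5Sd8oZxOm+TzppcYk8gVOgP+l58xNy58D0nbUnOxOWRWvlcCV4kUF7ltmI6PsrLl/BgKEyS4mqsGChFN0w==
 
 natural-compare@^1.4.0:
 version "1.4.0"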
