Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Address security issues #1589

Merged
merged 6 commits into from
Oct 1, 2024
Merged

Address security issues #1589

merged 6 commits into from
Oct 1, 2024

Conversation

ryanmelt
Copy link
Member

@ryanmelt ryanmelt commented Sep 29, 2024
edited
Loading

Addresses:
GHSL-2024-127
GHSL-2024-128
GHSL-2024-129

@codecov Codecov
Copy link

codecov bot commented Sep 29, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 28.66450% with 219 lines in your changes missing coverage. Please review.

Project coverage is 76.80%. Comparing base (29eecf3) to head (f789329).
Report is 9 commits behind head on main.

Files with missing lines Patch % Lines
...s-cmd-tlm-api/app/controllers/tables_controller.rb 8.33% 44 Missing ⚠️
...t-runner-api/app/controllers/scripts_controller.rb 23.21% 43 Missing ⚠️
...cmd-tlm-api/app/controllers/activity_controller.rb 23.80% 16 Missing ⚠️
...-cmd-tlm-api/app/controllers/plugins_controller.rb 0.00% 16 Missing ⚠️
...cmd-tlm-api/app/controllers/reaction_controller.rb 0.00% 16 Missing ⚠️
...-cmd-tlm-api/app/controllers/targets_controller.rb 21.05% 15 Missing ⚠️
...-cmd-tlm-api/app/controllers/trigger_controller.rb 0.00% 12 Missing ⚠️
...-cmd-tlm-api/app/controllers/storage_controller.rb 0.00% 9 Missing ⚠️
...lm-api/app/controllers/trigger_group_controller.rb 0.00% 9 Missing ⚠️
...cmd-tlm-api/app/controllers/timeline_controller.rb 12.50% 7 Missing ⚠️
... and 13 more
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1589      +/-   ##
==========================================
- Coverage   77.03%   76.80%   -0.24%     
==========================================
  Files         613      613              
  Lines       46056    46307     +251     
  Branches      803      805       +2     
==========================================
+ Hits        35480    35564      +84     
- Misses      10489    10655     +166     
- Partials       87       88       +1
Flag Coverage Δ
frontend 55.99% <ø> (+0.24%) ⬆️
python 84.59% <ø> (+<0.01%) ⬆️
ruby-api 47.62% <25.26%> (-1.39%) ⬇️
ruby-backend 82.82% <72.72%> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

jmthomas
jmthomas reviewed Sep 29, 2024
View reviewed changes
Copy link
Member

@jmthomas jmthomas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good with a lot of changes. Not sure if there's something we can do about the remaining issues here. Does this cover both CVEs?

openc3-cosmos-cmd-tlm-api/app/controllers/application_controller.rb Outdated
value = arg.encode(Encoding::UTF_8, invalid: :replace, undef: :replace, replace: "�").strip.tr("\u{202E}%$|:;/\t\r\n\\", "-")
end
if value != arg
render(json: { status: 'error', message: "Invalid parameter #{param_list[index]}" }, status: 400)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this still be param_list[index] or should it be result[index]?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated to match other messages.

openc3-cosmos-cmd-tlm-api/app/controllers/storage_controller.rb
@@ -25,6 +25,7 @@

class StorageController < ApplicationController
def buckets
return unless authorization('system')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a good check but doesn't everyone have system?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, but at least not it requires you to be authenicated. Before even not logged in could get it.

openc3-cosmos-init/plugins/openc3-tool-base/public/js/auth.js
let result = url.pathname
if (url.search) {
result = result + url.search
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What are you accomplishing here? Comment?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This converts to a relative url.

openc3-cosmos-init/plugins/packages/openc3-tool-common/src/tools/base/components/Login.vue Fixed Show resolved Hide resolved
@sonarqubecloud SonarQubeCloud
Copy link

sonarqubecloud bot commented Oct 1, 2024

Quality Gate Passed Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
23.0% Duplication on New Code

See analysis details on SonarCloud

@ryanmelt ryanmelt merged commit 63699a1 into main Oct 1, 2024
27 checks passed
@ryanmelt ryanmelt deleted the address_security branch October 1, 2024 03:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jmthomas jmthomas jmthomas left review comments

@ryan-pratt ryan-pratt Awaiting requested review from ryan-pratt

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ryanmelt @jmthomas