[ioctl] fix log entries created from user input #3546
Conversation
Codecov Report
@@ Coverage Diff @@
## master #3546 +/- ##
==========================================
- Coverage 75.43% 74.07% -1.37%
==========================================
Files 247 253 +6
Lines 22845 23340 +495
==========================================
+ Hits 17233 17288 +55
- Misses 4685 5121 +436
- Partials 927 931 +4
ioctl/cmd/contract/contractshare.go
} | ||
if err := conn.WriteJSON(&response); err != nil { | ||
log.Println("send set response: ", err) | ||
break | ||
} | ||
log.Println("set: " + _givenPath + "/" + setPath) | ||
log.Printf("set: %s/%s\n", _givenPath, easpcapeString(setPath)) |
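Review bot: the new `log.Printf` line passes `_givenPath` through unescaped while only `setPath` goes through `easpcapeString`; if `_givenPath` can also be taken from the request, it needs the same treatment. Two smaller points on the same line: the helper's name looks misspelled (`easpcapeString` where `escapeString` is meant), and the trailing `\n` in the format string is redundant, since the `log` package appends a newline when the message does not already end with one.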
Why is `easpcapeString` added here?
A user can make many new log entries; this is unsafe. https://github.com/iotexproject/iotex-core/security/code-scanning/10
Good. Could you reproduce this issue locally?
Select the branch in CodeQL in Actions and run it, then see the result. This is mine: https://github.com/iotexproject/iotex-core/security/code-scanning?query=is%3Aopen+branch%3Ahuof_fix_code_scan
escaped := strings.Replace(str, "\n", "", -1) | ||
return strings.Replace(escaped, "\r", "", -1) |
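Review bot: the two `strings.Replace(..., -1)` calls can be a single `strings.NewReplacer("\n", "", "\r", "").Replace(str)`, which does both substitutions in one pass and drops the magic `-1` (or use `strings.ReplaceAll` twice for readability). Also note that removing CR/LF only stops forged lines; other control characters (tab, ESC) still reach the log unchanged, so `strconv.Quote` or a `%q` verb at the call site would be the stronger choice if the log is consumed by tools.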
Try `return strings.Replace(escaped, "[\r\n]", "", -1)`
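As an added illustration of the fix discussed in this thread (not code from iotex-core; the names stripCRLF, quoteForLog, logSetPath and the sample path are constructed for this example), the program below logs a user-supplied path unsanitized and through two sanitizers, so the number of resulting log lines can be compared:

```go
package main

import (
	"bytes"
	"fmt"
	"log"
	"strconv"
	"strings"
)

// stripCRLF mirrors the approach taken in the PR: drop CR and LF from the value.
// strings.NewReplacer performs both substitutions in a single pass.
var crlfReplacer = strings.NewReplacer("\n", "", "\r", "")

func stripCRLF(s string) string { return crlfReplacer.Replace(s) }

// quoteForLog goes further: strconv.Quote escapes every control character and
// non-printable byte, so tabs and terminal escape sequences cannot disturb the log either.
func quoteForLog(s string) string { return strconv.Quote(s) }

// logSetPath writes a "set:" entry the way the handler in the diff does, but to an
// in-memory buffer (no timestamp prefix) so the result is deterministic and inspectable.
func logSetPath(givenPath, setPath string, sanitize func(string) string) string {
	var buf bytes.Buffer
	l := log.New(&buf, "", 0)
	l.Printf("set: %s/%s", givenPath, sanitize(setPath))
	return buf.String()
}

// lineCount reports how many log lines one entry produced; a sanitized entry must yield exactly one.
func lineCount(entry string) int { return strings.Count(entry, "\n") }

// identity is the "no sanitizer" case, i.e. the behaviour before the fix.
func identity(s string) string { return s }

func main() {
	// Constructed sample input: a file name followed by a newline and a second, forged entry.
	forged := "a.sol\nset: forged-entry"
	fmt.Print(logSetPath("/srv/share", forged, identity))    // two lines: the forged entry stands alone
	fmt.Print(logSetPath("/srv/share", forged, stripCRLF))   // one line, newline removed
	fmt.Print(logSetPath("/srv/share", forged, quoteForLog)) // one line, newline shown as \n
}
```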
…task/config-get
* 'task/config-get' of github.com:pocockn/iotex-core:
  modify test
  move chanid metrics to chainservice (iotexproject#3544)
  [ioctl] fix log entries created from user input (iotexproject#3546)
  add log in rolldposctx (iotexproject#3553)
  fix uncontrolled data used in path expression (iotexproject#3547)
  [api] impl. TestGrpcServer_GetServerMeta (iotexproject#3559)

…task/set-config
* 'task/set-config' of github.com:pocockn/iotex-core:
  [test] Disable workingset cache in the benchmark test (iotexproject#3558)
  [pkg] fix deferring unsafe method "Close" on type "*os.File" (iotexproject#3548)
  [action] Refactor handleTransfer() (iotexproject#3557)
  Add MinVersion in tls.Config (iotexproject#3562)
  [ioctl] Modify file permission as 0600 (iotexproject#3563)
  [httputil] add ReadHeaderTimeout (iotexproject#3550)
  [staking] unexport namespace (iotexproject#3551)
  move chanid metrics to chainservice (iotexproject#3544)
  [ioctl] fix log entries created from user input (iotexproject#3546)
  add log in rolldposctx (iotexproject#3553)
  fix uncontrolled data used in path expression (iotexproject#3547)
  [api] impl. TestGrpcServer_GetServerMeta (iotexproject#3559)
  [ioctl] Build action command line into new ioctl (iotexproject#3472)
  fix potential file inclusion via variable (iotexproject#3549)

* upstream/master: (45 commits)
  Task: Get config cmd (iotexproject#3552)
  [ioctl] fix Errors unhandled (iotexproject#3567)
  fix dir permission and file inclusion (iotexproject#3566)
  [test] Disable workingset cache in the benchmark test (iotexproject#3558)
  [pkg] fix deferring unsafe method "Close" on type "*os.File" (iotexproject#3548)
  [action] Refactor handleTransfer() (iotexproject#3557)
  Add MinVersion in tls.Config (iotexproject#3562)
  [ioctl] Modify file permission as 0600 (iotexproject#3563)
  [httputil] add ReadHeaderTimeout (iotexproject#3550)
  [staking] unexport namespace (iotexproject#3551)
  move chanid metrics to chainservice (iotexproject#3544)
  [ioctl] fix log entries created from user input (iotexproject#3546)
  add log in rolldposctx (iotexproject#3553)
  fix uncontrolled data used in path expression (iotexproject#3547)
  [api] impl. TestGrpcServer_GetServerMeta (iotexproject#3559)
  [ioctl] Build action command line into new ioctl (iotexproject#3472)
  fix potential file inclusion via variable (iotexproject#3549)
  [ioctl] Incorrect conversion between integer types (iotexproject#3522)
  [action] fix incorrect conversion between integer types (iotexproject#3545)
  [test] fix TestLoadBlockchainfromDB (iotexproject#3521)
  ...
Description
Fix code scan #7~#10: https://github.com/iotexproject/iotex-core/security/code-scanning/10
Fixes #3526