From 475ed810a81846da4fec79a570a364315373b582 Mon Sep 17 00:00:00 2001 From: marcello33 Date: Thu, 3 Nov 2022 09:59:58 +0100 Subject: [PATCH 01/26] dev: add: pos-944 security ci and readme --- .github/workflows/security-ci.yml | 42 +++++++ SECURITY.md | 181 ++---------------------------- 2 files changed, 52 insertions(+), 171 deletions(-) create mode 100644 .github/workflows/security-ci.yml diff --git a/.github/workflows/security-ci.yml b/.github/workflows/security-ci.yml new file mode 100644 index 0000000000..bbc4efb76a --- /dev/null +++ b/.github/workflows/security-ci.yml @@ -0,0 +1,42 @@ +name: Security CI +on: [push, pull_request] + +jobs: + snyk: + name: Snyk + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/golang@master + with: + args: --org=${{ secrets.SNYK_ORG }} --severity-threshold=medium + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + snyk-code: + name: Snyk Code + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - name: Run Snyk SAST to check for code vulnerabilities + uses: snyk/actions/golang@master + with: + command: code test + args: --org=${{ secrets.SNYK_ORG }} + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + golangci: + name: lint + runs-on: ubuntu-latest + steps: + - uses: actions/setup-go@v3 + with: + go-version: 1.19 + - uses: actions/checkout@v3 + - name: golangci-lint + uses: golangci/golangci-lint-action@v3 + with: + # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version + version: latest diff --git a/SECURITY.md b/SECURITY.md index 41b900d5e9..d082838a32 100644 --- a/SECURITY.md +++ b/SECURITY.md 
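Review bot: Every `uses:` in the new workflow points at a moving ref — `actions/checkout@master` and `snyk/actions/golang@master` in both scan jobs, `actions/setup-go@v3`, `actions/checkout@v3` and `golangci/golangci-lint-action@v3` in the lint job — so the code that receives `SNYK_TOKEN` can change without any commit to this repository. Pin each action to a full commit SHA and keep the tag as a comment, e.g. `uses: actions/checkout@<commit-sha>   # v3`, and let Dependabot or Renovate bump the pins. With `on: [push, pull_request]`, pull_request runs triggered from forks do not receive repository secrets, so `SNYK_TOKEN` will be empty there and both Snyk jobs will most likely fail on every fork PR; if fork PRs are expected, scoping the scan jobs to `push` (or gating them on the head repository) avoids a permanently red check.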
@@ -1,175 +1,14 @@ -# Security Policy +# Polygon Technology Security Information -## Supported Versions +## Link to vulnerability disclosure details (Bug Bounty) +- Websites and Applications: https://hackerone.com/polygon-technology +- Smart Contracts: https://immunefi.com/bounty/polygon -Please see [Releases](https://github.com/ethereum/go-ethereum/releases). We recommend using the [most recently released version](https://github.com/ethereum/go-ethereum/releases/latest). +## Languages that our team speaks and understands. +Preferred-Languages: en -## Audit reports +## Security-related job openings at Polygon. +https://polygon.technology/careers -Audit reports are published in the `docs` folder: https://github.com/ethereum/go-ethereum/tree/master/docs/audits - -| Scope | Date | Report Link | -| ------- | ------- | ----------- | -| `geth` | 20170425 | [pdf](https://github.com/ethereum/go-ethereum/blob/master/docs/audits/2017-04-25_Geth-audit_Truesec.pdf) | -| `clef` | 20180914 | [pdf](https://github.com/ethereum/go-ethereum/blob/master/docs/audits/2018-09-14_Clef-audit_NCC.pdf) | -| `Discv5` | 20191015 | [pdf](https://github.com/ethereum/go-ethereum/blob/master/docs/audits/2019-10-15_Discv5_audit_LeastAuthority.pdf) | -| `Discv5` | 20200124 | [pdf](https://github.com/ethereum/go-ethereum/blob/master/docs/audits/2020-01-24_DiscV5_audit_Cure53.pdf) | - -## Reporting a Vulnerability - -**Please do not file a public ticket** mentioning the vulnerability. - -To find out how to disclose a vulnerability in Ethereum visit [https://bounty.ethereum.org](https://bounty.ethereum.org) or email bounty@ethereum.org. Please read the [disclosure page](https://github.com/ethereum/go-ethereum/security/advisories?state=published) for more information about publicly disclosed security vulnerabilities. - -Use the built-in `geth version-check` feature to check whether the software is affected by any known vulnerability. 
This command will fetch the latest [`vulnerabilities.json`](https://geth.ethereum.org/docs/vulnerabilities/vulnerabilities.json) file which contains known security vulnerabilities concerning `geth`, and cross-check the data against its own version number. - -The following key may be used to communicate sensitive information to developers. - -Fingerprint: `AE96 ED96 9E47 9B00 84F3 E17F E88D 3334 FA5F 6A0A` - -``` ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: SKS 1.1.6 -Comment: Hostname: pgp.mit.edu - -mQINBFgl3tgBEAC8A1tUBkD9YV+eLrOmtgy+/JS/H9RoZvkg3K1WZ8IYfj6iIRaYneAk3Bp1 -82GUPVz/zhKr2g0tMXIScDR3EnaDsY+Qg+JqQl8NOG+Cikr1nnkG2on9L8c8yiqry1ZTCmYM -qCa2acTFqnyuXJ482aZNtB4QG2BpzfhW4k8YThpegk/EoRUim+y7buJDtoNf7YILlhDQXN8q -lHB02DWOVUihph9tUIFsPK6BvTr9SIr/eG6j6k0bfUo9pexOn7LS4SojoJmsm/5dp6AoKlac -48cZU5zwR9AYcq/nvkrfmf2WkObg/xRdEvKZzn05jRopmAIwmoC3CiLmqCHPmT5a29vEob/y -PFE335k+ujjZCPOu7OwjzDk7M0zMSfnNfDq8bXh16nn+ueBxJ0NzgD1oC6c2PhM+XRQCXCho -yI8vbfp4dGvCvYqvQAE1bWjqnumZ/7vUPgZN6gDfiAzG2mUxC2SeFBhacgzDvtQls+uuvm+F -nQOUgg2Hh8x2zgoZ7kqV29wjaUPFREuew7e+Th5BxielnzOfVycVXeSuvvIn6cd3g/s8mX1c -2kLSXJR7+KdWDrIrR5Az0kwAqFZt6B6QTlDrPswu3mxsm5TzMbny0PsbL/HBM+GZEZCjMXxB -8bqV2eSaktjnSlUNX1VXxyOxXA+ZG2jwpr51egi57riVRXokrQARAQABtDRFdGhlcmV1bSBG -b3VuZGF0aW9uIEJ1ZyBCb3VudHkgPGJvdW50eUBldGhlcmV1bS5vcmc+iQIcBBEBCAAGBQJa -FCY6AAoJEHoMA3Q0/nfveH8P+gJBPo9BXZL8isUfbUWjwLi81Yi70hZqIJUnz64SWTqBzg5b -mCZ69Ji5637THsxQetS2ARabz0DybQ779FhD/IWnqV9T3KuBM/9RzJtuhLzKCyMrAINPMo28 -rKWdunHHarpuR4m3tL2zWJkle5QVYb+vkZXJJE98PJw+N4IYeKKeCs2ubeqZu636GA0sMzzB -Jn3m/dRRA2va+/zzbr6F6b51ynzbMxWKTsJnstjC8gs8EeI+Zcd6otSyelLtCUkk3h5sTvpV -Wv67BNSU0BYsMkxyFi9PUyy07Wixgeas89K5jG1oOtDva/FkpRHrTE/WA5OXDRcLrHJM+SwD -CwqcLQqJd09NxwUW1iKeBmPptTiOGu1Gv2o7aEyoaWrHRBO7JuYrQrj6q2B3H1Je0zjAd2qt -09ni2bLwLn4LA+VDpprNTO+eZDprv09s2oFSU6NwziHybovu0y7X4pADGkK2evOM7c86PohX -QRQ1M1T16xLj6wP8/Ykwl6v/LUk7iDPXP3GPILnh4YOkwBR3DsCOPn8098xy7FxEELmupRzt -Cj9oC7YAoweeShgUjBPzb+nGY1m6OcFfbUPBgFyMMfwF6joHbiVIO+39+Ut2g2ysZa7KF+yp 
-XqVDqyEkYXsOLb25OC7brt8IJEPgBPwcHK5GNag6RfLxnQV+iVZ9KNH1yQgSiQI+BBMBAgAo -AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCWglh+gUJBaNgWAAKCRDojTM0+l9qCgQ2 -D/4udJpV4zGIZW1yNaVvtd3vfKsTLi7GIRJLUBqVb2Yx/uhnN8jTl/tAhCVosCQ1pzvi9kMl -s8qO1vu2kw5EWFFkwK96roI8pTql3VIjwhRVQrCkR7oAk/eUd1U/nt2q6J4UTYeVgqbq4dsI -ZZTRyPJMD667YpuAIcaah+w9j/E5xksYQdMeprnDrQkkBCb4FIMqfDzBPKvEa8DcQr949K85 -kxhr6LDq9i5l4Egxt2JdH8DaR4GLca6+oHy0MyPs/bZOsfmZUObfM2oZgPpqYM96JanhzO1j -dpnItyBii2pc+kNx5nMOf4eikE/MBv+WUJ0TttWzApGGmFUzDhtuEvRH9NBjtJ/pMrYspIGu -O/QNY5KKOKQTvVIlwGcm8dTsSkqtBDSUwZyWbfKfKOI1/RhM9dC3gj5/BOY57DYYV4rdTK01 -ZtYjuhdfs2bhuP1uF/cgnSSZlv8azvf7Egh7tHPnYxvLjfq1bJAhCIX0hNg0a81/ndPAEFky -fSko+JPKvdSvsUcSi2QQ4U2HX//jNBjXRfG4F0utgbJnhXzEckz6gqt7wSDZH2oddVuO8Ssc -T7sK+CdXthSKnRyuI+sGUpG+6glpKWIfYkWFKNZWuQ+YUatY3QEDHXTIioycSmV8p4d/g/0S -V6TegidLxY8bXMkbqz+3n6FArRffv5MH7qt3cYkCPgQTAQIAKAUCWCXhOwIbAwUJAeEzgAYL -CQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ6I0zNPpfagrN/w/+Igp3vtYdNunikw3yHnYf -Jkm0MmaMDUM9mtsaXVN6xb9n25N3Xa3GWCpmdsbYZ8334tI/oQ4/NHq/bEI5WFH5F1aFkMkm -5AJVLuUkipCtmCZ5NkbRPJA9l0uNUUE6uuFXBhf4ddu7jb0jMetRF/kifJHVCCo5fISUNhLp -7bwcWq9qgDQNZNYMOo4s9WX5Tl+5x4gTZdd2/cAYt49h/wnkw+huM+Jm0GojpLqIQ1jZiffm -otf5rF4L+JhIIdW0W4IIh1v9BhHVllXw+z9oj0PALstT5h8/DuKoIiirFJ4DejU85GR1KKAS -DeO19G/lSpWj1rSgFv2N2gAOxq0X+BbQTua2jdcY6JpHR4H1JJ2wzfHsHPgDQcgY1rGlmjVF -aqU73WV4/hzXc/HshK/k4Zd8uD4zypv6rFsZ3UemK0aL2zXLVpV8SPWQ61nS03x675SmDlYr -A80ENfdqvsn00JQuBVIv4Tv0Ub7NfDraDGJCst8rObjBT/0vnBWTBCebb2EsnS2iStIFkWdz -/WXs4L4Yzre1iJwqRjiuqahZR5jHsjAUf2a0O29HVHE7zlFtCFmLPClml2lGQfQOpm5klGZF -rmvus+qZ9rt35UgWHPZezykkwtWrFOwspwuCWaPDto6tgbRJZ4ftitpdYYM3dKW9IGJXBwrt -BQrMsu+lp0vDF+yJAlUEEwEIAD8CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEErpbt -lp5HmwCE8+F/6I0zNPpfagoFAmEAEJwFCQycmLgACgkQ6I0zNPpfagpWoBAAhOcbMAUw6Zt0 -GYzT3sR5/c0iatezPzXEXJf9ebzR8M5uPElXcxcnMx1dvXZmGPXPJKCPa99WCu1NZYy8F+Wj -GTOY9tfIkvSxhys1p/giPAmvid6uQmD+bz7ivktnyzCkDWfMA+l8lsCSEqVlaq6y5T+a6SWB -6TzC2S0MPb/RrC/7DpwyrNYWumvyVJh09adm1Mw/UGgst/sZ8eMaRYEd3X0yyT1CBpX4zp2E 
-qQj9IEOTizvzv1x2jkHe5ZUeU3+nTBNlhSA+WFHUi0pfBdo2qog3Mv2EC1P2qMKoSdD5tPbA -zql1yKoHHnXOMsqdftGwbiv2sYXWvrYvmaCd3Ys/viOyt3HOy9uV2ZEtBd9Yqo9x/NZj8QMA -nY5k8jjrIXbUC89MqrJsQ6xxWQIg5ikMT7DvY0Ln89ev4oJyVvwIQAwCm4jUzFNm9bZLYDOP -5lGJCV7tF5NYVU7NxNM8vescKc40mVNK/pygS5mxhK9QYOUjZsIv8gddrl1TkqrFMuxFnTyN -WvzE29wFu/n4N1DkF+ZBqS70SlRvB+Hjz5LrDgEzF1Wf1eA/wq1dZbvMjjDVIc2VGlYp8Cp2 -8ob23c1seTtYXTNYgSR5go4EpH+xi+bIWv01bQQ9xGwBbT5sm4WUeWOcmX4QewzLZ3T/wK9+ -N4Ye/hmU9O34FwWJOY58EIe0OUV0aGVyZXVtIEZvdW5kYXRpb24gU2VjdXJpdHkgVGVhbSA8 -c2VjdXJpdHlAZXRoZXJldW0ub3JnPokCHAQRAQgABgUCWhQmOgAKCRB6DAN0NP5372LSEACT -wZk1TASWZj5QF7rmkIM1GEyBxLE+PundNcMgM9Ktj1315ED8SmiukNI4knVS1MY99OIgXhQl -D1foF2GKdTomrwwC4012zTNyUYCY60LnPZ6Z511HG+rZgZtZrbkz0IiUpwAlhGQND77lBqem -J3K+CFX2XpDA/ojui/kqrY4cwMT5P8xPJkwgpRgw/jgdcZyJTsXdHblV9IGU4H1Vd1SgcfAf -Db3YxDUlBtzlp0NkZqxen8irLIXUQvsfuIfRUbUSkWoK/n3U/gOCajAe8ZNF07iX4OWjH4Sw -NDA841WhFWcGE+d8+pfMVfPASU3UPKH72uw86b2VgR46Av6voyMFd1pj+yCA+YAhJuOpV4yL -QaGg2Z0kVOjuNWK/kBzp1F58DWGh4YBatbhE/UyQOqAAtR7lNf0M3QF9AdrHTxX8oZeqVW3V -Fmi2mk0NwCIUv8SSrZr1dTchp04OtyXe5gZBXSfzncCSRQIUDC8OgNWaOzAaUmK299v4bvye -uSCxOysxC7Q1hZtjzFPKdljS81mRlYeUL4fHlJU9R57bg8mriSXLmn7eKrSEDm/EG5T8nRx7 -TgX2MqJs8sWFxD2+bboVEu75yuFmZ//nmCBApAit9Hr2/sCshGIEpa9MQ6xJCYUxyqeJH+Cc -Aja0UfXhnK2uvPClpJLIl4RE3gm4OXeE1IkCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYC -AwECHgECF4AFAloJYfoFCQWjYFgACgkQ6I0zNPpfagr4MQ//cfp3GSbSG8dkqgctW67Fy7cQ -diiTmx3cwxY+tlI3yrNmdjtrIQMzGdqtY6LNz7aN87F8mXNf+DyVHX9+wd1Y8U+E+hVCTzKC -sefUfxTz6unD9TTcGqaoelgIPMn4IiKz1RZE6eKpfDWe6q78W1Y6x1bE0qGNSjqT/QSxpezF -E/OAm/t8RRxVxDtqz8LfH2zLea5zaC+ADj8EqgY9vX9TQa4DyVV8MgOyECCCadJQCD5O5hIA -B2gVDWwrAUw+KBwskXZ7Iq4reJTKLEmt5z9zgtJ/fABwaCFt66ojwg0/RjbO9cNA3ZwHLGwU -C6hkb6bRzIoZoMfYxVS84opiqf/Teq+t/XkBYCxbSXTJDA5MKjcVuw3N6YKWbkGP/EfQThe7 -BfAKFwwIw5YmsWjHK8IQj6R6hBxzTz9rz8y1Lu8EAAFfA7OJKaboI2qbOlauH98OuOUmVtr1 -TczHO+pTcgWVN0ytq2/pX5KBf4vbmULNbg3HFRq+gHx8CW+jyXGkcqjbgU/5FwtDxeqRTdGJ -SyBGNBEU6pBNolyynyaKaaJjJ/biY27pvjymL5rlz95BH3Dn16Z4RRmqwlT6eq/wFYginujg 
-CCE1icqOSE+Vjl7V8tV8AcgANkXKdbBE+Q8wlKsGI/kS1w4XFAYcaNHFT8qNeS8TSFXFhvU8 -HylYxO79t56JAj4EEwECACgFAlgl3tgCGwMFCQHhM4AGCwkIBwMCBhUIAgkKCwQWAgMBAh4B -AheAAAoJEOiNMzT6X2oKmUMP/0hnaL6bVyepAq2LIdvIUbHfagt/Oo/KVfZs4bkM+xJOitJR -0kwZV9PTihXFdzhL/YNWc2+LtEBtKItqkJZKmWC0E6OPXGVuU6hfFPebuzVccYJfm0Q3Ej19 -VJI9Uomf59Bpak8HYyEED7WVQjoYn7XVPsonwus/9+LDX+c5vutbrUdbjga3KjHbewD93X4O -wVVoXyHEmU2Plyg8qvzFbNDylCWO7N2McO6SN6+7DitGZGr2+jO+P2R4RT1cnl2V3IRVcWZ0 -OTspPSnRGVr2fFiHN/+v8G/wHPLQcJZFvYPfUGNdcYbTmhWdiY0bEYXFiNrgzCCsyad7eKUR -WN9QmxqmyqLDjUEDJCAh19ES6Vg3tqGwXk+uNUCoF30ga0TxQt6UXZJDEQFAGeASQ/RqE/q1 -EAuLv8IGM8o7IqKO2pWfLuqsY6dTbKBwDzz9YOJt7EOGuPPQbHxaYStTushZmJnm7hi8lhVG -jT7qsEJdE95Il+I/mHWnXsCevaXjZugBiyV9yvOq4Hwwe2s1zKfrnQ4u0cadvGAh2eIqum7M -Y3o6nD47aJ3YmEPX/WnhI56bACa2GmWvUwjI4c0/er3esSPYnuHnM9L8Am4qQwMVSmyU80tC -MI7A9e13Mvv+RRkYFLJ7PVPdNpbW5jqX1doklFpKf6/XM+B+ngYneU+zgCUBiQJVBBMBCAA/ -AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgBYhBK6W7ZaeR5sAhPPhf+iNMzT6X2oKBQJh -ABCQBQkMnJi4AAoJEOiNMzT6X2oKAv0P+gJ3twBp5efNWyVLcIg4h4cOo9uD0NPvz8/fm2gX -FoOJL3MeigtPuSVfE9kuTaTuRbArzuFtdvH6G/kcRQvOlO4zyiIRHCk1gDHoIvvtn6RbRhVm -/Xo4uGIsFHst7n4A7BjicwEK5Op6Ih5Hoq19xz83YSBgBVk2fYEJIRyJiKFbyPjH0eSYe8v+ -Ra5/F85ugLx1P6mMVkW+WPzULns89riW7BGTnZmXFHZp8nO2pkUlcI7F3KRG7l4kmlC50ox6 -DiG/6AJCVulbAClky9C68TmJ/R1RazQxU/9IqVywsydq66tbJQbm5Z7GEti0C5jjbSRJL2oT -1xC7Rilr85PMREkPL3vegJdgj5PKlffZ/MocD/0EohiQ7wFpejFD4iTljeh0exRUwCRb6655 -9ib34JSQgU8Hl4JJu+mEgd9v0ZHD0/1mMD6fnAR84zca+O3cdASbnQmzTOKcGzLIrkE8TEnU -+2UZ8Ol7SAAqmBgzY1gKOilUho6dkyCAwNL+QDpvrITDPLEFPsjyB/M2KudZSVEn+Rletju1 -qkMW31qFMNlsbwzMZw+0USeGcs31Cs0B2/WQsro99CExlhS9auUFkmoVjJmYVTIYOM0zuPa4 -OyGspqPhRu5hEsmMDPDWD7Aad5k4GTqogQNnuKyRliZjXXrDZqFD5nfsJSL8Ky/sJGEMuQIN -BFgl3tgBEACbgq6HTN5gEBi0lkD/MafInmNi+59U5gRGYqk46WlfRjhHudXjDpgD0lolGb4h -YontkMaKRlCg2Rvgjvk3Zve0PKWjKw7gr8YBa9fMFY8BhAXI32OdyI9rFhxEZFfWAfwKVmT1 -9BdeAQRFvcfd+8w8f1XVc+zddULMJFBTr+xKDlIRWwTkdLPQeWbjo0eHl/g4tuLiLrTxVbnj -26bf+2+1DbM/w5VavzPrkviHqvKe/QP/gay4QDViWvFgLb90idfAHIdsPgflp0VDS5rVHFL6 
-D73rSRdIRo3I8c8mYoNjSR4XDuvgOkAKW9LR3pvouFHHjp6Fr0GesRbrbb2EG66iPsR99MQ7 -FqIL9VMHPm2mtR+XvbnKkH2rYyEqaMbSdk29jGapkAWle4sIhSKk749A4tGkHl08KZ2N9o6G -rfUehP/V2eJLaph2DioFL1HxRryrKy80QQKLMJRekxigq8greW8xB4zuf9Mkuou+RHNmo8Pe -bHjFstLigiD6/zP2e+4tUmrT0/JTGOShoGMl8Rt0VRxdPImKun+4LOXbfOxArOSkY6i35+gs -gkkSy1gTJE0BY3S9auT6+YrglY/TWPQ9IJxWVOKlT+3WIp5wJu2bBKQ420VLqDYzkoWytel/ -bM1ACUtipMiIVeUs2uFiRjpzA1Wy0QHKPTdSuGlJPRrfcQARAQABiQIlBBgBAgAPAhsMBQJa -CWIIBQkFo2BYAAoJEOiNMzT6X2oKgSwQAKKs7BGF8TyZeIEO2EUK7R2bdQDCdSGZY06tqLFg -3IHMGxDMb/7FVoa2AEsFgv6xpoebxBB5zkhUk7lslgxvKiSLYjxfNjTBltfiFJ+eQnf+OTs8 -KeR51lLa66rvIH2qUzkNDCCTF45H4wIDpV05AXhBjKYkrDCrtey1rQyFp5fxI+0IQ1UKKXvz -ZK4GdxhxDbOUSd38MYy93nqcmclGSGK/gF8XiyuVjeifDCM6+T1NQTX0K9lneidcqtBDvlgg -JTLJtQPO33o5EHzXSiud+dKth1uUhZOFEaYRZoye1YE3yB0TNOOE8fXlvu8iuIAMBSDL9ep6 -sEIaXYwoD60I2gHdWD0lkP0DOjGQpi4ouXM3Edsd5MTi0MDRNTij431kn8T/D0LCgmoUmYYM -BgbwFhXr67axPZlKjrqR0z3F/Elv0ZPPcVg1tNznsALYQ9Ovl6b5M3cJ5GapbbvNWC7yEE1q -Scl9HiMxjt/H6aPastH63/7wcN0TslW+zRBy05VNJvpWGStQXcngsSUeJtI1Gd992YNjUJq4 -/Lih6Z1TlwcFVap+cTcDptoUvXYGg/9mRNNPZwErSfIJ0Ibnx9wPVuRN6NiCLOt2mtKp2F1p -M6AOQPpZ85vEh6I8i6OaO0w/Z0UHBwvpY6jDUliaROsWUQsqz78Z34CVj4cy6vPW2EF4iQIl -BBgBAgAPBQJYJd7YAhsMBQkB4TOAAAoJEOiNMzT6X2oKTjgP/1ojCVyGyvHMLUgnX0zwrR5Q -1M5RKFz6kHwKjODVLR3Isp8I935oTQt3DY7yFDI4t0GqbYRQMtxcNEb7maianhK2trCXfhPs -6/L04igjDf5iTcmzamXN6xnh5xkz06hZJJCMuu4MvKxC9MQHCVKAwjswl/9H9JqIBXAY3E2l -LpX5P+5jDZuPxS86p3+k4Rrdp9KTGXjiuEleM3zGlz5BLWydqovOck7C2aKh27ETFpDYY0z3 -yQ5AsPJyk1rAr0wrH6+ywmwWlzuQewavnrLnJ2M8iMFXpIhyHeEIU/f7o8f+dQk72rZ9CGzd -cqig2za/BS3zawZWgbv2vB2elNsIllYLdir45jxBOxx2yvJvEuu4glz78y4oJTCTAYAbMlle -5gVdPkVcGyvvVS9tinnSaiIzuvWrYHKWll1uYPm2Q1CDs06P5I7bUGAXpgQLUh/XQguy/0sX -GWqW3FS5JzP+XgcR/7UASvwBdHylubKbeqEpB7G1s+m+8C67qOrc7EQv3Jmy1YDOkhEyNig1 -rmjplLuir3tC1X+D7dHpn7NJe7nMwFx2b2MpMkLA9jPPAGPp/ekcu5sxCe+E0J/4UF++K+CR -XIxgtzU2UJfp8p9x+ygbx5qHinR0tVRdIzv3ZnGsXrfxnWfSOaB582cU3VRN9INzHHax8ETa -QVDnGO5uQa+FiQI8BBgBCAAmAhsMFiEErpbtlp5HmwCE8+F/6I0zNPpfagoFAmEAELYFCQyc 
-mN4ACgkQ6I0zNPpfagoqAQ/+MnDjBx8JWMd/XjeFoYKx/Oo0ntkInV+ME61JTBls4PdVk+TB -8PWZdPQHw9SnTvRmykFeznXIRzuxkowjrZYXdPXBxY2b1WyD5V3Ati1TM9vqpaR4osyPs2xy -I4dzDssh9YvUsIRL99O04/65lGiYeBNuACq+yK/7nD/ErzBkDYJHhMCdadbVWUACxvVIDvro -yQeVLKMsHqMCd8BTGD7VDs79NXskPnN77pAFnkzS4Z2b8SNzrlgTc5pUiuZHIXPIpEYmsYzh -ucTU6uI3dN1PbSFHK5tG2pHb4ZrPxY3L20Dgc2Tfu5/SDApZzwvvKTqjdO891MEJ++H+ssOz -i4O1UeWKs9owWttan9+PI47ozBSKOTxmMqLSQ0f56Np9FJsV0ilGxRKfjhzJ4KniOMUBA7mP -+m+TmXfVtthJred4sHlJMTJNpt+sCcT6wLMmyc3keIEAu33gsJj3LTpkEA2q+V+ZiP6Q8HRB -402ITklABSArrPSE/fQU9L8hZ5qmy0Z96z0iyILgVMLuRCCfQOMWhwl8yQWIIaf1yPI07xur -epy6lH7HmxjjOR7eo0DaSxQGQpThAtFGwkWkFh8yki8j3E42kkrxvEyyYZDXn2YcI3bpqhJx -PtwCMZUJ3kc/skOrs6bOI19iBNaEoNX5Dllm7UHjOgWNDQkcCuOCxucKano= -=arte ------END PGP PUBLIC KEY BLOCK------ -``` +## Polygon security contact details +security@polygon.technology From 963a80fd9b7224c7d1adb1ec1a0d51d46144040e Mon Sep 17 00:00:00 2001 From: marcello33 Date: Thu, 3 Nov 2022 11:33:19 +0100 Subject: [PATCH 02/26] dev: add: pos-944 remove linters as this is included already in build ci --- .github/workflows/security-ci.yml | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/.github/workflows/security-ci.yml b/.github/workflows/security-ci.yml index bbc4efb76a..fcddb46121 100644 --- a/.github/workflows/security-ci.yml +++ b/.github/workflows/security-ci.yml @@ -26,17 +26,3 @@ jobs: args: --org=${{ secrets.SNYK_ORG }} env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - golangci: - name: lint - runs-on: ubuntu-latest - steps: - - uses: actions/setup-go@v3 - with: - go-version: 1.19 - - uses: actions/checkout@v3 - - name: golangci-lint - uses: golangci/golangci-lint-action@v3 - with: - # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version - version: latest From 026cf3f191da7482eb7a925fcfb37bce3b80df83 Mon Sep 17 00:00:00 2001 
From: marcello33
Date: Wed, 9 Nov 2022 17:49:38 +0100
Subject: [PATCH 03/26] dev: chg: pos-947 dependencies upgrade to solve snyk security issues

---
 go.mod | 4 +++-
 go.sum | 7 ++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/go.mod b/go.mod
index 36595ca307..f770311c31 100644
--- a/go.mod
+++ b/go.mod
@@ -71,7 +71,7 @@ require (
 golang.org/x/crypto v0.0.0-20220507011949-2cf3adece122
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10
- golang.org/x/text v0.3.7
+ golang.org/x/text v0.3.8
 golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba
 golang.org/x/tools v0.1.12
 gonum.org/v1/gonum v0.11.0
@@ -141,3 +141,5 @@ require (
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 )
+
+replace github.com/Masterminds/goutils => github.com/Masterminds/goutils v1.1.1
diff --git a/go.sum b/go.sum
index 96fa9d3f04..4403b347d2 100644
--- a/go.sum
+++ b/go.sum
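Review bot: The `replace github.com/Masterminds/goutils => github.com/Masterminds/goutils v1.1.1` directive only applies when this repository is the main module; a downstream module that imports this code ignores replace directives and still resolves goutils through the requirement graph (v1.1.0 per the go.sum hunk that follows). If the goal is to ship the fixed version, express it as a requirement instead — `go get github.com/Masterminds/goutils@v1.1.1` adds a `require github.com/Masterminds/goutils v1.1.1 // indirect` line that minimal version selection honours for consumers as well. A module replaced with itself at another version is also what forces the `gomoddirectives` linter to be switched off in PATCH 05.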
@@ -31,8 +31,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym github.com/DATA-DOG/go-sqlmock v1.3.3/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM= github.com/JekaMas/go-grpc-net-conn v0.0.0-20220708155319-6aff21f2d13d h1:RO27lgfZF8s9lZ3pWyzc0gCE0RZC+6/PXbRjAa0CNp8= github.com/JekaMas/go-grpc-net-conn v0.0.0-20220708155319-6aff21f2d13d/go.mod h1:romz7UPgSYhfJkKOalzEEyV6sWtt/eAEm0nX2aOrod0= -github.com/Masterminds/goutils v1.1.0 h1:zukEsf/1JZwCMgHiK3GZftabmxiCw4apj3a28RPBiVg= -github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= +github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= +github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww= github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= github.com/Masterminds/sprig v2.22.0+incompatible h1:z4yfnGrZ7netVz+0EDJ0Wi+5VZCSYp4Z0m2dk6cEM60= 
@@ -667,8 +667,9 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.3.8 h1:nAL+RVCQ9uMn3vJZbV+MRnydTJFPf8qqY42YiA6MrqY= +golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20201208040808-7e3f01d25324/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From b6ff3da2334999a69369939ea45c6dc59fe018f4 Mon Sep 17 00:00:00 2001 From: marcello33 Date: Thu, 10 Nov 2022 12:57:45 +0100 Subject: [PATCH 04/26] dev: chg: update security-ci --- .github/workflows/security-ci.yml | 31 ++++++++++++++++++++++--------- 1 file changed, 22 insertions(+), 9 deletions(-) diff --git a/.github/workflows/security-ci.yml b/.github/workflows/security-ci.yml index fcddb46121..4d18a683dd 100644 --- a/.github/workflows/security-ci.yml +++ b/.github/workflows/security-ci.yml 
@@ -3,26 +3,39 @@ on: [push, pull_request]
 jobs:
 snyk:
- name: Snyk
+ name: Snyk and Publish
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@master
+ - name: Checkout Source
+ uses: actions/checkout@master
 - name: Run Snyk to check for vulnerabilities
 uses: snyk/actions/golang@master
- with:
- args: --org=${{ secrets.SNYK_ORG }} --severity-threshold=medium
+ continue-on-error: true
 env:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ args: --org=${{ secrets.SNYK_ORG }} --severity-threshold=medium --sarif-file-output=snyk.sarif
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: snyk.sarif
 snyk-code:
- name: Snyk Code
+ name: Snyk Code and Publish
 runs-on: ubuntu-latest
+ continue-on-error: true
 steps:
- - uses: actions/checkout@master
+ - name: Checkout Source
+ uses: actions/checkout@master
 - name: Run Snyk SAST to check for code vulnerabilities
 uses: snyk/actions/golang@master
- with:
- command: code test
- args: --org=${{ secrets.SNYK_ORG }}
+ continue-on-error: true
 env:
 SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ args: --org=${{ secrets.SNYK_ORG }} --sarif-file-output=snyk.sarif
+ command: code test
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: snyk.sarif
From e17b42ee38f24db0be0e39cd39e02ba1680bb64e Mon Sep 17 00:00:00 2001
From: marcello33
Date: Thu, 10 Nov 2022 13:30:04 +0100
Subject: [PATCH 05/26] dev: chg: remove linter to allow replacements for security issues

---
 .golangci.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.golangci.yml b/.golangci.yml
index 89eebfe9fe..33ddb3bae1 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -30,7 +30,7 @@ linters:
 - gocognit
 - gofmt
 # - gomnd
- - gomoddirectives
+ # - gomoddirectives
 - gosec
 - makezero
 - nestif
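Review bot: `continue-on-error: true` on both "Run Snyk" steps, and again at job level on `snyk-code`, means a finding at or above `--severity-threshold=medium` never turns the check red, so the workflow is advisory only and a pull request that introduces a vulnerable dependency still passes. If the flag is there so the SARIF upload still runs after a failed scan, put `if: always()` on the "Upload result to GitHub Code Scanning" step and drop `continue-on-error` from the scan steps; the upload then happens and the failure is still reported. `github/codeql-action/upload-sarif` also needs `security-events: write` on the job token, which this workflow does not declare; whether the default token carries it depends on repository settings, so an explicit `permissions:` block on each job makes it deterministic.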
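Review bot: Commenting out `gomoddirectives` disables the whole linter (it also flags local-path replaces, `exclude` and unexplained `retract` directives) in order to admit the single `replace` added in PATCH 03. The narrower change is to keep the linter enabled and allow just that module under `linters-settings:` with `gomoddirectives: replace-allow-list: [github.com/Masterminds/goutils]`; the file already has a `linters-settings` section, which the following hunks edit.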
@@ -65,10 +65,10 @@ linters-settings:
 goimports:
 local-prefixes: github.com/ethereum/go-ethereum
-
+
 nestif:
 min-complexity: 5
-
+
 prealloc:
 for-loops: true
@@ -79,7 +79,7 @@ linters-settings:
 # By default list of stable checks is used.
 enabled-checks:
 - badLock
- - filepathJoin
+ - filepathJoin
 - sortSlice
 - sprintfQuotedString
 - syncMapLoadAndDelete
@@ -185,4 +185,4 @@ issues:
 max-issues-per-linter: 0
 max-same-issues: 0
 #new: true
- new-from-rev: origin/master
\ No newline at end of file
+ new-from-rev: origin/master
From 05554e6e8a691b8fee38d66ceacd6b350927871b Mon Sep 17 00:00:00 2001
From: marcello33
Date: Fri, 11 Nov 2022 08:42:01 +0100
Subject: [PATCH 06/26] dev: add: pos-944 verify path when updating metrics from config

---
 metrics/metrics.go | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/metrics/metrics.go b/metrics/metrics.go
index 1d0133e850..15f2789a27 100644
--- a/metrics/metrics.go
+++ b/metrics/metrics.go
@@ -6,7 +6,10 @@ package metrics
 import (
+ "errors"
+ "fmt"
 "os"
+ "path/filepath"
 "runtime"
 "strings"
 "time"
@@ -71,7 +74,13 @@ func init() {
 func updateMetricsFromConfig(path string) {
 // Don't act upon any errors here. They're already taken into
 // consideration when the toml config file will be parsed in the cli.
- data, err := os.ReadFile(path)
+ canonicalPath, err := verifyPath(path)
+ if err != nil {
+ fmt.Println("path not verified: " + err.Error())
+ return
+ }
+
+ data, err := os.ReadFile(canonicalPath)
 tomlData := string(data)
 if err != nil {
@@ -169,3 +178,14 @@ func CollectProcessMetrics(refresh time.Duration) {
 time.Sleep(refresh)
 }
 }
+
+func verifyPath(path string) (string, error) {
+ c := filepath.Clean(path)
+
+ r, err := filepath.EvalSymlinks(c)
+ if err != nil {
+ return c, errors.New(fmt.Sprintf("unsafe or invalid path specified: %s", path))
+ } else {
+ return r, nil
+ }
+}
From 9112ca4ad59299f0bc0b3da8b6a39c46a3ac31ba Mon Sep 17 00:00:00 2001
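Review bot: `verifyPath` canonicalises but does not confine: `filepath.Clean` plus `filepath.EvalSymlinks` resolve `..` segments and symlinks and then accept any path that exists, so a caller-supplied path outside the intended configuration directory comes back as "verified" and is read all the same. If the intent is to bound where `updateMetricsFromConfig` reads from, compare the resolved path against an allowed base with `filepath.Rel` and reject results that start with `..`; if canonicalisation is all that is wanted, the name and the "unsafe" error text overstate it, and a comment such as `// verifyPath returns the cleaned, symlink-resolved form of path; it does not restrict where the path may point.` keeps the next reader honest. In `updateMetricsFromConfig` the new `fmt.Println` writes to stdout from a library package, directly under the header comment that says errors are not acted upon here; previously a bad path fell through to the existing `if err != nil` branch, so routing the verification failure into that same branch (the function continues outside the hunk) keeps a single reporting path. Minor: `} else {` after a `return`, and returning `c` alongside a non-nil error, are both flagged by common linters; `return "", err` followed by an unindented `return r, nil` is the idiomatic shape.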
From: marcello33 Date: Fri, 11 Nov 2022 08:56:35 +0100 Subject: [PATCH 07/26] dev: add: pos-944 fix linter --- metrics/metrics.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/metrics/metrics.go b/metrics/metrics.go index 15f2789a27..280811514c 100644 --- a/metrics/metrics.go +++ b/metrics/metrics.go @@ -6,7 +6,6 @@ package metrics import ( - "errors" "fmt" "os" "path/filepath" @@ -184,7 +183,7 @@ func verifyPath(path string) (string, error) { r, err := filepath.EvalSymlinks(c) if err != nil { - return c, errors.New(fmt.Sprintf("unsafe or invalid path specified: %s", path)) + return c, fmt.Errorf("unsafe or invalid path specified: %s", path) } else { return r, nil } From 0219da15c17ab377764999d115ea517c150f6a89 Mon Sep 17 00:00:00 2001 From: marcello33 Date: Fri, 11 Nov 2022 09:31:54 +0100 Subject: [PATCH 08/26] dev: add: pos-944 add .snyk policy file / fix snyk code vulnerabilities --- .snyk | 37 ++++++++++++++++++++++++++ build/ci.go | 37 +++++++++++++++----------- cmd/evm/runner.go | 2 +- cmd/faucet/faucet.go | 11 ++++++-- common/path.go | 12 +++++++++ rlp/rlpgen/main.go | 12 +++++++-- scripts/getconfig.go | 11 ++++++-- tests/fuzzers/difficulty/debug/main.go | 10 ++++++- tests/fuzzers/rangeproof/debug/main.go | 12 +++++++-- tests/fuzzers/snap/debug/main.go | 12 +++++++-- tests/fuzzers/stacktrie/debug/main.go | 12 +++++++-- tests/fuzzers/vflux/debug/main.go | 12 +++++++-- 12 files changed, 148 insertions(+), 32 deletions(-) create mode 100644 .snyk diff --git a/.snyk b/.snyk new file mode 100644 index 0000000000..2fa83cf27c --- /dev/null +++ b/.snyk 
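Review bot: The `fmt.Errorf` rewrite still discards the `filepath.EvalSymlinks` error, so callers cannot distinguish "does not exist" from "permission denied" or a symlink loop, and `errors.Is(err, fs.ErrNotExist)` can never match. Wrapping the cause costs one verb: `return c, fmt.Errorf("unsafe or invalid path specified: %s: %w", path, err)`. The `} else {` after the `return` on the following lines is left as is and is the next thing a lint run will report; verifyPath's closing brace is outside the hunk.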
@@ -0,0 +1,37 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+ 'snyk:lic:golang:github.com:karalabe:usb:LGPL-3.0':
+ - '*':
+ reason: 'As open source org, we have no issues with licenses'
+ created: 2022-11-11T08:06:37.028Z
+ 'snyk:lic:golang:github.com:mitchellh:cli:MPL-2.0':
+ - '*':
+ reason: 'As open source org, we have no issues with licenses'
+ created: 2022-11-11T08:07:42.661Z
+ 'snyk:lic:golang:github.com:hashicorp:hcl:v2:MPL-2.0':
+ - '*':
+ reason: 'As open source org, we have no issues with licenses'
+ created: 2022-11-11T08:09:08.112Z
+ 'snyk:lic:golang:github.com:hashicorp:go-multierror:MPL-2.0':
+ - '*':
+ reason: 'As open source org, we have no issues with licenses'
+ created: 2022-11-11T08:09:14.673Z
+ 'snyk:lic:golang:github.com:hashicorp:go-bexpr:MPL-2.0':
+ - '*':
+ reason: 'As open source org, we have no issues with licenses'
+ created: 2022-11-11T08:09:21.843Z
+ 'snyk:lic:golang:github.com:hashicorp:errwrap:MPL-2.0':
+ - '*':
+ reason: 'As open source org, we have no issues with licenses'
+ created: 2022-11-11T08:09:28.257Z
+ 'snyk:lic:golang:github.com:ethereum:go-ethereum:LGPL-3.0':
+ - '*':
+ reason: 'As open source org, we have no issues with licenses'
+ created: 2022-11-11T08:09:35.273Z
+ 'snyk:lic:golang:github.com:maticnetwork:polyproto:GPL-3.0':
+ - '*':
+ reason: 'As open source org, we have no issues with licenses'
+ created: 2022-11-11T08:09:41.635Z
+patch: {}
diff --git a/build/ci.go b/build/ci.go
index c3dccfc588..e18958010b 100644
--- a/build/ci.go
+++ b/build/ci.go
@@ -24,19 +24,18 @@ Usage: go run build/ci.go
 Available commands are:
- install [ -arch architecture ] [ -cc compiler ] [ packages... ] -- builds packages and executables
- test [ -coverage ] [ packages... ] -- runs the tests
- lint -- runs certain pre-selected linters
- archive [ -arch architecture ] [ -type zip|tar ] [ -signer key-envvar ] [ -signify key-envvar ] [ -upload dest ] -- archives build artifacts
- importkeys -- imports signing keys from env
- debsrc [ -signer key-id ] [ -upload dest ] -- creates a debian source package
- nsis -- creates a Windows NSIS installer
- aar [ -local ] [ -sign key-id ] [-deploy repo] [ -upload dest ] -- creates an Android archive
- xcode [ -local ] [ -sign key-id ] [-deploy repo] [ -upload dest ] -- creates an iOS XCode framework
- purge [ -store blobstore ] [ -days threshold ] -- purges old archives from the blobstore
+ install [ -arch architecture ] [ -cc compiler ] [ packages... ] -- builds packages and executables
+ test [ -coverage ] [ packages... ] -- runs the tests
+ lint -- runs certain pre-selected linters
+ archive [ -arch architecture ] [ -type zip|tar ] [ -signer key-envvar ] [ -signify key-envvar ] [ -upload dest ] -- archives build artifacts
+ importkeys -- imports signing keys from env
+ debsrc [ -signer key-id ] [ -upload dest ] -- creates a debian source package
+ nsis -- creates a Windows NSIS installer
+ aar [ -local ] [ -sign key-id ] [-deploy repo] [ -upload dest ] -- creates an Android archive
+ xcode [ -local ] [ -sign key-id ] [-deploy repo] [ -upload dest ] -- creates an iOS XCode framework
+ purge [ -store blobstore ] [ -days threshold ] -- purges old archives from the blobstore
 For all commands, -n prevents execution of external programs (dry run mode).
-
 */
 package main
@@ -674,21 +673,27 @@ func doDebianSource(cmdline []string) {
 meta := newDebMetadata(distro, goboot, *signer, env, now, pkg.Name, pkg.Version, pkg.Executables)
 pkgdir := stageDebianSource(*workdir, meta)
+ canonicalPath, err := common.VerifyPath(pkgdir)
+ if err != nil {
+ fmt.Println("path not verified: " + err.Error())
+ return
+ }
+
 // Add Go source code
- if err := build.ExtractArchive(gobundle, pkgdir); err != nil {
+ if err := build.ExtractArchive(gobundle, canonicalPath); err != nil {
 log.Fatalf("Failed to extract Go sources: %v", err)
 }
- if err := os.Rename(filepath.Join(pkgdir, "go"), filepath.Join(pkgdir, ".go")); err != nil {
+ if err := os.Rename(filepath.Join(canonicalPath, "go"), filepath.Join(canonicalPath, ".go")); err != nil {
 log.Fatalf("Failed to rename Go source folder: %v", err)
 }
 // Add all dependency modules in compressed form
- os.MkdirAll(filepath.Join(pkgdir, ".mod", "cache"), 0755)
- if err := cp.CopyAll(filepath.Join(pkgdir, ".mod", "cache", "download"), filepath.Join(*workdir, "modgopath", "pkg", "mod", "cache", "download")); err != nil {
+ os.MkdirAll(filepath.Join(canonicalPath, ".mod", "cache"), 0755)
+ if err := cp.CopyAll(filepath.Join(canonicalPath, ".mod", "cache", "download"), filepath.Join(*workdir, "modgopath", "pkg", "mod", "cache", "download")); err != nil {
 log.Fatalf("Failed to copy Go module dependencies: %v", err)
 }
 // Run the packaging and upload to the PPA
 debuild := exec.Command("debuild", "-S", "-sa", "-us", "-uc", "-d", "-Zxz", "-nc")
- debuild.Dir = pkgdir
+ debuild.Dir = canonicalPath
 build.MustRun(debuild)
 var (
diff --git a/cmd/evm/runner.go b/cmd/evm/runner.go
index 889de43e0a..e67d3e2143 100644
--- a/cmd/evm/runner.go
+++ b/cmd/evm/runner.go
@@ -280,7 +280,7 @@ func runCmd(ctx *cli.Context) error {
 os.Exit(1)
 }
 if err := pprof.WriteHeapProfile(f); err != nil {
- fmt.Println("could not write memory profile: ", err)
+ fmt.Println("could not write memory profile")
 os.Exit(1)
 }
 f.Close()
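Review bot: On a `common.VerifyPath` failure the new block prints to stdout and `return`s from `doDebianSource`, so `ci.go debsrc` exits 0 having silently built nothing, whereas every other failure on the visible lines is `log.Fatalf`. If this sits inside the per-package loop that the `pkg.Name` reference suggests (the loop header is outside the hunk), the `return` also skips every remaining package. `pkgdir` is produced by `stageDebianSource` under `*workdir` one line earlier rather than taken from external input, so the canonicalisation adds little here; if it stays, fail loudly and consistently: `log.Fatalf("Failed to verify package directory %s: %v", pkgdir, err)`.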
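Review bot: Removing `err` from the message leaves no diagnostic for a failed heap-profile write; the value comes from `pprof.WriteHeapProfile`, not from user input, so there is no injection surface to take away. If a scanner flagged the `Println`, keep the cause and route it to stderr: `fmt.Fprintf(os.Stderr, "could not write memory profile: %v\n", err)` (`os` is already in use on the adjacent `os.Exit(1)` line).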
diff --git a/cmd/faucet/faucet.go b/cmd/faucet/faucet.go
index 9a251f7884..67710eaeb4 100644
--- a/cmd/faucet/faucet.go
+++ b/cmd/faucet/faucet.go
@@ -162,9 +162,16 @@ func main() {
 }
 }
 // Load up the account key and decrypt its password
- blob, err := ioutil.ReadFile(*accPassFlag)
+
+ canonicalPath, err := common.VerifyPath(*accPassFlag)
+ if err != nil {
+ fmt.Println("path not verified: " + err.Error())
+ return
+ }
+
+ blob, err := ioutil.ReadFile(canonicalPath)
 if err != nil {
- log.Crit("Failed to read account password contents", "file", *accPassFlag, "err", err)
+ log.Crit("Failed to read account password contents", "file", canonicalPath, "err", err)
 }
 pass := strings.TrimSuffix(string(blob), "\n")
diff --git a/common/path.go b/common/path.go
index 69820cfe5d..a56b01361a 100644
--- a/common/path.go
+++ b/common/path.go
@@ -47,3 +47,15 @@ func AbsolutePath(datadir string, filename string) string {
 }
 return filepath.Join(datadir, filename)
 }
+
+// VerifyPath sanitizes the path to avoid Path Traversal vulnerability
+func VerifyPath(path string) (string, error) {
+ c := filepath.Clean(path)
+
+ r, err := filepath.EvalSymlinks(c)
+ if err != nil {
+ return c, fmt.Errorf("unsafe or invalid path specified: %s", path)
+ } else {
+ return r, nil
+ }
+}
diff --git a/rlp/rlpgen/main.go b/rlp/rlpgen/main.go
index 5b240bfd85..55112565db 100644
--- a/rlp/rlpgen/main.go
+++ b/rlp/rlpgen/main.go
@@ -21,6 +21,7 @@ import (
 "errors"
 "flag"
 "fmt"
+ "github.com/ethereum/go-ethereum/common"
 "go/types"
 "io/ioutil"
 "os"
@@ -52,8 +53,15 @@ func main() {
 }
 if *output == "-" {
 os.Stdout.Write(code)
- } else if err := ioutil.WriteFile(*output, code, 0644); err != nil {
- fatal(err)
+ } else {
+ canonicalPath, err := common.VerifyPath(*output)
+ if err != nil {
+ fmt.Println("path not verified: " + err.Error())
+ fatal(err)
+ }
+ if err := ioutil.WriteFile(canonicalPath, code, 0644); err != nil {
+ fatal(err)
+ }
 }
 }
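Review bot: A `common.VerifyPath` failure here makes `main` `return`, so the faucet exits with status 0 after a stdout message, while the read failure a few lines later goes through `log.Crit`, which logs and exits non-zero. Use the same path for both: `log.Crit("Failed to verify account password path", "file", *accPassFlag, "err", err)`. The same print-and-return pattern is repeated in this patch in scripts/getconfig.go `commentFlags` (whose neighbours use `log.Fatalln`) and in the five fuzzer debug mains under tests/fuzzers (whose neighbours use `fmt.Fprintf(os.Stderr, ...)` plus `os.Exit(1)`), where it likewise turns a refused path into a successful exit.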
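Review bot: The doc comment says VerifyPath "sanitizes the path to avoid Path Traversal", but `filepath.Clean` followed by `filepath.EvalSymlinks` only canonicalises: a path containing `..` or a symlink that resolves to any existing location is returned as valid, nothing is compared against a base directory, and the function cannot accept paths that do not exist yet because EvalSymlinks fails on them. Either document it as canonicalisation — `// VerifyPath returns the cleaned, symlink-resolved form of path. It does not restrict the directory the result may point to.` — or add a containment variant next to it. The sketch below keeps the exported signature, returns `""` with the error instead of the half-cleaned `c`, wraps the cause with `%w`, drops the `else` after `return`, and adds `VerifyPathWithin` for callers that do have a base directory (it uses `strings`, which must be present in the file's import block).
```go
// VerifyPath returns the cleaned, symlink-resolved form of path. It does not
// restrict the directory the result may point to; use VerifyPathWithin for that.
func VerifyPath(path string) (string, error) {
	r, err := filepath.EvalSymlinks(filepath.Clean(path))
	if err != nil {
		return "", fmt.Errorf("unsafe or invalid path specified: %s: %w", path, err)
	}
	return r, nil
}

// VerifyPathWithin resolves path like VerifyPath and rejects any result that
// is not inside the resolved base directory.
func VerifyPathWithin(base, path string) (string, error) {
	b, err := VerifyPath(base)
	if err != nil {
		return "", err
	}
	r, err := VerifyPath(path)
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(b, r)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("path %s escapes %s", path, base)
	}
	return r, nil
}
```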
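Review bot: `filepath.EvalSymlinks` returns an error for a path that does not exist, so `-output` naming a file the generator has not created yet — the normal case — now fails with "unsafe or invalid path specified" before `ioutil.WriteFile` runs, unless the target is always pre-created. Canonicalise the directory instead and keep the file name: `canonicalDir, err := common.VerifyPath(filepath.Dir(*output))` followed by `ioutil.WriteFile(filepath.Join(canonicalDir, filepath.Base(*output)), code, 0644)` (`path/filepath` must be imported if it is not already). The `fmt.Println` followed by `fatal(err)` also reports the same failure twice; `fatal(err)` alone suffices. Separately, `"github.com/ethereum/go-ethereum/common"` is inserted between `"fmt"` and `"go/types"` inside the standard-library group; goimports puts it in its own group after the standard library, and the same placement appears in scripts/getconfig.go and in the five tests/fuzzers/*/debug/main.go import hunks.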
diff --git a/scripts/getconfig.go b/scripts/getconfig.go
index 136b69ecab..ad6ee18a8f 100644
--- a/scripts/getconfig.go
+++ b/scripts/getconfig.go
@@ -4,6 +4,7 @@ import (
 "encoding/json"
 "errors"
 "fmt"
+ "github.com/ethereum/go-ethereum/common"
 "log"
 "os"
 "strconv"
@@ -516,7 +517,13 @@ func commentFlags(path string, updatedArgs []string) {
 ignoreLineFlag := false
- input, err := os.ReadFile(path)
+ canonicalPath, err := common.VerifyPath(path)
+ if err != nil {
+ fmt.Println("path not verified: " + err.Error())
+ return
+ }
+
+ input, err := os.ReadFile(canonicalPath)
 if err != nil {
 log.Fatalln(err)
 }
@@ -596,7 +603,7 @@ func commentFlags(path string, updatedArgs []string) {
 output := strings.Join(newLines, "\n")
- err = os.WriteFile(path, []byte(output), 0600)
+ err = os.WriteFile(canonicalPath, []byte(output), 0600)
 if err != nil {
 log.Fatalln(err)
 }
diff --git a/tests/fuzzers/difficulty/debug/main.go b/tests/fuzzers/difficulty/debug/main.go
index 23516b3a0d..e9a84581b6 100644
--- a/tests/fuzzers/difficulty/debug/main.go
+++ b/tests/fuzzers/difficulty/debug/main.go
@@ -2,6 +2,7 @@ package main
 import (
 "fmt"
+ "github.com/ethereum/go-ethereum/common"
 "io/ioutil"
 "os"
@@ -15,8 +16,15 @@ func main() {
 }
 crasher := os.Args[1]
 data, err := ioutil.ReadFile(crasher)
+
+ canonicalPath, err := common.VerifyPath(crasher)
+ if err != nil {
+ fmt.Println("path not verified: " + err.Error())
+ return
+ }
+
 if err != nil {
- fmt.Fprintf(os.Stderr, "error loading crasher %v: %v", crasher, err)
+ fmt.Fprintf(os.Stderr, "error loading crasher %v: %v", canonicalPath, err)
 os.Exit(1)
 }
 difficulty.Fuzz(data)
diff --git a/tests/fuzzers/rangeproof/debug/main.go b/tests/fuzzers/rangeproof/debug/main.go
index a81c69fea5..5a6a22e08e 100644
--- a/tests/fuzzers/rangeproof/debug/main.go
+++ b/tests/fuzzers/rangeproof/debug/main.go
@@ -18,6 +18,7 @@ package main
 import (
 "fmt"
+ "github.com/ethereum/go-ethereum/common"
 "io/ioutil"
 "os"
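Review bot: In the difficulty debug main the original `data, err := ioutil.ReadFile(crasher)` survives above the new verification block, so the file is still read from the unverified path and its `err` is then overwritten by `canonicalPath, err := common.VerifyPath(crasher)`; the `if err != nil` that follows re-tests an error already handled, a failed read is never detected, and `difficulty.Fuzz` receives nil data. The other four debug mains in this patch replace the read rather than keep it; do the same here by deleting the early `ReadFile` line and inserting `data, err := ioutil.ReadFile(canonicalPath)` after the verification block's closing brace.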
@@ -32,9 +33,16 @@ func main() { os.Exit(1) } crasher := os.Args[1] - data, err := ioutil.ReadFile(crasher) + + canonicalPath, err := common.VerifyPath(crasher) + if err != nil { + fmt.Println("path not verified: " + err.Error()) + return + } + + data, err := ioutil.ReadFile(canonicalPath) if err != nil { - fmt.Fprintf(os.Stderr, "error loading crasher %v: %v", crasher, err) + fmt.Fprintf(os.Stderr, "error loading crasher %v: %v", canonicalPath, err) os.Exit(1) } rangeproof.Fuzz(data) diff --git a/tests/fuzzers/snap/debug/main.go b/tests/fuzzers/snap/debug/main.go index d0d1b49307..501a416131 100644 --- a/tests/fuzzers/snap/debug/main.go +++ b/tests/fuzzers/snap/debug/main.go @@ -18,6 +18,7 @@ package main import ( "fmt" + "github.com/ethereum/go-ethereum/common" "io/ioutil" "os" @@ -30,9 +31,16 @@ func main() { os.Exit(1) } crasher := os.Args[1] - data, err := ioutil.ReadFile(crasher) + + canonicalPath, err := common.VerifyPath(crasher) + if err != nil { + fmt.Println("path not verified: " + err.Error()) + return + } + + data, err := ioutil.ReadFile(canonicalPath) if err != nil { - fmt.Fprintf(os.Stderr, "error loading crasher %v: %v", crasher, err) + fmt.Fprintf(os.Stderr, "error loading crasher %v: %v", canonicalPath, err) os.Exit(1) } snap.FuzzTrieNodes(data) diff --git a/tests/fuzzers/stacktrie/debug/main.go b/tests/fuzzers/stacktrie/debug/main.go index 1ec28a8ef1..1de90600a8 100644 --- a/tests/fuzzers/stacktrie/debug/main.go +++ b/tests/fuzzers/stacktrie/debug/main.go @@ -2,6 +2,7 @@ package main import ( "fmt" + "github.com/ethereum/go-ethereum/common" "io/ioutil" "os" 
@@ -14,9 +15,16 @@ func main() { os.Exit(1) } crasher := os.Args[1] - data, err := ioutil.ReadFile(crasher) + + canonicalPath, err := common.VerifyPath(crasher) + if err != nil { + fmt.Println("path not verified: " + err.Error()) + return + } + + data, err := ioutil.ReadFile(canonicalPath) if err != nil { - fmt.Fprintf(os.Stderr, "error loading crasher %v: %v", crasher, err) + fmt.Fprintf(os.Stderr, "error loading crasher %v: %v", canonicalPath, err) os.Exit(1) } stacktrie.Debug(data) diff --git a/tests/fuzzers/vflux/debug/main.go b/tests/fuzzers/vflux/debug/main.go index 1d4a5ff19c..bddf652e66 100644 --- a/tests/fuzzers/vflux/debug/main.go +++ b/tests/fuzzers/vflux/debug/main.go @@ -18,6 +18,7 @@ package main import ( "fmt" + "github.com/ethereum/go-ethereum/common" "io/ioutil" "os" @@ -35,9 +36,16 @@ func main() { os.Exit(1) } crasher := os.Args[1] - data, err := ioutil.ReadFile(crasher) + + canonicalPath, err := common.VerifyPath(crasher) + if err != nil { + fmt.Println("path not verified: " + err.Error()) + return + } + + data, err := ioutil.ReadFile(canonicalPath) if err != nil { - fmt.Fprintf(os.Stderr, "error loading crasher %v: %v", crasher, err) + fmt.Fprintf(os.Stderr, "error loading crasher %v: %v", canonicalPath, err) os.Exit(1) } vflux.FuzzClientPool(data) From 885273ae01caf58f4c29a673e8be8d9b2d9d522c Mon Sep 17 00:00:00 2001 From: marcello33 Date: Fri, 11 Nov 2022 09:43:00 +0100 Subject: [PATCH 09/26] dev: fix: pos-944 import common package / gitignore snyk dccache file --- .gitignore | 2 ++ build/ci.go | 1 + 2 files changed, 3 insertions(+) diff --git a/.gitignore b/.gitignore index 50328c8121..99a9d939d6 100644 --- a/.gitignore +++ b/.gitignore @@ -53,3 +53,5 @@ profile.cov ./bor-debug-* dist + +.dccache diff --git a/build/ci.go b/build/ci.go index e18958010b..afff1b7328 100644 --- a/build/ci.go +++ b/build/ci.go 
@@ -58,6 +58,7 @@ import ( "time" "github.com/cespare/cp" + "github.com/ethereum/go-ethereum/common" "github.com/ethereum/go-ethereum/crypto/signify" "github.com/ethereum/go-ethereum/internal/build" "github.com/ethereum/go-ethereum/params" From 57cbddca277e033a894a0c5472f681d948f9db67 Mon Sep 17 00:00:00 2001 From: marcello33 Date: Fri, 11 Nov 2022 10:11:33 +0100 Subject: [PATCH 10/26] dev: fix: pos-944 verify canonical path for crashers --- tests/fuzzers/difficulty/debug/main.go | 2 +- tests/fuzzers/les/debug/main.go | 12 ++++++++++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/tests/fuzzers/difficulty/debug/main.go b/tests/fuzzers/difficulty/debug/main.go index e9a84581b6..22875b3851 100644 --- a/tests/fuzzers/difficulty/debug/main.go +++ b/tests/fuzzers/difficulty/debug/main.go @@ -15,7 +15,6 @@ func main() { os.Exit(1) } crasher := os.Args[1] - data, err := ioutil.ReadFile(crasher) canonicalPath, err := common.VerifyPath(crasher) if err != nil { @@ -23,6 +22,7 @@ func main() { return } + data, err := ioutil.ReadFile(canonicalPath) if err != nil { fmt.Fprintf(os.Stderr, "error loading crasher %v: %v", canonicalPath, err) os.Exit(1) diff --git a/tests/fuzzers/les/debug/main.go b/tests/fuzzers/les/debug/main.go index 09e087d4c8..11d171598e 100644 --- a/tests/fuzzers/les/debug/main.go +++ b/tests/fuzzers/les/debug/main.go @@ -18,6 +18,7 @@ package main import ( "fmt" + "github.com/ethereum/go-ethereum/common" "io/ioutil" "os" @@ -32,9 +33,16 @@ func main() { os.Exit(1) } crasher := os.Args[1] - data, err := ioutil.ReadFile(crasher) + + canonicalPath, err := common.VerifyPath(crasher) + if err != nil { + fmt.Println("path not verified: " + err.Error()) + return + } + + data, err := ioutil.ReadFile(canonicalPath) if err != nil { - fmt.Fprintf(os.Stderr, "error loading crasher %v: %v", crasher, err) + fmt.Fprintf(os.Stderr, "error loading crasher %v: %v", canonicalPath, err) os.Exit(1) } les.Fuzz(data) 
From 050ba2da57c2601a83f2ee67b064ac2804579c43 Mon Sep 17 00:00:00 2001 From: marcello33 Date: Fri, 11 Nov 2022 10:25:36 +0100 Subject: [PATCH 11/26] dev: fix: pos-944 linter --- rlp/rlpgen/main.go | 5 +++-- scripts/getconfig.go | 2 +- tests/fuzzers/difficulty/debug/main.go | 2 +- tests/fuzzers/les/debug/main.go | 2 +- tests/fuzzers/rangeproof/debug/main.go | 2 +- tests/fuzzers/snap/debug/main.go | 2 +- tests/fuzzers/stacktrie/debug/main.go | 2 +- tests/fuzzers/vflux/debug/main.go | 2 +- 8 files changed, 10 insertions(+), 9 deletions(-) diff --git a/rlp/rlpgen/main.go b/rlp/rlpgen/main.go index 55112565db..cfee358c9d 100644 --- a/rlp/rlpgen/main.go +++ b/rlp/rlpgen/main.go @@ -21,12 +21,13 @@ import ( "errors" "flag" "fmt" - "github.com/ethereum/go-ethereum/common" "go/types" "io/ioutil" "os" "golang.org/x/tools/go/packages" + + "github.com/ethereum/go-ethereum/common" ) const pathOfPackageRLP = "github.com/ethereum/go-ethereum/rlp" @@ -59,7 +60,7 @@ func main() { fmt.Println("path not verified: " + err.Error()) fatal(err) } - if err := ioutil.WriteFile(canonicalPath, code, 0644); err != nil { + if err := ioutil.WriteFile(canonicalPath, code, 0600); err != nil { fatal(err) } } diff --git a/scripts/getconfig.go b/scripts/getconfig.go index ad6ee18a8f..6e74aaeeee 100644 --- a/scripts/getconfig.go +++ b/scripts/getconfig.go @@ -4,7 +4,6 @@ import ( "encoding/json" "errors" "fmt" - "github.com/ethereum/go-ethereum/common" "log" "os" "strconv" @@ -12,6 +11,7 @@ import ( "github.com/pelletier/go-toml" + "github.com/ethereum/go-ethereum/common" "github.com/ethereum/go-ethereum/internal/cli/server" ) diff --git a/tests/fuzzers/difficulty/debug/main.go b/tests/fuzzers/difficulty/debug/main.go index 22875b3851..594c87fb79 100644 --- a/tests/fuzzers/difficulty/debug/main.go +++ b/tests/fuzzers/difficulty/debug/main.go 
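Review bot: Changing the mode of rlpgen's output from 0644 to 0600 in the second rlp/rlpgen/main.go hunk makes generated Go source owner-readable only, which appeases the linter (presumably gosec's file-permission check) without a security gain: the file is source meant to be committed and built by others, and a build running as a different uid that cannot read the generated file is a puzzling failure. If the goal is a clean lint run, I would keep 0644 and suppress the finding on that line with a justification, e.g. `//nolint:gosec // generated source, must be readable by other users`. main continues outside the hunk.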
@@ -2,10 +2,10 @@ package main import ( "fmt" - "github.com/ethereum/go-ethereum/common" "io/ioutil" "os" + "github.com/ethereum/go-ethereum/common" "github.com/ethereum/go-ethereum/tests/fuzzers/difficulty" ) diff --git a/tests/fuzzers/les/debug/main.go b/tests/fuzzers/les/debug/main.go index 11d171598e..9f0f8c3fc2 100644 --- a/tests/fuzzers/les/debug/main.go +++ b/tests/fuzzers/les/debug/main.go @@ -18,10 +18,10 @@ package main import ( "fmt" - "github.com/ethereum/go-ethereum/common" "io/ioutil" "os" + "github.com/ethereum/go-ethereum/common" "github.com/ethereum/go-ethereum/tests/fuzzers/les" ) diff --git a/tests/fuzzers/rangeproof/debug/main.go b/tests/fuzzers/rangeproof/debug/main.go index 5a6a22e08e..92c843e75f 100644 --- a/tests/fuzzers/rangeproof/debug/main.go +++ b/tests/fuzzers/rangeproof/debug/main.go @@ -18,10 +18,10 @@ package main import ( "fmt" - "github.com/ethereum/go-ethereum/common" "io/ioutil" "os" + "github.com/ethereum/go-ethereum/common" "github.com/ethereum/go-ethereum/tests/fuzzers/rangeproof" ) diff --git a/tests/fuzzers/snap/debug/main.go b/tests/fuzzers/snap/debug/main.go index 501a416131..77fadec9ee 100644 --- a/tests/fuzzers/snap/debug/main.go +++ b/tests/fuzzers/snap/debug/main.go @@ -18,10 +18,10 @@ package main import ( "fmt" - "github.com/ethereum/go-ethereum/common" "io/ioutil" "os" + "github.com/ethereum/go-ethereum/common" "github.com/ethereum/go-ethereum/tests/fuzzers/snap" ) diff --git a/tests/fuzzers/stacktrie/debug/main.go b/tests/fuzzers/stacktrie/debug/main.go index 1de90600a8..b666d1be2a 100644 --- a/tests/fuzzers/stacktrie/debug/main.go +++ b/tests/fuzzers/stacktrie/debug/main.go @@ -2,10 +2,10 @@ package main import ( "fmt" - "github.com/ethereum/go-ethereum/common" "io/ioutil" "os" + "github.com/ethereum/go-ethereum/common" "github.com/ethereum/go-ethereum/tests/fuzzers/stacktrie" ) diff --git a/tests/fuzzers/vflux/debug/main.go b/tests/fuzzers/vflux/debug/main.go index bddf652e66..6df0bf25c6 100644 
--- a/tests/fuzzers/vflux/debug/main.go +++ b/tests/fuzzers/vflux/debug/main.go @@ -18,10 +18,10 @@ package main import ( "fmt" - "github.com/ethereum/go-ethereum/common" "io/ioutil" "os" + "github.com/ethereum/go-ethereum/common" "github.com/ethereum/go-ethereum/log" "github.com/ethereum/go-ethereum/tests/fuzzers/vflux" ) From 1a0b9103ea56be18271c8c4727b73aa2e5b35016 Mon Sep 17 00:00:00 2001 From: marcello33 Date: Tue, 15 Nov 2022 12:47:05 +0100 Subject: [PATCH 12/26] dev: add: pos-976 add govuln check --- .github/workflows/ci.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 002752d6aa..8b654d66b3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -55,6 +55,15 @@ jobs: if: runner.os == 'Linux' run: make lint + - name: Running govulncheck + uses: Templum/govulncheck-action@v0.0.6 + with: + go-version: 1.19 + vulncheck-version: latest + package: ./... + github-token: ${{ secrets.GITHUB_TOKEN }} + fail-on-vuln: false + - name: Test run: make test From f5871c87e709086767cbba405b457dd93e5b3908 Mon Sep 17 00:00:00 2001 From: marcello33 Date: Tue, 15 Nov 2022 16:42:12 +0100 Subject: [PATCH 13/26] dev: add: pos-976 test upload with permissions --- .github/workflows/ci.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8b654d66b3..2a9a7a1c87 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,6 +16,8 @@ concurrency: jobs: tests: + permissions: + security-events: write if: (github.event.action != 'closed' || github.event.pull_request.merged == true) strategy: matrix: @@ -64,6 +66,11 @@ jobs: github-token: ${{ secrets.GITHUB_TOKEN }} fail-on-vuln: false + - name: Upload govulncheck sarif report + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: govulncheck.sarif + - name: Test run: make test From de042845dbdd0fd5ae76dee558b5200de9ebc298 Mon Sep 17 00:00:00 2001 
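Review bot: The govulncheck step added to .github/workflows/ci.yml pins Templum/govulncheck-action by a mutable tag (v0.0.6) while handing it `secrets.GITHUB_TOKEN`, so anyone able to move that tag can run arbitrary code with the workflow's token; third-party actions that receive secrets should be pinned to a full commit SHA with the tag kept as a comment, `uses: Templum/govulncheck-action@<commit-sha> # v0.0.6`. With `fail-on-vuln: false` the step is purely advisory and nothing in this hunk surfaces its output, so findings are only seen by someone reading the job log. The tests job this step sits in starts outside the hunk.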
From: marcello33 Date: Tue, 15 Nov 2022 17:11:28 +0100 Subject: [PATCH 14/26] dev: add: pos-976 remove duplicated upload --- .github/workflows/ci.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2a9a7a1c87..30313c007c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -66,11 +66,6 @@ jobs: github-token: ${{ secrets.GITHUB_TOKEN }} fail-on-vuln: false - - name: Upload govulncheck sarif report - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: govulncheck.sarif - - name: Test run: make test From 563e2619c5208c07ba200314175b90498ab208d9 Mon Sep 17 00:00:00 2001 From: marcello33 Date: Tue, 15 Nov 2022 17:13:54 +0100 Subject: [PATCH 15/26] dev: add: pos-976 report upload --- .github/workflows/ci.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 30313c007c..4af8aaf5aa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -66,6 +66,12 @@ jobs: github-token: ${{ secrets.GITHUB_TOKEN }} fail-on-vuln: false + - name: Upload govulncheck Sarif Report + uses: actions/upload-artifact@v3 + with: + name: sarif-report + path: govulncheck-report.sarif + - name: Test run: make test From 2c19a3982d2c43ae20496a9658ad1cbdd3bd2ac7 Mon Sep 17 00:00:00 2001 From: marcello33 Date: Tue, 15 Nov 2022 18:42:20 +0100 Subject: [PATCH 16/26] dev: add: pos-976 remove upload --- .github/workflows/ci.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4af8aaf5aa..30313c007c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -66,12 +66,6 @@ jobs: github-token: ${{ secrets.GITHUB_TOKEN }} fail-on-vuln: false - - name: Upload govulncheck Sarif Report - uses: actions/upload-artifact@v3 - with: - name: sarif-report - path: govulncheck-report.sarif - - name: Test run: make test 
From 7e307ec58b663c515cfaf47d04afbc779a2b8a97 Mon Sep 17 00:00:00 2001 From: marcello33 Date: Wed, 16 Nov 2022 17:36:16 +0100 Subject: [PATCH 17/26] dev: fix: pos-944 fix govuln action --- .github/workflows/ci.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 30313c007c..caca49084e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -58,14 +58,23 @@ jobs: run: make lint - name: Running govulncheck - uses: Templum/govulncheck-action@v0.0.6 + uses: Templum/govulncheck-action@v0.0.7 + continue-on-error: true + env: + DEBUG: "true" with: - go-version: 1.19 + go-version: 1.18 vulncheck-version: latest package: ./... github-token: ${{ secrets.GITHUB_TOKEN }} fail-on-vuln: false + - name: Upload govulncheck report + uses: actions/upload-artifact@v3 + with: + name: raw-report + path: raw-report.json + - name: Test run: make test From 0cd380f259a761afa18550c9ace17cb83e966cdc Mon Sep 17 00:00:00 2001 From: marcello33 Date: Thu, 17 Nov 2022 15:39:33 +0100 Subject: [PATCH 18/26] dev: fix: pos-944 move govulncheck to security-ci --- .github/workflows/ci.yml | 18 ------------------ .github/workflows/security-ci.yml | 23 +++++++++++++++++++++++ 2 files changed, 23 insertions(+), 18 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index caca49084e..f217ef0e26 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -57,24 +57,6 @@ jobs: if: runner.os == 'Linux' run: make lint - - name: Running govulncheck - uses: Templum/govulncheck-action@v0.0.7 - continue-on-error: true - env: - DEBUG: "true" - with: - go-version: 1.18 - vulncheck-version: latest - package: ./... - github-token: ${{ secrets.GITHUB_TOKEN }} - fail-on-vuln: false - - - name: Upload govulncheck report - uses: actions/upload-artifact@v3 - with: - name: raw-report - path: raw-report.json - - name: Test run: make test 
diff --git a/.github/workflows/security-ci.yml b/.github/workflows/security-ci.yml index 4d18a683dd..5130098973 100644 --- a/.github/workflows/security-ci.yml +++ b/.github/workflows/security-ci.yml @@ -39,3 +39,26 @@ jobs: uses: github/codeql-action/upload-sarif@v2 with: sarif_file: snyk.sarif + + govuln: + name: Run govuln check and Publish + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Running govulncheck + uses: Templum/govulncheck-action@v0.0.7 + continue-on-error: true + env: + DEBUG: "true" + with: + go-version: 1.18 + vulncheck-version: latest + package: ./... + github-token: ${{ secrets.GITHUB_TOKEN }} + fail-on-vuln: true + + - name: Upload govulncheck report + uses: actions/upload-artifact@v3 + with: + name: raw-report + path: raw-report.json From 528a5986da837f1a97c2aa3d92c91e722f646190 Mon Sep 17 00:00:00 2001 From: marcello33 Date: Thu, 17 Nov 2022 15:44:08 +0100 Subject: [PATCH 19/26] dev: fix: pos-944 bump golvun action and golang versions --- .github/workflows/security-ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/security-ci.yml b/.github/workflows/security-ci.yml index 5130098973..5dc2b221db 100644 --- a/.github/workflows/security-ci.yml +++ b/.github/workflows/security-ci.yml @@ -46,12 +46,12 @@ jobs: steps: - uses: actions/checkout@v3 - name: Running govulncheck - uses: Templum/govulncheck-action@v0.0.7 + uses: Templum/govulncheck-action@v0.0.8 continue-on-error: true env: DEBUG: "true" with: - go-version: 1.18 + go-version: 1.19 vulncheck-version: latest package: ./... github-token: ${{ secrets.GITHUB_TOKEN }} From d9402a08eda7603403c0f2fd4491ed463a2be086 Mon Sep 17 00:00:00 2001 From: marcello33 Date: Thu, 17 Nov 2022 15:56:47 +0100 Subject: [PATCH 20/26] dev: fix: pos-944 remove persmissions and fix conflicts --- .github/workflows/ci.yml | 2 -- 1 file changed, 2 deletions(-) 
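Review bot: In the new govuln job of security-ci.yml, `continue-on-error: true` on the govulncheck step cancels the effect of `fail-on-vuln: true` a few lines lower: the step may show as failed, but the job and the workflow still succeed, so a vulnerable dependency never blocks anything. Drop continue-on-error, and if the intent was to keep the report artifact when the check fails, put `if: always()` on the upload step instead. `DEBUG: "true"` reads as leftover diagnostics, and the action is still pinned by tag (bumped to v0.0.8 in the next hunk) while receiving the workflow token, so a full commit SHA pin would be safer here as well. The job declares no `permissions:` block, so the token gets whatever the repository default grants; a read-only default is worth confirming.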
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f217ef0e26..002752d6aa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,8 +16,6 @@ concurrency: jobs: tests: - permissions: - security-events: write if: (github.event.action != 'closed' || github.event.pull_request.merged == true) strategy: matrix: From b55421c95d89726588a9c221f3d87358cfeb3a90 Mon Sep 17 00:00:00 2001 From: marcello33 Date: Mon, 28 Nov 2022 08:37:59 +0100 Subject: [PATCH 21/26] dev: chg: restore err msg --- cmd/evm/runner.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/evm/runner.go b/cmd/evm/runner.go index e67d3e2143..889de43e0a 100644 --- a/cmd/evm/runner.go +++ b/cmd/evm/runner.go @@ -280,7 +280,7 @@ func runCmd(ctx *cli.Context) error { os.Exit(1) } if err := pprof.WriteHeapProfile(f); err != nil { - fmt.Println("could not write memory profile") + fmt.Println("could not write memory profile: ", err) os.Exit(1) } f.Close() From dc41731e96f110979832c6abb49c17ca813c54ff Mon Sep 17 00:00:00 2001 From: marcello33 Date: Mon, 28 Nov 2022 08:42:21 +0100 Subject: [PATCH 22/26] dev: chg: remove duplicated function --- metrics/metrics.go | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/metrics/metrics.go b/metrics/metrics.go index 280811514c..dc3e351f0e 100644 --- a/metrics/metrics.go +++ b/metrics/metrics.go @@ -7,8 +7,8 @@ package metrics import ( "fmt" + "github.com/ethereum/go-ethereum/common" "os" - "path/filepath" "runtime" "strings" "time" @@ -73,7 +73,7 @@ func init() { func updateMetricsFromConfig(path string) { // Don't act upon any errors here. They're already taken into // consideration when the toml config file will be parsed in the cli. - canonicalPath, err := verifyPath(path) + canonicalPath, err := common.VerifyPath(path) if err != nil { fmt.Println("path not verified: " + err.Error()) return 
@@ -177,14 +177,3 @@ func CollectProcessMetrics(refresh time.Duration) { time.Sleep(refresh) } } - -func verifyPath(path string) (string, error) { - c := filepath.Clean(path) - - r, err := filepath.EvalSymlinks(c) - if err != nil { - return c, fmt.Errorf("unsafe or invalid path specified: %s", path) - } else { - return r, nil - } -} From 167caf2cbd7111d6236dc151b98d51c63f44faf5 Mon Sep 17 00:00:00 2001 From: marcello33 Date: Mon, 28 Nov 2022 09:11:08 +0100 Subject: [PATCH 23/26] dev: chg: sort import --- metrics/metrics.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metrics/metrics.go b/metrics/metrics.go index dc3e351f0e..55edfafd96 100644 --- a/metrics/metrics.go +++ b/metrics/metrics.go @@ -7,13 +7,13 @@ package metrics import ( "fmt" - "github.com/ethereum/go-ethereum/common" "os" "runtime" "strings" "time" "github.com/BurntSushi/toml" + "github.com/ethereum/go-ethereum/common" ) // Enabled is checked by the constructor functions for all of the From 62f9ea276726ed30eff78be72d258ab283f9efaf Mon Sep 17 00:00:00 2001 From: marcello33 Date: Mon, 28 Nov 2022 11:47:55 +0100 Subject: [PATCH 24/26] dev: chg: fix linter --- metrics/metrics.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/metrics/metrics.go b/metrics/metrics.go index 55edfafd96..e54bb3e0d2 100644 --- a/metrics/metrics.go +++ b/metrics/metrics.go @@ -12,8 +12,9 @@ import ( "strings" "time" - "github.com/BurntSushi/toml" "github.com/ethereum/go-ethereum/common" + + "github.com/BurntSushi/toml" ) // Enabled is checked by the constructor functions for all of the From 860f74db67c2da94f2d12faca2115bcb1642e3fa Mon Sep 17 00:00:00 2001 
From: marcello33 Date: Fri, 2 Dec 2022 12:57:39 +0100 Subject: [PATCH 25/26] dev: add: use common VerifyCrasher function to avoid duplications / replace deprecated ioutils.ReadFile --- common/path.go | 17 +++++++++++++++++ tests/fuzzers/difficulty/debug/main.go | 11 ++--------- tests/fuzzers/les/debug/main.go | 11 ++--------- tests/fuzzers/rangeproof/debug/main.go | 11 ++--------- tests/fuzzers/snap/debug/main.go | 11 ++--------- tests/fuzzers/stacktrie/debug/main.go | 11 ++--------- tests/fuzzers/vflux/debug/main.go | 11 ++--------- 7 files changed, 29 insertions(+), 54 deletions(-) diff --git a/common/path.go b/common/path.go index a56b01361a..e7cc9a8a10 100644 --- a/common/path.go +++ b/common/path.go @@ -59,3 +59,20 @@ func VerifyPath(path string) (string, error) { return r, nil } } + +// VerifyCrasher sanitizes the path to avoid Path Traversal vulnerability and read the file from that path, returning its content +func VerifyCrasher(crasher string) []byte { + canonicalPath, err := VerifyPath(crasher) + if err != nil { + fmt.Println("path not verified: " + err.Error()) + return nil + } + + data, err := os.ReadFile(canonicalPath) + if err != nil { + fmt.Fprintf(os.Stderr, "error loading crasher %v: %v", canonicalPath, err) + os.Exit(1) + } + + return data +} diff --git a/tests/fuzzers/difficulty/debug/main.go b/tests/fuzzers/difficulty/debug/main.go index 594c87fb79..0bd4478949 100644 --- a/tests/fuzzers/difficulty/debug/main.go +++ b/tests/fuzzers/difficulty/debug/main.go @@ -2,7 +2,6 @@ package main import ( "fmt" - "io/ioutil" "os" "github.com/ethereum/go-ethereum/common" 
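Review bot: VerifyCrasher in the common/path.go hunk moves fmt printing and os.Exit(1) into package common, which every binary in the repository imports; a library helper that terminates the process on a read error, prints the other failure to stdout and signals it with a nil return gives callers two incompatible failure paths (the debug mains in this patch exit 0 for a bad path and 1 for an unreadable one). Returning ([]byte, error) keeps that decision in the callers, as sketched below; each debug main then becomes `data, err := common.VerifyCrasher(crasher)` followed by its own error report and exit status. The doc comment also repeats VerifyPath's claim of preventing path traversal, which Clean plus EvalSymlinks does not do on its own. The hunk does not show path.go's import block; os must already be in scope there for this to build.
```go
// VerifyCrasher resolves crasher through VerifyPath and returns the file's
// contents. It never exits the process; callers report the error and choose
// the exit status.
func VerifyCrasher(crasher string) ([]byte, error) {
	canonicalPath, err := VerifyPath(crasher)
	if err != nil {
		return nil, err
	}
	data, err := os.ReadFile(canonicalPath)
	if err != nil {
		return nil, fmt.Errorf("loading crasher %q: %w", canonicalPath, err)
	}
	return data, nil
}
```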
@@ -16,16 +15,10 @@ func main() { } crasher := os.Args[1] - canonicalPath, err := common.VerifyPath(crasher) - if err != nil { - fmt.Println("path not verified: " + err.Error()) + data := common.VerifyCrasher(crasher) + if data == nil { return } - data, err := ioutil.ReadFile(canonicalPath) - if err != nil { - fmt.Fprintf(os.Stderr, "error loading crasher %v: %v", canonicalPath, err) - os.Exit(1) - } difficulty.Fuzz(data) } diff --git a/tests/fuzzers/les/debug/main.go b/tests/fuzzers/les/debug/main.go index 9f0f8c3fc2..c4b8803954 100644 --- a/tests/fuzzers/les/debug/main.go +++ b/tests/fuzzers/les/debug/main.go @@ -18,7 +18,6 @@ package main import ( "fmt" - "io/ioutil" "os" "github.com/ethereum/go-ethereum/common" @@ -34,16 +33,10 @@ func main() { } crasher := os.Args[1] - canonicalPath, err := common.VerifyPath(crasher) - if err != nil { - fmt.Println("path not verified: " + err.Error()) + data := common.VerifyCrasher(crasher) + if data == nil { return } - data, err := ioutil.ReadFile(canonicalPath) - if err != nil { - fmt.Fprintf(os.Stderr, "error loading crasher %v: %v", canonicalPath, err) - os.Exit(1) - } les.Fuzz(data) } diff --git a/tests/fuzzers/rangeproof/debug/main.go b/tests/fuzzers/rangeproof/debug/main.go index 92c843e75f..9e782c6dda 100644 --- a/tests/fuzzers/rangeproof/debug/main.go +++ b/tests/fuzzers/rangeproof/debug/main.go @@ -18,7 +18,6 @@ package main import ( "fmt" - "io/ioutil" "os" "github.com/ethereum/go-ethereum/common" @@ -34,16 +33,10 @@ func main() { } crasher := os.Args[1] - canonicalPath, err := common.VerifyPath(crasher) - if err != nil { - fmt.Println("path not verified: " + err.Error()) + data := common.VerifyCrasher(crasher) + if data == nil { return } - data, err := ioutil.ReadFile(canonicalPath) - if err != nil { - fmt.Fprintf(os.Stderr, "error loading crasher %v: %v", canonicalPath, err) - os.Exit(1) - } rangeproof.Fuzz(data) } 
diff --git a/tests/fuzzers/snap/debug/main.go b/tests/fuzzers/snap/debug/main.go index 77fadec9ee..d7f8a4a9f2 100644 --- a/tests/fuzzers/snap/debug/main.go +++ b/tests/fuzzers/snap/debug/main.go @@ -18,7 +18,6 @@ package main import ( "fmt" - "io/ioutil" "os" "github.com/ethereum/go-ethereum/common" @@ -32,16 +31,10 @@ func main() { } crasher := os.Args[1] - canonicalPath, err := common.VerifyPath(crasher) - if err != nil { - fmt.Println("path not verified: " + err.Error()) + data := common.VerifyCrasher(crasher) + if data == nil { return } - data, err := ioutil.ReadFile(canonicalPath) - if err != nil { - fmt.Fprintf(os.Stderr, "error loading crasher %v: %v", canonicalPath, err) - os.Exit(1) - } snap.FuzzTrieNodes(data) } diff --git a/tests/fuzzers/stacktrie/debug/main.go b/tests/fuzzers/stacktrie/debug/main.go index b666d1be2a..b7dbafbcc5 100644 --- a/tests/fuzzers/stacktrie/debug/main.go +++ b/tests/fuzzers/stacktrie/debug/main.go @@ -2,7 +2,6 @@ package main import ( "fmt" - "io/ioutil" "os" "github.com/ethereum/go-ethereum/common" @@ -16,16 +15,10 @@ func main() { } crasher := os.Args[1] - canonicalPath, err := common.VerifyPath(crasher) - if err != nil { - fmt.Println("path not verified: " + err.Error()) + data := common.VerifyCrasher(crasher) + if data == nil { return } - data, err := ioutil.ReadFile(canonicalPath) - if err != nil { - fmt.Fprintf(os.Stderr, "error loading crasher %v: %v", canonicalPath, err) - os.Exit(1) - } stacktrie.Debug(data) } diff --git a/tests/fuzzers/vflux/debug/main.go b/tests/fuzzers/vflux/debug/main.go index 6df0bf25c6..ed992752a3 100644 --- a/tests/fuzzers/vflux/debug/main.go +++ b/tests/fuzzers/vflux/debug/main.go @@ -18,7 +18,6 @@ package main import ( "fmt" - "io/ioutil" "os" "github.com/ethereum/go-ethereum/common" 
@@ -37,16 +36,10 @@ func main() { } crasher := os.Args[1] - canonicalPath, err := common.VerifyPath(crasher) - if err != nil { - fmt.Println("path not verified: " + err.Error()) + data := common.VerifyCrasher(crasher) + if data == nil { return } - data, err := ioutil.ReadFile(canonicalPath) - if err != nil { - fmt.Fprintf(os.Stderr, "error loading crasher %v: %v", canonicalPath, err) - os.Exit(1) - } vflux.FuzzClientPool(data) } From a8ce426e3c3d93034422f6a5f2550831378b6c32 Mon Sep 17 00:00:00 2001 From: marcello33 Date: Fri, 2 Dec 2022 12:59:14 +0100 Subject: [PATCH 26/26] dev: fix: typo --- common/path.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/path.go b/common/path.go index e7cc9a8a10..46239d17f7 100644 --- a/common/path.go +++ b/common/path.go @@ -60,7 +60,7 @@ func VerifyPath(path string) (string, error) { } } -// VerifyCrasher sanitizes the path to avoid Path Traversal vulnerability and read the file from that path, returning its content +// VerifyCrasher sanitizes the path to avoid Path Traversal vulnerability and reads the file from that path, returning its content func VerifyCrasher(crasher string) []byte { canonicalPath, err := VerifyPath(crasher) if err != nil {