Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HPCC-32999 Prevent command injection with zip password when requesting ZAP file #19352

Merged
merged 1 commit into from
Dec 16, 2024
Merged

HPCC-32999 Prevent command injection with zip password when requesting ZAP file #19352

merged 1 commit into from
Dec 16, 2024
+37 −1

Conversation

asselitx
Copy link
Contributor

@asselitx asselitx commented Dec 11, 2024
edited
Loading

Type of change:

  • This change is a bug fix (non-breaking change which fixes an issue).
  • This change is a new feature (non-breaking change which adds functionality).
  • This change improves the code (refactor or other change that does not change the functionality)
  • This change fixes warnings (the fix does not alter the functionality or the generated code)
  • This change is a breaking change (fix or feature that will cause existing behavior to change).
  • This change alters the query API (existing queries will have to be recompiled)

Checklist:

  • My code follows the code style of this project.
    • My code does not create any new warnings from compiler, build system, or lint.
  • The commit message is properly formatted and free of typos.
    • The commit message title makes sense in a changelog, by itself.
    • The commit is signed.
  • My change requires a change to the documentation.
    • I have updated the documentation accordingly, or...
    • I have created a JIRA ticket to update the documentation.
    • Any new interfaces or exported functions are appropriately commented.
  • I have read the CONTRIBUTORS document.
  • The change has been fully tested:
    • I have added tests to cover my changes.
    • All new and existing tests passed.
    • I have checked that this change does not introduce memory leaks.
    • I have used Valgrind or similar tools to check for potential issues.
  • I have given due consideration to all of the following potential concerns:
    • Scalability
    • Performance
    • Security
    • Thread-safety
    • Cloud-compatibility
    • Premature optimization
    • Existing deployed queries will not be broken
    • This change fixes the problem, not just the symptom
    • The target branch of this pull request is appropriate for such a change.
  • There are no similar instances of the same problem that should be addressed
    • I have addressed them here
    • I have raised JIRA issues to address them separately
  • This is a user interface / front-end modification
    • I have tested my changes in multiple modern browsers
    • The component(s) render as expected

Smoketest:

  • Send notifications about my Pull Request position in Smoketest queue.
  • Test my draft Pull Request.

Testing:

Manual testing performed locally.

@github-actions GitHub Actions
Copy link

Jira Issue: https://hpccsystems.atlassian.net//browse/HPCC-32999

Jirabot Action Result:
Workflow Transition To: Merge Pending
Updated PR

dcamper
dcamper approved these changes Dec 11, 2024
View reviewed changes
Copy link
Contributor

@dcamper dcamper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

ghalliday
ghalliday approved these changes Dec 11, 2024
View reviewed changes
Copy link
Member

@ghalliday ghalliday left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, please squash.

@ghalliday
Copy link
Member

Also, which version should this target? I think probably 9.2.x since it is a security fix.

@asselitx
HPCC-32999 Sanitize user provided password to ZAP file
1c60d2e 
- Single-quote the entire password to preserve all characters but prevent
  interpretation as metacharacters.
- Replace any single quote in the original string with a sequence of characters
  that breaks the single-quoted password into three parts
    (1) a single-quoted prefix
    (2) a double-quoted single quote and
    (3) a single-quoted suffix
- The shell quote-removal deletes double-quotes around any single quote at the
  same time that it de-quotes the single-quoted prefix and suffix, leaving any
  single quote inside the password string that is tokenized as a single
  argument.

This will require a different approach for Windows targets as a future task.

Signed-off-by: Terrence Asselin <[email protected]>
@asselitx asselitx force-pushed the zap-zip-rce-hpcc-32999 branch from 580bfae to 1c60d2e Compare December 12, 2024 19:17
@asselitx asselitx changed the base branch from candidate-9.8.x to candidate-9.2.x December 12, 2024 19:18
@asselitx
Copy link
Contributor Author

asselitx commented Dec 12, 2024
edited
Loading

@ghalliday squashed, rebased and ready for merge once checks complete. Looks like this "macos-14" failure is common to many PRs currently.

@ghalliday ghalliday merged commit 4ec268d into hpcc-systems:candidate-9.2.x Dec 16, 2024
50 of 51 checks passed
@github-actions GitHub Actions
Copy link

Jirabot Action Result:
Added fix version: 9.2.146
Added fix version: 9.4.120
Added fix version: 9.6.72
Added fix version: 9.8.46
Workflow Transition: 'Resolve issue'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dcamper dcamper dcamper approved these changes

@ghalliday ghalliday ghalliday approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@asselitx @ghalliday @dcamper