
[Security] Fix graphql server path injection #4809

Open. Wants to merge 4 commits into base: master
Conversation

@moggaa moggaa (Contributor) commented Aug 4, 2024

Proposed changes

  • The current handler code is vulnerable to path injection, allowing unauthorized file access. (ref)
  • Used the sanitize.PathName function to ensure a formatted, compliant path name, addressing the vulnerability.

Types of changes

What types of changes does your code introduce to Litmus? Put an x in the boxes that apply

  • New feature (non-breaking change which adds functionality)
  • Bugfix (non-breaking change which fixes an issue)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation Update (if none of the other choices applies)

Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.

  • I have read the CONTRIBUTING doc
  • I have signed the commit for DCO to be passed.
  • Lint and unit tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works (if appropriate)
  • I have added necessary documentation (if appropriate)

Dependency

  • Please add links to any dependent PRs that need to be merged before this one (if any).

Special notes for your reviewer:
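The fix described in this PR (refuse a path parameter unless it is identical to its sanitized form, and only then build the file path) as an added Go example. This is not Litmus code: `cleanPathName`, `safeParam`, `resolveUnder`, `iconPath` and the `net/http` handler are my own stand-ins for the project's `sanitize.PathName` and gin handler, and `/hubs` is a constructed base directory.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"path/filepath"
	"strings"
)

// cleanPathName is an assumed stand-in for the PR's sanitize.PathName: it keeps
// only characters that are safe inside a single path segment and drops the
// rest (slashes, backslashes, NUL, whitespace, everything non-ASCII).
func cleanPathName(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9',
			r == '-', r == '_', r == '.':
			b.WriteRune(r)
		}
	}
	return b.String()
}

// safeParam mirrors the check in the hunk: a parameter is accepted only when it
// equals its sanitized form. Anything the sanitizer would have changed is
// rejected outright rather than repaired, so the caller fails closed.
// "." and ".." survive the character filter, so they are refused explicitly.
func safeParam(raw string) (string, bool) {
	if raw == "" || raw == "." || raw == ".." {
		return "", false
	}
	if raw != cleanPathName(raw) {
		return "", false
	}
	return raw, true
}

// resolveUnder is a second, independent layer: it joins the segments beneath
// baseDir and refuses any result that no longer lies inside baseDir after
// lexical cleaning, so a traversal that slipped past the first check still fails.
func resolveUnder(baseDir string, parts ...string) (string, error) {
	base := filepath.Clean(baseDir)
	full := filepath.Join(append([]string{base}, parts...)...)
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("path escapes base directory")
	}
	return full, nil
}

// iconPath validates every user-controlled segment before anything touches the
// filesystem; the segment order is an assumption for this example.
func iconPath(baseDir, projectID, hubName, iconName string) (string, error) {
	segs := []string{projectID, hubName, iconName}
	for i, s := range segs {
		if _, ok := safeParam(s); !ok {
			return "", fmt.Errorf("invalid path parameter at position %d", i)
		}
	}
	return resolveUnder(baseDir, segs...)
}

// chaosHubIconHandler is a net/http sketch of the gin handler: a rejected
// parameter yields 400 and returns before any path is built or served.
func chaosHubIconHandler(baseDir string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		p, err := iconPath(baseDir, q.Get("projectId"), q.Get("hubName"), q.Get("iconName"))
		if err != nil {
			http.Error(w, "invalid path parameter", http.StatusBadRequest)
			return
		}
		http.ServeFile(w, r, p)
	}
}

func main() {
	// Constructed inputs: one benign, two traversal attempts.
	for _, in := range []string{"my-hub_1.png", "../etc", ".."} {
		_, ok := safeParam(in)
		fmt.Printf("%-14q accepted=%v\n", in, ok)
	}
	if p, err := iconPath("/hubs", "p1", "hub", "icon.png"); err == nil {
		fmt.Println("resolved:", p)
	}
}
```

The two layers are deliberate: the equality check rejects anything a sanitizer would have altered (URL-decoded `%2e%2e%2f` arrives as `../` and fails it), while `resolveUnder` independently guarantees the final path stays under the base directory even if a future sanitizer change lets a dot-only segment through.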

@moggaa moggaa force-pushed the fix/handler-path-injection branch 2 times, most recently from 61b02d3 to 67fadc1 Compare August 4, 2024 06:53
@namkyu1999 namkyu1999 marked this pull request as ready for review August 4, 2024 07:06
@namkyu1999 namkyu1999 changed the title fix: chaoshub handler path injection [Security] Fix chaoshub handler path injection Aug 4, 2024
@moggaa moggaa marked this pull request as draft August 4, 2024 11:12
@moggaa moggaa changed the title [Security] Fix chaoshub handler path injection [Security] Fix graphql server path injection Oct 5, 2024
@moggaa moggaa marked this pull request as ready for review October 5, 2024 08:33
@namkyu1999 namkyu1999 (Member) left a comment

LGTM

@namkyu1999 namkyu1999 added the need-approvers-review label (Reminder label to the codeowners/maintainers for stale PRs that are more than 2 weeks old) Nov 15, 2024
@@ -320,6 +337,34 @@ func ChaosHubIconHandler() gin.HandlerFunc {
responseStatusCode int
)

if c.Param("projectId") != sanitize.PathName(c.Param("projectId")) {
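Review bot: the mismatch check `if c.Param("projectId") != sanitize.PathName(c.Param("projectId"))` is the right fail-closed shape, since the raw value is refused rather than silently rewritten, but the hunk adds 34 lines and the inline review asks about the other params, so the parameter names belong in constants and the comparison in one helper (for instance `func safePathParam(c *gin.Context, name string) (string, bool)`) instead of being repeated per handler, where one copy is easy to get wrong. Also make sure the branch taken on mismatch assigns a 4xx value to the `responseStatusCode` declared just above and returns before any path is joined, so a rejected parameter can never reach the filesystem.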
@Saranya-jena Saranya-jena (Contributor) commented Nov 22, 2024

Can we add constants for the different params? @moggaa

@amityt amityt (Contributor) left a comment

LGTM!

Labels: mentorship-kr, need-approvers-review (Reminder label to the codeowners/maintainers for stale PRs that are more than 2 weeks old)