Fix CSV injection vulnerability (#355)

See GHSA-fqh6-v4qp-65fv, thanks to @iodn for reporting. (Also fixes broken build scripts for development, and the test pipeline. K8s changed repo details :/)
thinkst · Mar 6, 2024 · c595a1f · c595a1f
1 parent ffa180a
commit c595a1f
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 20 deletions.
diff --git a/.devcontainer/library-scripts/custom-installs.sh b/.devcontainer/library-scripts/custom-installs.sh
@@ -16,22 +16,17 @@ chmod +x terraform-docs
 mv terraform-docs /usr/local/terraform-docs
 
 # Install mysql (default repos are broken for buster)
+apt-key adv --keyserver keyserver.ubuntu.com --recv-keys B7B3B788A8D3785C
 wget https://dev.mysql.com/get/mysql-apt-config_0.8.22-1_all.deb
 DEBIAN_FRONTEND=noninteractive dpkg -i mysql-apt-config_0.8.22-1_all.deb
 apt update
 DEBIAN_FRONTEND=noninteractive apt-get install -y mysql-client
 
 apt install -y wireguard-tools
 
-# curl -sSL https://install.python-poetry.org | POETRY_HOME=/home/vscode/.local python -
-# /home/vscode/.local/bin/poetry config virtualenvs.in-project true
-
-# wget https://golang.org/dl/go1.18.2.linux-amd64.tar.gz
-# tar -C /usr/local -xzf go1.18.2.linux-amd64.tar.gz
-# /usr/local/go/bin/go install github.com/aquasecurity/tfsec/cmd/tfsec@latest
-
-sudo curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg  https://dl.k8s.io/apt/doc/apt-key.gpg
-sudo install -o root -g root -m 644 /usr/share/keyrings/kubernetes-archive-keyring.gpg /etc/apt/trusted.gpg.d/
-sudo echo "deb [signed-by=/etc/apt/trusted.gpg.d/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
-sudo apt-get update -y
-sudo apt-get install -y kubectl
+mkdir -p /etc/apt/keyrings
+apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 234654DA9A296436
+curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
+echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.28/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list
+apt-get update -y
+apt-get install -y kubectl=1.28.1-1.1
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -79,10 +79,7 @@ jobs:
           poetry config virtualenvs.in-project true
           sudo apt-get update -y
           sudo apt-get install -y apt-transport-https ca-certificates curl
-          sudo curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://dl.k8s.io/apt/doc/apt-key.gpg
-          echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
           sudo apt-get update -y
-          sudo apt-get install -y kubectl
           sudo apt-get install -y osslsigncode
           sudo apt install redis-tools
       - name: Set up cache

diff --git a/aws-css-token-infra/CSSClonedSiteCFFunc/index.js b/aws-css-token-infra/CSSClonedSiteCFFunc/index.js
@@ -50,8 +50,8 @@ function handler(event) {
     if (referer == '')
         console.log("Empty/missing Referer header for: " + expected_referrer);
 
-    if (expected_referrer == '' || referer == '' || referer_origin.endsWith(expected_referrer) || referer_origin.endsWith(event.context.distributionDomainName)) { 
-        // Happy case where the referer matches   
+    if (expected_referrer == '' || referer == '' || referer_origin.endsWith(expected_referrer) || referer_origin.endsWith(event.context.distributionDomainName)) {
+        // Happy case where the referer matches
         return matching_ref_response;
     }
     if (expected_referrer.endsWith('microsoftonline.com') && referer_origin.endsWith('login.microsoft.com')) {

diff --git a/canarytokens/canarydrop.py b/canarytokens/canarydrop.py
@@ -457,8 +457,12 @@ def alerting(self) -> None:
         self.user.do_accounting(canarydrop=self)
 
     def get_csv_incident_list(self) -> str:
+        def escape_csv_field(data) -> str:
+            data = f"'{data}"
+            return data
+
         csvOutput = io.StringIO()
-        writer = csv.writer(csvOutput)
+        writer = csv.writer(csvOutput, quoting=csv.QUOTE_ALL)
 
         if len(self.triggered_details.hits) > 0:  # pragma: no cover
             hit_class_dict = dict(self.triggered_details.hits[0])
@@ -476,7 +480,12 @@ def get_csv_incident_list(self) -> str:
                 hit_dict = dict(hit)
                 data = [hit_id]
                 for key in headers:
-                    data.append(hit_dict.get(key, "N/A"))
+                    csv_field = hit_dict.get(key, "N/A")
+
+                    # The row includeds non-str objects, but they are all passed through __str__() by CSV writer,
+                    # so we sanitise those and add strings only to the row.
+                    csv_field = escape_csv_field(csv_field.__str__())
+                    data.append(csv_field)
                 writer.writerow(data)
         else:
             writer.writerow("the token has not been triggered")

diff --git a/canarytokens/channel_dns.py b/canarytokens/channel_dns.py
@@ -112,7 +112,7 @@ def _do_ns_response(self, name=None):
             ),
             type=dns.NS,
             auth=True,
-            ttl=300
+            ttl=300,
         )
         additional = dns.RRHeader(
             name=".".join(["ns1", name.decode()]),