Merge remote-tracking branch 'origin/main' into mangoiv/hsec-cabal

haskell · Mar 17, 2024 · 0289b64 · 0289b64
2 parents 2de40ce + 5543e3b
commit 0289b64
Show file tree

Hide file tree

Showing 17 changed files with 281 additions and 74 deletions.
diff --git a/.github/workflows/call-check-advisories.yml b/.github/workflows/call-check-advisories.yml
@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-20.04
     needs: populate_cache
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           path: source
           # We need to retrieve full history to determine the correct

diff --git a/.github/workflows/call-nix.yml b/.github/workflows/call-nix.yml
@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: git checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Install Nix
         uses: DeterminateSystems/nix-installer-action@main
         with:
@@ -29,12 +29,12 @@ jobs:
           code_hash=$(git rev-parse HEAD:code)
           echo "code-hash=$code_hash" >> "$GITHUB_OUTPUT"
       - uses: actions/cache/save@v3
-        if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
         with:
           key: hsec-tools-${{ steps.code-hash.outputs.code-hash}}
           path: ~/.local/dockerImages
       - name: upload executable
         uses: actions/upload-artifact@v3
+        if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
         with:
           name: hsec-tools-${{ github.sha }}
           path: ~/.local/dockerImages
diff --git a/.github/workflows/check-advisories.yml b/.github/workflows/check-advisories.yml
@@ -9,7 +9,7 @@ jobs:
       should_skip: ${{ steps.skip_check.outputs.should_skip }}
     steps:
       - id: skip_check
-        uses: fkirc/skip-duplicate-actions@v5.3.0
+        uses: fkirc/skip-duplicate-actions@v5.3.1
         with:
           concurrent_skipping: "never"
           skip_after_successful_duplicate: "true"
@@ -23,7 +23,7 @@ jobs:
       changed_files: ${{ steps.process-changed-files.outputs.out }}
     steps:
       - id: skip_check
-        uses: fkirc/skip-duplicate-actions@v5.3.0
+        uses: fkirc/skip-duplicate-actions@v5.3.1
         with:
           concurrent_skipping: "never"
           skip_after_successful_duplicate: "true"
@@ -45,7 +45,7 @@ jobs:
       code_hash: ${{ steps.code-hash.outputs.code-hash }}
     steps:
       - name: git checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - id: code-hash
         run: |
           code_hash=$(git rev-parse HEAD:code)

diff --git a/.github/workflows/haskell-ci.yml b/.github/workflows/haskell-ci.yml
@@ -24,7 +24,7 @@ jobs:
       should_skip: ${{ steps.skip_check.outputs.should_skip }}
     steps:
       - id: skip_check
-        uses: fkirc/skip-duplicate-actions@v5.3.0
+        uses: fkirc/skip-duplicate-actions@v5.3.1
         with:
           concurrent_skipping: "never"
           skip_after_successful_duplicate: "true"
@@ -175,7 +175,7 @@ jobs:
           key: ${{ runner.os }}-${{ matrix.compiler }}-tools-d8b62173
           path: ~/.haskell-ci-tools
       - name: checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: source
       - name: initial cabal.project for sdist

diff --git a/.github/workflows/nix.yml b/.github/workflows/nix.yml
@@ -10,7 +10,7 @@ jobs:
       should_skip: ${{ steps.skip_check.outputs.should_skip }}
     steps:
       - id: skip_check
-        uses: fkirc/skip-duplicate-actions@v5.3.0
+        uses: fkirc/skip-duplicate-actions@v5.3.1
         with:
           concurrent_skipping: "never"
           skip_after_successful_duplicate: "true"
@@ -56,10 +56,9 @@ jobs:
           cp generatedWebsite/by-dates.html generatedWebsite/index.html
           rm -Rf generatedWebsite/advisories || echo "Markdown links issue has been fixed"
       - name: Deploy
-        uses: s0/git-publish-subdir-action@develop
-        env:
-          REPO: self
-          BRANCH: generated/gh-pages
-          FOLDER: generatedWebsite
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SQUASH_HISTORY: true
+        uses: peaceiris/actions-gh-pages@v3
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_dir: ./generatedWebsite
+          publish_branch: generated/gh-pages
+          force_orphan: true
diff --git a/advisories/hackage/bz2/HSEC-2024-0002.md b/advisories/hackage/bz2/HSEC-2024-0002.md
@@ -0,0 +1 @@
+../bzlib/HSEC-2024-0002.md
diff --git a/advisories/hackage/bzlib-conduit/HSEC-2024-0002.md b/advisories/hackage/bzlib-conduit/HSEC-2024-0002.md
@@ -0,0 +1 @@
+../bzlib/HSEC-2024-0002.md
diff --git a/advisories/hackage/bzlib/HSEC-2024-0002.md b/advisories/hackage/bzlib/HSEC-2024-0002.md
@@ -0,0 +1,61 @@
+```toml
+[advisory]
+id = "HSEC-2024-0002"
+cwe = [787]
+keywords = ["corruption", "vendored-code", "language-c"]
+aliases = ["CVE-2019-12900"]
+
+[[references]]
+type = "DISCUSSION"
+url = "https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/"
+
+[[references]]
+type = "DISCUSSION"
+url = "http://scary.beasts.org/security/CESA-2008-005.html"
+
+[[references]]
+type = "ADVISORY"
+url = "https://access.redhat.com/security/cve/cve-2019-12900"
+
+[[references]]
+type = "FIX"
+url = "https://sourceware.org/git/?p=bzip2.git;a=commit;h=7ed62bfb46e87a9e878712603469440e6882b184"
+
+[[affected]]
+package = "bzlib"
+cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+
+[[affected.versions]]
+introduced = "0.4"
+fixed = "0.5.2.0"
+
+[[affected]]
+package = "bz2"
+cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+
+[[affected.versions]]
+introduced = "0.1.0.0"
+fixed = "1.0.1.1"
+
+[[affected]]
+package = "bzlib-conduit"
+cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+
+[[affected.versions]]
+introduced = "0.1.0.0"
+fixed = "0.3.0.3"
+```
+
+# out-of-bounds write when there are many bzip2 selectors
+
+A malicious bzip2 payload may produce a memory corruption
+resulting in a denial of service and/or remote code execution.
+Network services or command line utilities decompressing
+untrusted bzip2 payloads are affected.
+
+Note that the exploitation of this bug relies on an undefined
+behavior that appears to be handled safely by current compilers.
+
+The Haskell libraires are vulnerable when they are built using
+the bundled C library source code, which is the default
+in most cases.
diff --git a/advisories/hackage/keter/HSEC-2024-0001.md b/advisories/hackage/keter/HSEC-2024-0001.md
@@ -0,0 +1,30 @@
+```toml
+[advisory]
+id = "HSEC-2024-0001"
+cwe = [79]
+keywords = ["http", "xss", "rxss", "historic"]
+
+[[references]]
+type = "FIX"
+url = "https://github.com/snoyberg/keter/pull/246"
+
+[[affected]]
+package = "keter"
+cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
+declarations."Keter.Proxy.toResponse" = ">= 0.3.4 && < 1.0.1"
+declarations."Keter.Proxy.unknownHostResponse" = ">= 1.0.1 && < 1.8.4"
+
+[[affected.versions]]
+introduced = "0.3.4"
+fixed = "1.8.4"
+```
+
+# Reflected XSS vulnerability in keter
+
+Keter is an app-server/reverse-proxy often used with webapps build on Yesod web-framework.
+
+In the logic handling VHost dispatch, Keter was echoing back `Host` header value, unescaped,
+as part of an HTML error page. This constitutes a reflected-XSS vulnerability. Although
+not readily exploitable directly from a browser (where `Host` header can't generally assume
+arbitrary values), it may become such in presence of further weaknesses in components
+upstream of Keter in the http proxying chain. Therefore, AC:High in CVSS evaluation.
diff --git a/code/cvss/test/Spec.hs b/code/cvss/test/Spec.hs
@@ -27,6 +27,7 @@ examples =
     , ("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 6.1, CVSS.Medium)
     , ("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", 6.4, CVSS.Medium)
     , ("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", 3.1, CVSS.Low)
+    , ("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", 4.0, CVSS.Medium)
     , ("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", 9.9, CVSS.Critical)
     , ("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", 4.2, CVSS.Medium)
     , ("CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C", 7.8, CVSS.High)

diff --git a/code/hsec-tools/hsec-tools.cabal b/code/hsec-tools/hsec-tools.cabal
@@ -51,6 +51,7 @@ library
     , extra                 ^>=1.7.5
     , filepath              >=1.4      && <1.5
     , hsec-core
+    , feed                  ==1.3.*
     , lucid                 >=2.9.0
     , mtl                   >=2.2      && <2.4
     , osv
@@ -61,7 +62,7 @@ library
     , safe                  >=0.3
     , text                  >=1.2      && <3
     , time                  >=1.9      && <1.14
-    , toml-parser           ^>=1.3.0.0
+    , toml-parser           ^>=2.0.0.0
     , validation-selective  >=0.1      && <1
 
   hs-source-dirs:   src

diff --git a/code/hsec-tools/src/Security/Advisories/Generate/HTML.hs b/code/hsec-tools/src/Security/Advisories/Generate/HTML.hs
@@ -11,21 +11,24 @@ import Control.Monad (forM_)
 import Data.List (sortOn)
 import Data.List.Extra (groupSort)
 import qualified Data.Map.Strict as Map
+import Data.Maybe (listToMaybe)
 import Data.Ord (Down (..))
 import Data.Text (Text)
 import qualified Data.Text as T
 import qualified Data.Text.IO as T
-import System.Exit (exitFailure)
-import System.IO (stderr, hPrint)
-
+import qualified Data.Text.Lazy as TL
+import Data.Time (ZonedTime, zonedTimeToUTC)
 import Distribution.Pretty (prettyShow)
 import Lucid
-import Validation (Validation(..))
-
 import qualified Security.Advisories as Advisories
+import Security.Advisories.Filesystem (listAdvisories)
 import System.Directory (createDirectoryIfMissing)
+import System.Exit (exitFailure)
 import System.FilePath ((</>))
-import Security.Advisories.Filesystem (listAdvisories)
+import System.IO (hPrint, stderr)
+import qualified Text.Atom.Feed as Feed
+import qualified Text.Atom.Feed.Export as FeedExport
+import Validation (Validation (..))
 
 -- * Actions
 
@@ -41,33 +44,35 @@ renderAdvisoriesIndex src dst = do
       Success advisories ->
         return advisories
 
-  let renderToFile' path content = do
+  let renderHTMLToFile path content = do
         putStrLn $ "Rendering " <> path
         renderToFile path content
 
   createDirectoryIfMissing False dst
   let indexAdvisories = map toAdvisoryR advisories
-  renderToFile' (dst </> "by-dates.html") $ listByDates indexAdvisories
-  renderToFile' (dst </> "by-packages.html") $ listByPackages indexAdvisories
+  renderHTMLToFile (dst </> "by-dates.html") $ listByDates indexAdvisories
+  renderHTMLToFile (dst </> "by-packages.html") $ listByPackages indexAdvisories
 
   let advisoriesDir = dst </> "advisory"
   createDirectoryIfMissing False advisoriesDir
   forM_ advisories $ \advisory ->
-    renderToFile' (advisoriesDir </> advisoryHtmlFilename (Advisories.advisoryId advisory)) $
+    renderHTMLToFile (advisoriesDir </> advisoryHtmlFilename (Advisories.advisoryId advisory)) $
       inPage PageAdvisory $
         div_ [class_ "pure-u-1"] $
           toHtmlRaw (Advisories.advisoryHtml advisory)
 
-  writeFile (dst </> ".nojekyll") ""
+  putStrLn $ "Rendering " <> (dst </> "atom.xml")
+  writeFile (dst </> "atom.xml") $ T.unpack $ renderFeed indexAdvisories
 
 -- * Rendering types
 
 data AdvisoryR = AdvisoryR
   { advisoryId :: Advisories.HsecId,
     advisorySummary :: Text,
-    advisoryAffected :: [AffectedPackageR]
+    advisoryAffected :: [AffectedPackageR],
+    advisoryModified :: ZonedTime
   }
-  deriving stock (Eq, Show)
+  deriving stock (Show)
 
 data AffectedPackageR = AffectedPackageR
   { packageName :: Text,
@@ -158,6 +163,7 @@ inPage page content =
       head_ $ do
         meta_ [charset_ "UTF-8"]
         base_ [href_ $ baseUrlForPage page]
+        link_ [rel_ "alternate", type_ "application/atom+xml", href_ atomFeedUrl]
         link_ [rel_ "stylesheet", href_ "https://cdn.jsdelivr.net/npm/purecss@3.0.0/build/pure-min.css", integrity_ "sha384-X38yfunGUhNzHpBaEBsWLO+A0HDYOQi8ufWDkZ0k9e0eXz/tH3II7uKZ9msv++Ls", crossorigin_ "anonymous"]
         meta_ [name_ "viewport", content_ "width=device-width, initial-scale=1"]
         title_ "Haskell Security.Advisories.Core"
@@ -204,7 +210,8 @@ toAdvisoryR x =
   AdvisoryR
     { advisoryId = Advisories.advisoryId x,
       advisorySummary = Advisories.advisorySummary x,
-      advisoryAffected = concatMap toAffectedPackageR $ Advisories.advisoryAffected x
+      advisoryAffected = concatMap toAffectedPackageR $ Advisories.advisoryAffected x,
+      advisoryModified = Advisories.advisoryModified x
     }
   where
     toAffectedPackageR :: Advisories.Affected -> [AffectedPackageR]
@@ -215,3 +222,34 @@ toAdvisoryR x =
             introduced = T.pack $ prettyShow $ Advisories.affectedVersionRangeIntroduced versionRange,
             fixed = T.pack . prettyShow <$> Advisories.affectedVersionRangeFixed versionRange
           }
+
+-- * Atom/RSS feed
+
+feed :: [AdvisoryR] -> Feed.Feed
+feed advisories =
+  ( Feed.nullFeed
+      atomFeedUrl
+      (Feed.TextString "Haskell Security Advisory DB") -- Title
+      (maybe "" (T.pack . show) $ listToMaybe $ sortOn (Down . zonedTimeToUTC . advisoryModified) advisories)
+  )
+    { Feed.feedEntries = fmap toEntry advisories,
+      Feed.feedLinks = [Feed.nullLink advisoriesRootUrl]
+    }
+  where
+    toEntry advisory =
+      Feed.nullEntry
+        (advisoriesRootUrl <> "/" <> advisoryLink (advisoryId advisory))
+        (Feed.TextString $ advisorySummary advisory)
+        (T.pack $ show $ advisoryModified advisory)
+
+renderFeed :: [AdvisoryR] -> Text
+renderFeed =
+  maybe (error "Cannot render atom feed") TL.toStrict
+    . FeedExport.textFeed
+    . feed
+
+advisoriesRootUrl :: T.Text
+advisoriesRootUrl = "https://haskell.github.io/security-advisories"
+
+atomFeedUrl :: T.Text
+atomFeedUrl = advisoriesRootUrl <> "/atom.xml"