
Fix CWE-78 #315

Merged
merged 1 commit into from
Jun 21, 2021

Conversation

tdrozdovsky
Contributor

Signed-off-by: Taras Drozdovskyi t.drozdovsky@samsung.com

Description

After analyzing the existing code, it should be noted that sanitization measures have been taken in the edge-orchestration:

  1. analysis for a command injection using an escape sequence
  2. filtering commands that are on the blacklist
  3. only those commands that are previously described in the configuration file (e.g. ls_srv.conf) can be executed.

Strengthening against attacks of this kind can be:

  1. Using the integrity check and digital signature of the configuration file.
  2. Applying Linux Kernel protection modules.

All attempts to eliminate the security alert by changing the source code were unsuccessful.
The elimination requires hard-coding the string literals of the commands to be used, but this greatly limits the flexibility of the edge-orchestration and doesn't add a significant increase in security.

Therefore, I propose to mark this alert as a false positive.

Fixes #298

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

The result can be seen after merging the PR and restarting the LGTM

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

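The three existing measures listed in the description (operator check, filtering, and an allowlist read from a config file such as ls_srv.conf) as an added Go example; this is not the project's code, and the config content and the injectionOperators list here are constructed stand-ins for whatever the real project uses.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed stand-in for an allowlist config such as ls_srv.conf:
// one permitted command word per line, '#' starts a comment.
const sampleConf = "# constructed example\nls\ncat\nuptime\n"

// Hypothetical operator list; the project's real injectionOperators set may differ.
var injectionOperators = []string{";", "|", "&", "`", "$(", "${", ">", "<", "\n", "\r"}

// ParseAllowlist turns the config content into a set of permitted command words.
func ParseAllowlist(conf string) map[string]bool {
	allowed := map[string]bool{}
	for _, line := range strings.Split(conf, "\n") {
		line = strings.TrimSpace(line)
		if line != "" && !strings.HasPrefix(line, "#") {
			allowed[line] = true
		}
	}
	return allowed
}

// ValidateCommand applies the checks in order: reject any shell metacharacter
// from the operator list, then require the first field to be an allowlisted command.
func ValidateCommand(cmdline string, allowed map[string]bool) error {
	for _, op := range injectionOperators {
		if strings.Contains(cmdline, op) {
			return fmt.Errorf("rejected: injection operator %q in %q", op, cmdline)
		}
	}
	fields := strings.Fields(cmdline)
	if len(fields) == 0 {
		return fmt.Errorf("rejected: empty command")
	}
	if !allowed[fields[0]] {
		return fmt.Errorf("rejected: %q is not an allowlisted command", fields[0])
	}
	return nil
}

func main() {
	allowed := ParseAllowlist(sampleConf)
	for _, c := range []string{"ls -l /tmp", "ls -l; echo injected", "reboot"} {
		fmt.Println(c, "->", ValidateCommand(c, allowed))
	}
}
```

The allowlist only constrains the command word, so the integrity of the config file itself (the PR's first hardening suggestion) is what ultimately bounds which binaries can run.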
@tdrozdovsky tdrozdovsky added bug Something isn't working high priority It should be resolved ASAP labels Jun 10, 2021
@tdrozdovsky tdrozdovsky self-assigned this Jun 10, 2021
@tdrozdovsky tdrozdovsky added this to In progress in Refactoring via automation Jun 10, 2021
@sonarcloud

sonarcloud bot commented Jun 10, 2021

Kudos, SonarCloud Quality Gate passed!

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
0.9% 0.9% Duplication

Contributor

@tiokim tiokim left a comment


I agree with your idea.
Is there anything else we should put in the injectionOperators?

Refactoring automation moved this from In progress to Reviewer approved Jun 11, 2021
@tdrozdovsky
Contributor Author

tdrozdovsky commented Jun 11, 2021

I agree with your idea.
Is there anything else we should put in the injectionOperators?

That's enough for the moment! Thank you!

Contributor

@MoonkiHong MoonkiHong left a comment


+1

@MoonkiHong
Contributor

@suresh-lc PTAL. 😄

Contributor

@suresh-lc suresh-lc left a comment


LGTM

@MoonkiHong MoonkiHong merged commit e13d11c into lf-edge:master Jun 21, 2021
Refactoring automation moved this from Reviewer approved to Done Jun 21, 2021
@tdrozdovsky tdrozdovsky deleted the fix-cwe-78 branch July 8, 2021 12:30
Successfully merging this pull request may close these issues.

[Security] CWE-78 Command built from user-controlled sources
4 participants