Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix CVE-2019-15597 - Implement new DF command instead of library function #7362

Merged
merged 1 commit into from
Jul 6, 2023
Merged

Fix CVE-2019-15597 - Implement new DF command instead of library function #7362

merged 1 commit into from
Jul 6, 2023

Conversation

nadavMiz
Copy link
Contributor

@nadavMiz nadavMiz commented Jun 27, 2023
edited

Explain the changes

  1. implemented a local function to replace the unmaintained node-df library. this function is based on the node-df implementation with changes to fit our code better (https://github.com/adriano-di-giovanni/node-df).
  2. add '' before all special characters in the file name so bash will read them as part of the file name itself. this is to prevent the code injection suggested in CVE-2019-15597

Issues: Fixed #xxx / Gap #xxx

  1. https://bugzilla.redhat.com/show_bug.cgi?id=2124534

Testing Instructions:

  1. df is used mainly during node creation, so create a new backing store and validate that it was created successfully
  • Doc added/updated
  • Tests added

@nadavMiz nadavMiz requested review from nimrod-becker, a team and tangledbytes and removed request for a team June 27, 2023 11:02
@nimrod-becker nimrod-becker requested review from guymguym and removed request for nimrod-becker June 27, 2023 11:09
@nimrod-becker
Copy link
Contributor

lets add a unit test

liranmauda
liranmauda requested changes Jun 28, 2023
View reviewed changes
src/util/os_utils.js Outdated Show resolved Hide resolved
src/util/os_utils.js Outdated Show resolved Hide resolved
@pull-request-size pull-request-size bot added size/L and removed size/M labels Jun 28, 2023
@nadavMiz
Copy link
Contributor Author

lets add a unit test

since df checks the available space on the whole file system, which I have no control over, I can't test the validity of the actual values. so instead I just check that the command returns a valid response and that no errors are thrown

liranmauda
liranmauda requested changes Jun 28, 2023
View reviewed changes
src/util/os_utils.js Outdated Show resolved Hide resolved
src/test/unit_tests/test_os_utils.js Outdated Show resolved Hide resolved
tangledbytes
tangledbytes reviewed Jun 28, 2023
View reviewed changes
src/util/os_utils.js Outdated Show resolved Hide resolved
@nadavMiz nadavMiz force-pushed the df-implement branch 3 times, most recently from 6c689bc to 82d40ee Compare June 28, 2023 13:07
@pull-request-size pull-request-size bot added size/M and removed size/L labels Jun 28, 2023
@pull-request-size pull-request-size bot added size/L and removed size/M labels Jun 28, 2023
@nadavMiz nadavMiz requested a review from liranmauda June 29, 2023 08:43
@nadavMiz
Copy link
Contributor Author

nadavMiz commented Jun 29, 2023
edited

I have added try catch to df calls with file name since now the function throws if the file doesn't exist and does not just return a null value

liranmauda
liranmauda reviewed Jul 2, 2023
View reviewed changes
src/util/os_utils.js Outdated Show resolved Hide resolved
liranmauda
liranmauda reviewed Jul 2, 2023
View reviewed changes
src/util/os_utils.js Outdated Show resolved Hide resolved
liranmauda
liranmauda reviewed Jul 3, 2023
View reviewed changes
src/util/os_utils.js Outdated Show resolved Hide resolved
liranmauda
liranmauda approved these changes Jul 6, 2023
View reviewed changes
Copy link
Contributor

@liranmauda liranmauda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@nadavMiz
Fix CVE-2019-15597 - Implement new df command instead of library func…
0c3fda0 
…tion

Signed-off-by: nadav mizrahi <nadav.mizrahi16@gmail.com>
@nadavMiz nadavMiz merged commit bedfa56 into noobaa:master Jul 6, 2023
6 checks passed
@nadavMiz nadavMiz deleted the df-implement branch July 6, 2023 09:51
@nadavMiz nadavMiz restored the df-implement branch July 6, 2023 11:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liranmauda liranmauda liranmauda approved these changes

@guymguym guymguym Awaiting requested review from guymguym

@tangledbytes tangledbytes Awaiting requested review from tangledbytes

Assignees
No one assigned
Labels
size/L
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@nadavMiz @nimrod-becker @liranmauda @tangledbytes