
Avoid the use of hardcoded temporary directory names in framework #10115

Closed
13 tasks done
Tracked by #2330
mcarmona99 opened this issue Sep 14, 2021 · 1 comment · Fixed by #10544
@mcarmona99 (Contributor)

mcarmona99 commented Sep 14, 2021

Description

With the test created in the issue wazuh/wazuh-qa#1615, some possible code flaws were found by Bandit.

In this issue we specify the flaws regarding insecure usage of temp files/directories.

Vulnerabilities found in:

  • framework/wazuh/core/configuration.py line 676
  • framework/wazuh/core/utils.py line 1755

These flaws are caused by hardcoded temporary directories. We could investigate whether we could generate a temporary one in a safer way (the tempfile library can create it on its own): https://docs.openstack.org/bandit/1.4.0/plugins/hardcoded_tmp_directory.html

Once the changes are done, run the test to check that these flaws have been removed from the framework's known flaws JSON file.

Checks

wazuh/wazuh

  • Unit tests without failures. Updated and/or expanded if there are new functions/methods/outputs:
    • Cluster (framework/wazuh/core/cluster/tests/ & framework/wazuh/core/cluster/dapi/tests/)
    • Core (framework/wazuh/core/tests/)
    • SDK (framework/wazuh/tests/)
    • RBAC (framework/wazuh/rbac/tests/)
    • API (api/api/tests/)
  • API tavern integration tests without failures. Updated and/or expanded if needed (api/test/integration/):
    • Affected tests
    • Affected RBAC (black and white) tests
  • Review integration test mapping using the script (api/test/integration/mapping/integration_test_api_endpoints.json)
  • Review of spec.yaml examples and schemas (api/api/spec/spec.yaml)
  • Review exceptions remediation when any endpoint path changes or is removed (framework/wazuh/core/exception.py)
  • Changelog (CHANGELOG.md)

wazuh/wazuh-documentation

  • Migration from 3.X for changed endpoints (source/user-manual/api/equivalence.rst)
  • Update RBAC reference with new/modified actions/resources/relationships (source/user-manual/api/rbac/reference.rst)
@Kondent (Contributor)

Kondent commented Oct 14, 2021

Update

I found a solution using NamedTemporaryFile from the tempfile package.
I'll need to do more tests, but it seems to be working properly. Bandit is no longer alerting about this flaw in our code.

Regards,
Alexis
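
The example below is added here to illustrate both the flaw Bandit's hardcoded_tmp_directory check (B108) reports in the issue description and the NamedTemporaryFile fix described in the comment above. It is not Wazuh project code and does not reproduce the lines from configuration.py or utils.py that the issue references; the file name `wazuh_tmp.conf`, the helper names and the victim/attacker setup are assumptions made for the demonstration, and the attack runs inside a throwaway directory standing in for /tmp so it touches nothing on the real system.

```python
"""Added example: hardcoded temp paths vs. tempfile (not Wazuh project code)."""
import os
import stat
import tempfile
from typing import Optional

# Prefixes that Bandit's hardcoded_tmp_directory plugin (B108) warns about
# by default when they appear in a string literal.
BANDIT_TMP_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm")


def is_hardcoded_tmp(path: str) -> bool:
    """Mirror of the Bandit check: flag a literal under a shared temp directory."""
    return any(path.startswith(prefix) for prefix in BANDIT_TMP_PREFIXES)


def write_insecure(content: str, path: str) -> str:
    """Flawed pattern: fixed, predictable name in a world-writable directory.

    open(..., "w") follows an existing symlink and truncates its target, so a
    local user who pre-creates `path` as a symlink chooses which file we write.
    """
    with open(path, "w") as fh:
        fh.write(content)
    return path


def write_secure(content: str, suffix: str = ".conf",
                 directory: Optional[str] = None) -> str:
    """Fixed pattern: let tempfile choose the name.

    NamedTemporaryFile is built on mkstemp: random name, opened with
    O_CREAT | O_EXCL (a pre-planted file or symlink makes creation fail instead
    of being followed), mode 0600, inside tempfile.gettempdir() unless
    `directory` is given. delete=False keeps the file so the caller can hand
    the path on; the caller is then responsible for removing it.
    """
    with tempfile.NamedTemporaryFile(mode="w", suffix=suffix,
                                     dir=directory, delete=False) as fh:
        fh.write(content)
        return fh.name


def demo_symlink_clobber(workdir: str) -> str:
    """Simulate the attack inside `workdir` (a constructed stand-in for /tmp).

    Returns the final content of the victim file the attacker pointed the
    hardcoded name at.
    """
    victim = os.path.join(workdir, "victim.txt")
    with open(victim, "w") as fh:
        fh.write("original\n")
    planted = os.path.join(workdir, "wazuh_tmp.conf")  # the hardcoded name (hypothetical)
    os.symlink(victim, planted)                          # attacker gets there first
    write_insecure("attacker-chosen content\n", planted)
    with open(victim) as fh:
        return fh.read()


def secure_file_properties(workdir: str) -> dict:
    """Create two files with write_secure and report the properties that matter."""
    first = write_secure("one\n", directory=workdir)
    second = write_secure("two\n", directory=workdir)
    st = os.lstat(first)
    return {
        "unique": first != second,                    # no predictable name
        "not_symlink": not stat.S_ISLNK(st.st_mode),  # we own what we opened
        "mode": stat.S_IMODE(st.st_mode),             # 0o600 from mkstemp
        "in_workdir": os.path.dirname(first) == workdir,
    }


def run_demo() -> dict:
    """Run both demos in a throwaway directory and return their results."""
    with tempfile.TemporaryDirectory() as workdir:
        return {
            "victim_content": demo_symlink_clobber(workdir),
            "secure": secure_file_properties(workdir),
        }


if __name__ == "__main__":
    print("is_hardcoded_tmp('/tmp/x'):", is_hardcoded_tmp("/tmp/x"))
    result = run_demo()
    print("victim after insecure write:", result["victim_content"].strip())
    print("secure file properties:", result["secure"])
```

The symlink step is what makes a predictable name in a shared directory a real problem rather than a style issue: the insecure writer happily truncates whatever the attacker linked to, while mkstemp's exclusive create refuses to follow anything that already exists at the randomly chosen name. If the surrounding code needs a whole scratch area rather than one file, tempfile.TemporaryDirectory() or tempfile.mkdtemp() give the same guarantees for a directory.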
