Findings

High

Finding 23982: Potential for OS Command Injection
Severity Status Date discovered Age Reporter CWE
High Active, Verified Sept. 9, 2024 0 days Infra Admin (infrasec_nunet) 78
Location
Line Number
11
File Path
maint-scripts/config_network.c
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in
constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.

For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system

Finding 23983: Potential for OS Command Injection
Severity Status Date discovered Age Reporter CWE
High Active, Verified Sept. 9, 2024 0 days Infra Admin (infrasec_nunet) 78
Location
Line Number
13
File Path
maint-scripts/config_network.c
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in
constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.

For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system

Finding 23984: Potential for OS Command Injection
Severity Status Date discovered Age Reporter CWE
High Active, Verified Sept. 9, 2024 0 days Infra Admin (infrasec_nunet) 78
Location
Line Number
15
File Path
maint-scripts/config_network.c
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in
constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.

For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system

Finding 23985: Potential for OS Command Injection
Severity Status Date discovered Age Reporter CWE
High Active, Verified Sept. 9, 2024 0 days Infra Admin (infrasec_nunet) 78
Location
Line Number
17
File Path
maint-scripts/config_network.c
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in
constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.

For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system

Finding 23986: Potential for OS Command Injection
Severity Status Date discovered Age Reporter CWE
High Active, Verified Sept. 9, 2024 0 days Infra Admin (infrasec_nunet) 78
Location
Line Number
19
File Path
maint-scripts/config_network.c
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in
constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.

For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system

Finding 23987: Potential for OS Command Injection
Severity Status Date discovered Age Reporter CWE
High Active, Verified Sept. 9, 2024 0 days Infra Admin (infrasec_nunet) 78
Location
Line Number
21
File Path
maint-scripts/config_network.c
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in
constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.

For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system

Medium

Finding 23988: Incorrect Permission Assignment for Critical Resource
Severity Status Date discovered Age Reporter CWE
Medium Active, Verified Sept. 9, 2024 0 days Infra Admin (infrasec_nunet) 732
Location
Line Number
184
File Path
utils/utils.go
CVSS v3
None
Description
Scanner: Semgrep
The application was found setting directory permissions to overly permissive values. Consider
using the following values if the application user is the only process to access
files in the directory specified:
- 0700 - read/write access to the files in the directory

Another common value is `0750` which allows the application user read/write access and group
users to read the files contained in the directory.

Example creating a directory with read/write permissions for only the application user:
```
err := os.Mkdir("directory", 0700)
if err != nil {
  log.Fatal(err)
}
```

For all other values please see:
https://en.wikipedia.org/wiki/File-system_permissions#Numeric_notation

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G301-1
Value: gosec.G301-1

Identifier type: owasp
Name: A01:2021 - Broken Access Control
Value: A01:2021

Identifier type: owasp
Name: A5:2017 - Broken Access Control
Value: A5:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G301
Value: G301

Finding 23989: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Severity Status Date discovered Age Reporter CWE
Medium Active, Verified Sept. 9, 2024 0 days Infra Admin (infrasec_nunet) 22
Location
Line Number
104
File Path
internal/config/load.go
CVSS v3
None
Description
Scanner: Semgrep
The application dynamically constructs file or path information. If the path
information comes from user input, it could be abused to read sensitive files,
access other users data or aid in exploitation to gain further system access.

User input should never be used in constructing paths or files for interacting
with the filesystem. This includes filenames supplied by user uploads or downloads.
If possible, consider hashing user input or replacing it with unique values.
Additionally, use `filepath.Base` to only use the filename and not path information.
Always validate the full path prior to opening or writing to any file.

Example using `filepath.Base`, generating a unique filename without using
user input to construct filepath information:
```
type userData struct {
    id           string
    userFilename string
}

func newUserData(userFilename string) userData {
    return userData{
        id:           randomFileID(), // random id as the filename
        userFilename: userFilename,
    }
}

// randomFileID generates a random id, to be used as a filename
func randomFileID() string {
    id := make([]byte, 16)
    if _, err := io.ReadFull(rand.Reader, id); err != nil {
        log.Fatal(err)
    }
    return hex.EncodeToString(id)
}

func main() {

    // user input, saved only as a reference
    data := newUserData("../../possibly/malicious")

    // restrict all file access to this path
    const basePath = "/tmp/"

    // resolve the full path, but only use our random generated id
    resolvedPath, err := filepath.Join(basePath, filepath.Base(data.id))
    if err != nil {
        log.Fatal(err)
    }

    // verify the path is prefixed with our basePath
    if !strings.HasPrefix(resolvedPath, basePath) {
        log.Fatal("path does not start with basePath")
    }
    // process / work with file
}
```

For more information on path traversal issues see OWASP:
https://owasp.org/www-community/attacks/Path_Traversal

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G304-1
Value: gosec.G304-1

Identifier type: owasp
Name: A01:2021 - Broken Access Control
Value: A01:2021

Identifier type: owasp
Name: A5:2017 - Broken Access Control
Value: A5:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G304
Value: G304