Findings

High

Finding 21646: Potential for OS Command Injection
Severity Status Date discovered Age Reporter CWE
High Active, Verified Aug. 19, 2024 0 days Infra Admin (infrasec_nunet) 78
Location
Line Number
11
File Path
maint-scripts/config_network.c
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in
constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.

For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system

Finding 21647: Potential for OS Command Injection
Severity Status Date discovered Age Reporter CWE
High Active, Verified Aug. 19, 2024 0 days Infra Admin (infrasec_nunet) 78
Location
Line Number
13
File Path
maint-scripts/config_network.c
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in
constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.

For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system

Finding 21648: Potential for OS Command Injection
Severity Status Date discovered Age Reporter CWE
High Active, Verified Aug. 19, 2024 0 days Infra Admin (infrasec_nunet) 78
Location
Line Number
15
File Path
maint-scripts/config_network.c
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in
constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.

For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system

Finding 21649: Potential for OS Command Injection
Severity Status Date discovered Age Reporter CWE
High Active, Verified Aug. 19, 2024 0 days Infra Admin (infrasec_nunet) 78
Location
Line Number
17
File Path
maint-scripts/config_network.c
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in
constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.

For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system

Finding 21650: Potential for OS Command Injection
Severity Status Date discovered Age Reporter CWE
High Active, Verified Aug. 19, 2024 0 days Infra Admin (infrasec_nunet) 78
Location
Line Number
19
File Path
maint-scripts/config_network.c
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in
constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.

For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system

Finding 21651: Potential for OS Command Injection
Severity Status Date discovered Age Reporter CWE
High Active, Verified Aug. 19, 2024 0 days Infra Admin (infrasec_nunet) 78
Location
Line Number
21
File Path
maint-scripts/config_network.c
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in
constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.

For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system

Medium

Finding 21652: Improper Handling of Highly Compressed Data
Severity Status Date discovered Age Reporter CWE
Medium Active, Verified Aug. 19, 2024 0 days Infra Admin (infrasec_nunet) 409
Location
Line Number
322
File Path
utils/utils.go
CVSS v3
None
Description
Scanner: Semgrep
Directly decompressing files or buffers may lead to a potential Denial of Service (DoS)
due to a decompression bomb. Decompression bombs are maliciously compressed files
or data that decompresses to extremely large sizes. This can cause the process to run
out of memory, or the disk to fill up.

To protect against decompression bombs, an
[io.LimitReader(...)](https://pkg.go.dev/io#LimitReader)
should be used to limit how much can be read during the decompression routine.

Example using `io.LimitReader` to protect against a decompression bomb:
```
f, err := os.Open("some.gz")
if err != nil {
  log.Fatal(err)
}

r, err := gzip.NewReader(f)
if err != nil {
  log.Fatal(err)
}

const oneMegabyte = 1024 * 1024
limitedReader := io.LimitReader(r, oneMegabyte)

// use limitedReader to stop copying after 1 MB
if _, err := io.Copy(os.Stdout, limitedReader); err != nil {
  log.Fatal(err)
}
```

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G110-1
Value: gosec.G110-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G110
Value: G110

Finding 21653: Uncontrolled Resource Consumption (Slowloris)
Severity Status Date discovered Age Reporter CWE
Medium Active, Verified Aug. 19, 2024 0 days Infra Admin (infrasec_nunet) 400
Location
Line Number
167
File Path
api/api_test.go
CVSS v3
None
Description
Scanner: Semgrep
Go's `net/http` serve functions may be vulnerable to resource consumption attacks if timeouts
are not properly configured
prior to starting the HTTP server. An adversary may open up thousands of connections but never
complete sending all data,
or never terminate the connections. This may lead to the server no longer accepting new
connections.

To protect against this style of resource consumption attack, timeouts should be set in the
`net/http` server prior to calling
the listen or serve functions. What this means is that the default `http.ListenAndServe` and
`http.Serve` functions should not
be used in a production setting as they are unable to have timeouts configured. Instead a
custom `http.Server` object must be
created with the timeouts configured.

Example setting timeouts on a `net/http` server:
```
// All values chosen below are dependent on application logic and
// should be tailored per use-case
srv := &http.Server{
  Addr: "localhost:8000",
  // ReadHeaderTimeout is the amount of time allowed to read
  // request headers. The connection's read deadline is reset
  // after reading the headers and the Handler can decide what
  // is considered too slow for the body. If ReadHeaderTimeout
  // is zero, the value of ReadTimeout is used. If both are
  // zero, there is no timeout.
  ReadHeaderTimeout: 15 * time.Second,

  // ReadTimeout is the maximum duration for reading the entire
  // request, including the body. A zero or negative value means
  // there will be no timeout.
  //
  // Because ReadTimeout does not let Handlers make per-request
  // decisions on each request body's acceptable deadline or
  // upload rate, most users will prefer to use
  // ReadHeaderTimeout. It is valid to use them both.
  ReadTimeout: 15 * time.Second,

  // WriteTimeout is the maximum duration before timing out
  // writes of the response. It is reset whenever a new
  // request's header is read. Like ReadTimeout, it does not
  // let Handlers make decisions on a per-request basis.
  // A zero or negative value means there will be no timeout.
  WriteTimeout: 10 * time.Second,

  // IdleTimeout is the maximum amount of time to wait for the
  // next request when keep-alives are enabled. If IdleTimeout
  // is zero, the value of ReadTimeout is used. If both are
  // zero, there is no timeout.
  IdleTimeout: 30 * time.Second,
}

// For per request timeouts applications can wrap all `http.HandlerFunc(...)` in
// `http.TimeoutHandler`` and specify a timeout, but note the TimeoutHandler does not
// start ticking until all headers have been read.

// Listen with our custom server with timeouts configured
if err := srv.ListenAndServe(); err != nil {
  log.Fatal(err)
}
```
For more information on the `http.Server` timeouts, see: https://pkg.go.dev/net/http#Server

For information on setting request based timeouts, see:
https://pkg.go.dev/net/http#TimeoutHandler

For more information on the Slowloris attack see:
https://en.wikipedia.org/wiki/Slowloris_(computer_security)

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G114-1
Value: gosec.G114-1

Identifier type: owasp
Name: A05:2021 - Security Misconfiguration
Value: A05:2021

Identifier type: owasp
Name: A6:2017 - Security Misconfiguration
Value: A6:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G112
Value: G112

Identifier type: gosec_rule_id
Name: Gosec Rule ID G114
Value: G114

Finding 21654: Uncontrolled Resource Consumption (Slowloris)
Severity Status Date discovered Age Reporter CWE
Medium Active, Verified Aug. 19, 2024 0 days Infra Admin (infrasec_nunet) 400
Location
Line Number
51
File Path
utils/network_test.go
CVSS v3
None
Description
Scanner: Semgrep
Go's `net/http` serve functions may be vulnerable to resource consumption attacks if timeouts
are not properly configured
prior to starting the HTTP server. An adversary may open up thousands of connections but never
complete sending all data,
or never terminate the connections. This may lead to the server no longer accepting new
connections.

To protect against this style of resource consumption attack, timeouts should be set in the
`net/http` server prior to calling
the listen or serve functions. What this means is that the default `http.ListenAndServe` and
`http.Serve` functions should not
be used in a production setting as they are unable to have timeouts configured. Instead a
custom `http.Server` object must be
created with the timeouts configured.

Example setting timeouts on a `net/http` server:
```
// All values chosen below are dependent on application logic and
// should be tailored per use-case
srv := &http.Server{
  Addr: "localhost:8000",
  // ReadHeaderTimeout is the amount of time allowed to read
  // request headers. The connection's read deadline is reset
  // after reading the headers and the Handler can decide what
  // is considered too slow for the body. If ReadHeaderTimeout
  // is zero, the value of ReadTimeout is used. If both are
  // zero, there is no timeout.
  ReadHeaderTimeout: 15 * time.Second,

  // ReadTimeout is the maximum duration for reading the entire
  // request, including the body. A zero or negative value means
  // there will be no timeout.
  //
  // Because ReadTimeout does not let Handlers make per-request
  // decisions on each request body's acceptable deadline or
  // upload rate, most users will prefer to use
  // ReadHeaderTimeout. It is valid to use them both.
  ReadTimeout: 15 * time.Second,

  // WriteTimeout is the maximum duration before timing out
  // writes of the response. It is reset whenever a new
  // request's header is read. Like ReadTimeout, it does not
  // let Handlers make decisions on a per-request basis.
  // A zero or negative value means there will be no timeout.
  WriteTimeout: 10 * time.Second,

  // IdleTimeout is the maximum amount of time to wait for the
  // next request when keep-alives are enabled. If IdleTimeout
  // is zero, the value of ReadTimeout is used. If both are
  // zero, there is no timeout.
  IdleTimeout: 30 * time.Second,
}

// For per request timeouts applications can wrap all `http.HandlerFunc(...)` in
// `http.TimeoutHandler`` and specify a timeout, but note the TimeoutHandler does not
// start ticking until all headers have been read.

// Listen with our custom server with timeouts configured
if err := srv.ListenAndServe(); err != nil {
  log.Fatal(err)
}
```
For more information on the `http.Server` timeouts, see: https://pkg.go.dev/net/http#Server

For information on setting request based timeouts, see:
https://pkg.go.dev/net/http#TimeoutHandler

For more information on the Slowloris attack see:
https://en.wikipedia.org/wiki/Slowloris_(computer_security)

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G114-1
Value: gosec.G114-1

Identifier type: owasp
Name: A05:2021 - Security Misconfiguration
Value: A05:2021

Identifier type: owasp
Name: A6:2017 - Security Misconfiguration
Value: A6:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G112
Value: G112

Identifier type: gosec_rule_id
Name: Gosec Rule ID G114
Value: G114

Finding 21655: Incorrect Permission Assignment for Critical Resource
Severity Status Date discovered Age Reporter CWE
Medium Active, Verified Aug. 19, 2024 0 days Infra Admin (infrasec_nunet) 732
Location
Line Number
218
File Path
utils/utils.go
CVSS v3
None
Description
Scanner: Semgrep
The application was found setting directory permissions to overly permissive values. Consider
using the following values if the application user is the only process to access
files in the directory specified:
- 0700 - read/write access to the files in the directory

Another common value is `0750` which allows the application user read/write access and group
users to read the files contained in the directory.

Example creating a directory with read/write permissions for only the application user:
```
err := os.Mkdir("directory", 0700)
if err != nil {
  log.Fatal(err)
}
```

For all other values please see:
https://en.wikipedia.org/wiki/File-system_permissions#Numeric_notation

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G301-1
Value: gosec.G301-1

Identifier type: owasp
Name: A01:2021 - Broken Access Control
Value: A01:2021

Identifier type: owasp
Name: A5:2017 - Broken Access Control
Value: A5:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G301
Value: G301

Finding 21656: Incorrect Permission Assignment for Critical Resource
Severity Status Date discovered Age Reporter CWE
Medium Active, Verified Aug. 19, 2024 0 days Infra Admin (infrasec_nunet) 732
Location
Line Number
771
File Path
utils/cardano/cardano.go
CVSS v3
None
Description
Scanner: Semgrep
The application was found setting file permissions to overly permissive values. Consider
using the following values if the application user is the only process to access
the file:

- 0400 - read only access to the file
- 0200 - write only access to the file
- 0600 - read/write access to the file

Example creating a file with read/write permissions for the application user:
```
f, err := os.OpenFile("file.txt", os.O_CREATE, 0600)
if err != nil {
  log.Fatal(err)
}
defer f.Close()
// continue to work with file here
```

For all other values please see:
https://en.wikipedia.org/wiki/File-system_permissions#Numeric_notation

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G302-1
Value: gosec.G302-1

Identifier type: owasp
Name: A01:2021 - Broken Access Control
Value: A01:2021

Identifier type: owasp
Name: A5:2017 - Broken Access Control
Value: A5:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G302
Value: G302

Finding 21657: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Severity Status Date discovered Age Reporter CWE
Medium Active, Verified Aug. 19, 2024 0 days Infra Admin (infrasec_nunet) 22
Location
Line Number
94
File Path
internal/config/load.go
CVSS v3
None
Description
Scanner: Semgrep
The application dynamically constructs file or path information. If the path
information comes from user input, it could be abused to read sensitive files,
access other users data or aid in exploitation to gain further system access.

User input should never be used in constructing paths or files for interacting
with the filesystem. This includes filenames supplied by user uploads or downloads.
If possible, consider hashing user input or replacing it with unique values.
Additionally, use `filepath.Base` to only use the filename and not path information.
Always validate the full path prior to opening or writing to any file.

Example using `filepath.Base`, generating a unique filename without using
user input to construct filepath information:
```
type userData struct {
    id           string
    userFilename string
}

func newUserData(userFilename string) userData {
    return userData{
        id:           randomFileID(), // random id as the filename
        userFilename: userFilename,
    }
}

// randomFileID generates a random id, to be used as a filename
func randomFileID() string {
    id := make([]byte, 16)
    if _, err := io.ReadFull(rand.Reader, id); err != nil {
        log.Fatal(err)
    }
    return hex.EncodeToString(id)
}

func main() {

    // user input, saved only as a reference
    data := newUserData("../../possibly/malicious")

    // restrict all file access to this path
    const basePath = "/tmp/"

    // resolve the full path, but only use our random generated id
    resolvedPath, err := filepath.Join(basePath, filepath.Base(data.id))
    if err != nil {
        log.Fatal(err)
    }

    // verify the path is prefixed with our basePath
    if !strings.HasPrefix(resolvedPath, basePath) {
        log.Fatal("path does not start with basePath")
    }
    // process / work with file
}
```

For more information on path traversal issues see OWASP:
https://owasp.org/www-community/attacks/Path_Traversal

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G304-1
Value: gosec.G304-1

Identifier type: owasp
Name: A01:2021 - Broken Access Control
Value: A01:2021

Identifier type: owasp
Name: A5:2017 - Broken Access Control
Value: A5:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G304
Value: G304