Findings
High
Finding 22120: Potential for OS Command Injection
| Severity |
Status |
Date discovered |
Age |
Reporter |
CWE |
|
High
|
Active, Verified |
Aug. 22, 2024 |
0 days |
Infra Admin (infrasec_nunet) |
78
|
Location
| File Path |
| maint-scripts/config_network.c |
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in
constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.
For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177
Mitigation
Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1
Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021
Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017
Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system
Finding 22121: Potential for OS Command Injection
| Severity |
Status |
Date discovered |
Age |
Reporter |
CWE |
|
High
|
Active, Verified |
Aug. 22, 2024 |
0 days |
Infra Admin (infrasec_nunet) |
78
|
Location
| File Path |
| maint-scripts/config_network.c |
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in
constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.
For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177
Mitigation
Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1
Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021
Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017
Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system
Finding 22122: Potential for OS Command Injection
| Severity |
Status |
Date discovered |
Age |
Reporter |
CWE |
|
High
|
Active, Verified |
Aug. 22, 2024 |
0 days |
Infra Admin (infrasec_nunet) |
78
|
Location
| File Path |
| maint-scripts/config_network.c |
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in
constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.
For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177
Mitigation
Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1
Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021
Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017
Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system
Finding 22123: Potential for OS Command Injection
| Severity |
Status |
Date discovered |
Age |
Reporter |
CWE |
|
High
|
Active, Verified |
Aug. 22, 2024 |
0 days |
Infra Admin (infrasec_nunet) |
78
|
Location
| File Path |
| maint-scripts/config_network.c |
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in
constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.
For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177
Mitigation
Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1
Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021
Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017
Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system
Finding 22124: Potential for OS Command Injection
| Severity |
Status |
Date discovered |
Age |
Reporter |
CWE |
|
High
|
Active, Verified |
Aug. 22, 2024 |
0 days |
Infra Admin (infrasec_nunet) |
78
|
Location
| File Path |
| maint-scripts/config_network.c |
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in
constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.
For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177
Mitigation
Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1
Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021
Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017
Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system
Finding 22125: Potential for OS Command Injection
| Severity |
Status |
Date discovered |
Age |
Reporter |
CWE |
|
High
|
Active, Verified |
Aug. 22, 2024 |
0 days |
Infra Admin (infrasec_nunet) |
78
|
Location
| File Path |
| maint-scripts/config_network.c |
CVSS v3
None
Description
Scanner: Semgrep
It is generally not recommended to call out to the operating system to execute commands.
When the application is executing file system based commands, user input should never be used
in
constructing commands or command arguments. If possible, determine if a library can be used
instead to provide the same functionality. Otherwise, consider hard coding both the command
and arguments to be used, or at the very least restricting which arguments can be passed
to the command execution function.
For more information please see:
https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152177
Mitigation
Impact
None
References
Identifier type: semgrep_id
Name: flawfinder.system-1
Value: flawfinder.system-1
Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021
Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017
Identifier type: flawfinder_func_name
Name: Flawfinder - system
Value: system
Medium
Finding 22126: Improper Handling of Highly Compressed Data
| Severity |
Status |
Date discovered |
Age |
Reporter |
CWE |
|
Medium
|
Active, Verified |
Aug. 22, 2024 |
0 days |
Infra Admin (infrasec_nunet) |
409
|
CVSS v3
None
Description
Scanner: Semgrep
Directly decompressing files or buffers may lead to a potential Denial of Service (DoS)
due to a decompression bomb. Decompression bombs are maliciously compressed files
or data that decompresses to extremely large sizes. This can cause the process to run
out of memory, or the disk to fill up.
To protect against decompression bombs, an
[io.LimitReader(...)](https://pkg.go.dev/io#LimitReader)
should be used to limit how much can be read during the decompression routine.
Example using `io.LimitReader` to protect against a decompression bomb:
```
f, err := os.Open("some.gz")
if err != nil {
log.Fatal(err)
}
r, err := gzip.NewReader(f)
if err != nil {
log.Fatal(err)
}
const oneMegabyte = 1024 * 1024
limitedReader := io.LimitReader(r, oneMegabyte)
// use limitedReader to stop copying after 1 MB
if _, err := io.Copy(os.Stdout, limitedReader); err != nil {
log.Fatal(err)
}
```
Mitigation
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G110-1
Value: gosec.G110-1
Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021
Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017
Identifier type: gosec_rule_id
Name: Gosec Rule ID G110
Value: G110
Finding 22127: Uncontrolled Resource Consumption (Slowloris)
| Severity |
Status |
Date discovered |
Age |
Reporter |
CWE |
|
Medium
|
Active, Verified |
Aug. 22, 2024 |
0 days |
Infra Admin (infrasec_nunet) |
400
|
Location
| File Path |
| utils/network_test.go |
CVSS v3
None
Description
Scanner: Semgrep
Go's `net/http` serve functions may be vulnerable to resource consumption attacks if timeouts
are not properly configured
prior to starting the HTTP server. An adversary may open up thousands of connections but never
complete sending all data,
or never terminate the connections. This may lead to the server no longer accepting new
connections.
To protect against this style of resource consumption attack, timeouts should be set in the
`net/http` server prior to calling
the listen or serve functions. What this means is that the default `http.ListenAndServe` and
`http.Serve` functions should not
be used in a production setting as they are unable to have timeouts configured. Instead a
custom `http.Server` object must be
created with the timeouts configured.
Example setting timeouts on a `net/http` server:
```
// All values chosen below are dependent on application logic and
// should be tailored per use-case
srv := &http.Server{
Addr: "localhost:8000",
// ReadHeaderTimeout is the amount of time allowed to read
// request headers. The connection's read deadline is reset
// after reading the headers and the Handler can decide what
// is considered too slow for the body. If ReadHeaderTimeout
// is zero, the value of ReadTimeout is used. If both are
// zero, there is no timeout.
ReadHeaderTimeout: 15 * time.Second,
// ReadTimeout is the maximum duration for reading the entire
// request, including the body. A zero or negative value means
// there will be no timeout.
//
// Because ReadTimeout does not let Handlers make per-request
// decisions on each request body's acceptable deadline or
// upload rate, most users will prefer to use
// ReadHeaderTimeout. It is valid to use them both.
ReadTimeout: 15 * time.Second,
// WriteTimeout is the maximum duration before timing out
// writes of the response. It is reset whenever a new
// request's header is read. Like ReadTimeout, it does not
// let Handlers make decisions on a per-request basis.
// A zero or negative value means there will be no timeout.
WriteTimeout: 10 * time.Second,
// IdleTimeout is the maximum amount of time to wait for the
// next request when keep-alives are enabled. If IdleTimeout
// is zero, the value of ReadTimeout is used. If both are
// zero, there is no timeout.
IdleTimeout: 30 * time.Second,
}
// For per request timeouts applications can wrap all `http.HandlerFunc(...)` in
// `http.TimeoutHandler`` and specify a timeout, but note the TimeoutHandler does not
// start ticking until all headers have been read.
// Listen with our custom server with timeouts configured
if err := srv.ListenAndServe(); err != nil {
log.Fatal(err)
}
```
For more information on the `http.Server` timeouts, see: https://pkg.go.dev/net/http#Server
For information on setting request based timeouts, see:
https://pkg.go.dev/net/http#TimeoutHandler
For more information on the Slowloris attack see:
https://en.wikipedia.org/wiki/Slowloris_(computer_security)
Mitigation
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G114-1
Value: gosec.G114-1
Identifier type: owasp
Name: A05:2021 - Security Misconfiguration
Value: A05:2021
Identifier type: owasp
Name: A6:2017 - Security Misconfiguration
Value: A6:2017
Identifier type: gosec_rule_id
Name: Gosec Rule ID G112
Value: G112
Identifier type: gosec_rule_id
Name: Gosec Rule ID G114
Value: G114
Finding 22128: Incorrect Permission Assignment for Critical Resource
| Severity |
Status |
Date discovered |
Age |
Reporter |
CWE |
|
Medium
|
Active, Verified |
Aug. 22, 2024 |
0 days |
Infra Admin (infrasec_nunet) |
732
|
CVSS v3
None
Description
Scanner: Semgrep
The application was found setting directory permissions to overly permissive values. Consider
using the following values if the application user is the only process to access
files in the directory specified:
- 0700 - read/write access to the files in the directory
Another common value is `0750` which allows the application user read/write access and group
users to read the files contained in the directory.
Example creating a directory with read/write permissions for only the application user:
```
err := os.Mkdir("directory", 0700)
if err != nil {
log.Fatal(err)
}
```
For all other values please see:
https://en.wikipedia.org/wiki/File-system_permissions#Numeric_notation
Mitigation
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G301-1
Value: gosec.G301-1
Identifier type: owasp
Name: A01:2021 - Broken Access Control
Value: A01:2021
Identifier type: owasp
Name: A5:2017 - Broken Access Control
Value: A5:2017
Identifier type: gosec_rule_id
Name: Gosec Rule ID G301
Value: G301
Finding 22129: Incorrect Permission Assignment for Critical Resource
| Severity |
Status |
Date discovered |
Age |
Reporter |
CWE |
|
Medium
|
Active, Verified |
Aug. 22, 2024 |
0 days |
Infra Admin (infrasec_nunet) |
732
|
Location
| File Path |
| utils/cardano/cardano.go |
CVSS v3
None
Description
Scanner: Semgrep
The application was found setting file permissions to overly permissive values. Consider
using the following values if the application user is the only process to access
the file:
- 0400 - read only access to the file
- 0200 - write only access to the file
- 0600 - read/write access to the file
Example creating a file with read/write permissions for the application user:
```
f, err := os.OpenFile("file.txt", os.O_CREATE, 0600)
if err != nil {
log.Fatal(err)
}
defer f.Close()
// continue to work with file here
```
For all other values please see:
https://en.wikipedia.org/wiki/File-system_permissions#Numeric_notation
Mitigation
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G302-1
Value: gosec.G302-1
Identifier type: owasp
Name: A01:2021 - Broken Access Control
Value: A01:2021
Identifier type: owasp
Name: A5:2017 - Broken Access Control
Value: A5:2017
Identifier type: gosec_rule_id
Name: Gosec Rule ID G302
Value: G302
Finding 22130: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| Severity |
Status |
Date discovered |
Age |
Reporter |
CWE |
|
Medium
|
Active, Verified |
Aug. 22, 2024 |
0 days |
Infra Admin (infrasec_nunet) |
22
|
Location
| File Path |
| internal/config/load.go |
CVSS v3
None
Description
Scanner: Semgrep
The application dynamically constructs file or path information. If the path
information comes from user input, it could be abused to read sensitive files,
access other users data or aid in exploitation to gain further system access.
User input should never be used in constructing paths or files for interacting
with the filesystem. This includes filenames supplied by user uploads or downloads.
If possible, consider hashing user input or replacing it with unique values.
Additionally, use `filepath.Base` to only use the filename and not path information.
Always validate the full path prior to opening or writing to any file.
Example using `filepath.Base`, generating a unique filename without using
user input to construct filepath information:
```
type userData struct {
id string
userFilename string
}
func newUserData(userFilename string) userData {
return userData{
id: randomFileID(), // random id as the filename
userFilename: userFilename,
}
}
// randomFileID generates a random id, to be used as a filename
func randomFileID() string {
id := make([]byte, 16)
if _, err := io.ReadFull(rand.Reader, id); err != nil {
log.Fatal(err)
}
return hex.EncodeToString(id)
}
func main() {
// user input, saved only as a reference
data := newUserData("../../possibly/malicious")
// restrict all file access to this path
const basePath = "/tmp/"
// resolve the full path, but only use our random generated id
resolvedPath, err := filepath.Join(basePath, filepath.Base(data.id))
if err != nil {
log.Fatal(err)
}
// verify the path is prefixed with our basePath
if !strings.HasPrefix(resolvedPath, basePath) {
log.Fatal("path does not start with basePath")
}
// process / work with file
}
```
For more information on path traversal issues see OWASP:
https://owasp.org/www-community/attacks/Path_Traversal
Mitigation
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G304-1
Value: gosec.G304-1
Identifier type: owasp
Name: A01:2021 - Broken Access Control
Value: A01:2021
Identifier type: owasp
Name: A5:2017 - Broken Access Control
Value: A5:2017
Identifier type: gosec_rule_id
Name: Gosec Rule ID G304
Value: G304