Findings

High

Finding 28554: Improper Neutralization of Special Elements Used in an OS Command ('OS Command Injection')
Severity Status Date discovered Age Reporter CWE
High Active, Verified Oct. 8, 2024 0 days Infra Admin (infrasec_nunet) 78
Location
Line Number
123
File Path
cmd/config.go
CVSS v3
None
Description
Scanner: Semgrep
OS command injection is a critical vulnerability that can lead to a full system
compromise as it may allow an adversary to pass in arbitrary commands or arguments
to be executed.

User input should never be used in constructing commands or command arguments
to functions which execute OS commands. This includes filenames supplied by
user uploads or downloads.

Ensure your application does not:

- Use user-supplied information in the process name to execute.
- Use user-supplied information in an OS command execution function which does
not escape shell meta-characters.
- Use user-supplied information in arguments to OS commands.

The application should have a hardcoded set of arguments that are to be passed
to OS commands. If filenames are being passed to these functions, it is
recommended that a hash of the filename be used instead, or some other unique
identifier. It is strongly recommended that a native library that implements
the same functionality be used instead of using OS system commands, due to the
risk of unknown attacks against third party commands.

If operating in Windows environments, when specifying the OS command, ensure
the application uses the full path
information, otherwise the OS may attempt to look up which process to execute
and could be vulnerable to untrusted search path vulnerabilities (CWE-426).

Example of safely executing an OS command:
```
userData := []byte("user data")
// create a temporary file in the application specific directory
f, err := ioutil.TempFile("/var/app/restricted", "temp-*.dat")
if err != nil {
  log.Fatal(err)
}

if _, err := f.Write(userData); err != nil {
  log.Fatal(err)
}

if err := f.Close(); err != nil {
  log.Fatal(err)
}

// pass the full path to the binary and the name of the temporary file
// instead of any user supplied filename
out, err := exec.Command("/bin/cat", f.Name()).Output()
if err != nil {
  log.Fatal(err)
}
```

For more information on OS command injection, see OWASP's guide:
https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G204-1
Value: gosec.G204-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G204
Value: G204

Finding 28555: Improper Neutralization of Special Elements Used in an OS Command ('OS Command Injection')
Severity Status Date discovered Age Reporter CWE
High Active, Verified Oct. 8, 2024 0 days Infra Admin (infrasec_nunet) 78
Location
Line Number
85
File Path
lib/did/ledger.go
CVSS v3
None
Description
Scanner: Semgrep
OS command injection is a critical vulnerability that can lead to a full system
compromise as it may allow an adversary to pass in arbitrary commands or arguments
to be executed.

User input should never be used in constructing commands or command arguments
to functions which execute OS commands. This includes filenames supplied by
user uploads or downloads.

Ensure your application does not:

- Use user-supplied information in the process name to execute.
- Use user-supplied information in an OS command execution function which does
not escape shell meta-characters.
- Use user-supplied information in arguments to OS commands.

The application should have a hardcoded set of arguments that are to be passed
to OS commands. If filenames are being passed to these functions, it is
recommended that a hash of the filename be used instead, or some other unique
identifier. It is strongly recommended that a native library that implements
the same functionality be used instead of using OS system commands, due to the
risk of unknown attacks against third party commands.

If operating in Windows environments, when specifying the OS command, ensure
the application uses the full path
information, otherwise the OS may attempt to look up which process to execute
and could be vulnerable to untrusted search path vulnerabilities (CWE-426).

Example of safely executing an OS command:
```
userData := []byte("user data")
// create a temporary file in the application specific directory
f, err := ioutil.TempFile("/var/app/restricted", "temp-*.dat")
if err != nil {
  log.Fatal(err)
}

if _, err := f.Write(userData); err != nil {
  log.Fatal(err)
}

if err := f.Close(); err != nil {
  log.Fatal(err)
}

// pass the full path to the binary and the name of the temporary file
// instead of any user supplied filename
out, err := exec.Command("/bin/cat", f.Name()).Output()
if err != nil {
  log.Fatal(err)
}
```

For more information on OS command injection, see OWASP's guide:
https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G204-1
Value: gosec.G204-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G204
Value: G204

Medium

Finding 28556: Active Debug Code (Pprof Enabled)
Severity Status Date discovered Age Reporter CWE
Medium Active, Verified Oct. 8, 2024 0 days Infra Admin (infrasec_nunet) 489
Location
Line Number
59
File Path
cmd/run.go
CVSS v3
None
Description
Scanner: Semgrep
Go has a built in profiling service that is enabled by starting an HTTP server with
`net/http/pprof` imported. The `/debug/pprof` endpoint does not require any
authentication and can be accessed by anonymous users. This profiling endpoint
can leak sensitive information and should not be enabled in production.

To remediate this, remove the `net/http/pprof` import from the file.

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G108-1
Value: gosec.G108-1

Identifier type: owasp
Name: A05:2021 - Security Misconfiguration
Value: A05:2021

Identifier type: owasp
Name: A6:2017 - Security Misconfiguration
Value: A6:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G108
Value: G108

Finding 28557: Uncontrolled Resource Consumption (Slowloris)
Severity Status Date discovered Age Reporter CWE
Medium Active, Verified Oct. 8, 2024 0 days Infra Admin (infrasec_nunet) 400
Location
Line Number
59
File Path
cmd/run.go
CVSS v3
None
Description
Scanner: Semgrep
Go's `net/http` serve functions may be vulnerable to resource consumption attacks if timeouts
are not properly configured
prior to starting the HTTP server. An adversary may open up thousands of connections but never
complete sending all data,
or never terminate the connections. This may lead to the server no longer accepting new
connections.

To protect against this style of resource consumption attack, timeouts should be set in the
`net/http` server prior to calling
the listen or serve functions. What this means is that the default `http.ListenAndServe` and
`http.Serve` functions should not
be used in a production setting as they are unable to have timeouts configured. Instead a
custom `http.Server` object must be
created with the timeouts configured.

Example setting timeouts on a `net/http` server:
```
// All values chosen below are dependent on application logic and
// should be tailored per use-case
srv := &http.Server{
  Addr: "localhost:8000",
  // ReadHeaderTimeout is the amount of time allowed to read
  // request headers. The connection's read deadline is reset
  // after reading the headers and the Handler can decide what
  // is considered too slow for the body. If ReadHeaderTimeout
  // is zero, the value of ReadTimeout is used. If both are
  // zero, there is no timeout.
  ReadHeaderTimeout: 15 * time.Second,

  // ReadTimeout is the maximum duration for reading the entire
  // request, including the body. A zero or negative value means
  // there will be no timeout.
  //
  // Because ReadTimeout does not let Handlers make per-request
  // decisions on each request body's acceptable deadline or
  // upload rate, most users will prefer to use
  // ReadHeaderTimeout. It is valid to use them both.
  ReadTimeout: 15 * time.Second,

  // WriteTimeout is the maximum duration before timing out
  // writes of the response. It is reset whenever a new
  // request's header is read. Like ReadTimeout, it does not
  // let Handlers make decisions on a per-request basis.
  // A zero or negative value means there will be no timeout.
  WriteTimeout: 10 * time.Second,

  // IdleTimeout is the maximum amount of time to wait for the
  // next request when keep-alives are enabled. If IdleTimeout
  // is zero, the value of ReadTimeout is used. If both are
  // zero, there is no timeout.
  IdleTimeout: 30 * time.Second,
}

// For per request timeouts applications can wrap all `http.HandlerFunc(...)` in
// `http.TimeoutHandler`` and specify a timeout, but note the TimeoutHandler does not
// start ticking until all headers have been read.

// Listen with our custom server with timeouts configured
if err := srv.ListenAndServe(); err != nil {
  log.Fatal(err)
}
```
For more information on the `http.Server` timeouts, see: https://pkg.go.dev/net/http#Server

For information on setting request based timeouts, see:
https://pkg.go.dev/net/http#TimeoutHandler

For more information on the Slowloris attack see:
https://en.wikipedia.org/wiki/Slowloris_(computer_security)

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G114-1
Value: gosec.G114-1

Identifier type: owasp
Name: A05:2021 - Security Misconfiguration
Value: A05:2021

Identifier type: owasp
Name: A6:2017 - Security Misconfiguration
Value: A6:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G112
Value: G112

Identifier type: gosec_rule_id
Name: Gosec Rule ID G114
Value: G114

Finding 28558: Incorrect Permission Assignment for Critical Resource
Severity Status Date discovered Age Reporter CWE
Medium Active, Verified Oct. 8, 2024 0 days Infra Admin (infrasec_nunet) 732
Location
Line Number
172
File Path
utils/utils.go
CVSS v3
None
Description
Scanner: Semgrep
The application was found setting directory permissions to overly permissive values. Consider
using the following values if the application user is the only process to access
files in the directory specified:
- 0700 - read/write access to the files in the directory

Another common value is `0750` which allows the application user read/write access and group
users to read the files contained in the directory.

Example creating a directory with read/write permissions for only the application user:
```
err := os.Mkdir("directory", 0700)
if err != nil {
  log.Fatal(err)
}
```

For all other values please see:
https://en.wikipedia.org/wiki/File-system_permissions#Numeric_notation

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G301-1
Value: gosec.G301-1

Identifier type: owasp
Name: A01:2021 - Broken Access Control
Value: A01:2021

Identifier type: owasp
Name: A5:2017 - Broken Access Control
Value: A5:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G301
Value: G301

Finding 28559: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Severity Status Date discovered Age Reporter CWE
Medium Active, Verified Oct. 8, 2024 0 days Infra Admin (infrasec_nunet) 22
Location
Line Number
182
File Path
dms/dms.go
CVSS v3
None
Description
Scanner: Semgrep
The application dynamically constructs file or path information. If the path
information comes from user input, it could be abused to read sensitive files,
access other users data or aid in exploitation to gain further system access.

User input should never be used in constructing paths or files for interacting
with the filesystem. This includes filenames supplied by user uploads or downloads.
If possible, consider hashing user input or replacing it with unique values.
Additionally, use `filepath.Base` to only use the filename and not path information.
Always validate the full path prior to opening or writing to any file.

Example using `filepath.Base`, generating a unique filename without using
user input to construct filepath information:
```
type userData struct {
    id           string
    userFilename string
}

func newUserData(userFilename string) userData {
    return userData{
        id:           randomFileID(), // random id as the filename
        userFilename: userFilename,
    }
}

// randomFileID generates a random id, to be used as a filename
func randomFileID() string {
    id := make([]byte, 16)
    if _, err := io.ReadFull(rand.Reader, id); err != nil {
        log.Fatal(err)
    }
    return hex.EncodeToString(id)
}

func main() {

    // user input, saved only as a reference
    data := newUserData("../../possibly/malicious")

    // restrict all file access to this path
    const basePath = "/tmp/"

    // resolve the full path, but only use our random generated id
    resolvedPath, err := filepath.Join(basePath, filepath.Base(data.id))
    if err != nil {
        log.Fatal(err)
    }

    // verify the path is prefixed with our basePath
    if !strings.HasPrefix(resolvedPath, basePath) {
        log.Fatal("path does not start with basePath")
    }
    // process / work with file
}
```

For more information on path traversal issues see OWASP:
https://owasp.org/www-community/attacks/Path_Traversal

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G304-1
Value: gosec.G304-1

Identifier type: owasp
Name: A01:2021 - Broken Access Control
Value: A01:2021

Identifier type: owasp
Name: A5:2017 - Broken Access Control
Value: A5:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G304
Value: G304

Finding 28560: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Severity Status Date discovered Age Reporter CWE
Medium Active, Verified Oct. 8, 2024 0 days Infra Admin (infrasec_nunet) 22
Location
Line Number
74
File Path
cmd/cap/util.go
CVSS v3
None
Description
Scanner: Semgrep
The application dynamically constructs file or path information. If the path
information comes from user input, it could be abused to read sensitive files,
access other users data or aid in exploitation to gain further system access.

User input should never be used in constructing paths or files for interacting
with the filesystem. This includes filenames supplied by user uploads or downloads.
If possible, consider hashing user input or replacing it with unique values.
Additionally, use `filepath.Base` to only use the filename and not path information.
Always validate the full path prior to opening or writing to any file.

Example using `filepath.Base`, generating a unique filename without using
user input to construct filepath information:
```
type userData struct {
    id           string
    userFilename string
}

func newUserData(userFilename string) userData {
    return userData{
        id:           randomFileID(), // random id as the filename
        userFilename: userFilename,
    }
}

// randomFileID generates a random id, to be used as a filename
func randomFileID() string {
    id := make([]byte, 16)
    if _, err := io.ReadFull(rand.Reader, id); err != nil {
        log.Fatal(err)
    }
    return hex.EncodeToString(id)
}

func main() {

    // user input, saved only as a reference
    data := newUserData("../../possibly/malicious")

    // restrict all file access to this path
    const basePath = "/tmp/"

    // resolve the full path, but only use our random generated id
    resolvedPath, err := filepath.Join(basePath, filepath.Base(data.id))
    if err != nil {
        log.Fatal(err)
    }

    // verify the path is prefixed with our basePath
    if !strings.HasPrefix(resolvedPath, basePath) {
        log.Fatal("path does not start with basePath")
    }
    // process / work with file
}
```

For more information on path traversal issues see OWASP:
https://owasp.org/www-community/attacks/Path_Traversal

Mitigation

                 
                    
Impact
None
References
Identifier type: semgrep_id
Name: gosec.G304-1
Value: gosec.G304-1

Identifier type: owasp
Name: A01:2021 - Broken Access Control
Value: A01:2021

Identifier type: owasp
Name: A5:2017 - Broken Access Control
Value: A5:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G304
Value: G304