

🔒 Prevent second-order command injection (CWE-88, CWE-78)
tiulpin committed Apr 23, 2024
1 parent 5240dc8 commit 3925fa7
Showing 4 changed files with 35 additions and 3 deletions.
12 changes: 12 additions & 0 deletions common/qodana.ts
@@ -250,3 +250,15 @@ export function getQodanaSha256MismatchMessage(
): string {
return `Downloaded Qodana CLI binary is corrupted. Expected SHA-256 checksum: ${expected}, actual checksum: ${actual}`
}

/**
* Validates the given branch name.
* @param branchName the branch name to sanitize.
*/
export function validateBranchName(branchName: string): string {
const validBranchNameRegex = /^[a-zA-Z0-9/\-_]+$/;
if (!validBranchNameRegex.test(branchName)) {
throw new Error("Invalid branch name: not allowed characters are used:" + branchName);
}
return branchName;
}
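Review bot: The allowlist in validateBranchName rejects legitimate branch names while still permitting a leading dash: `.` is not in the character class, so a branch such as `release/1.2` makes the function throw, whereas `-` is accepted in any position, and a ref argument beginning with `-` is exactly what git refuses for branch names and what CWE-88 is about. A tighter one-line replacement is `const validBranchNameRegex = /^(?!-)(?!.*\.\.)[A-Za-z0-9._\/-]+$/;`, which admits dots, forbids a leading dash and the `..` sequence, and still excludes whitespace, shell metacharacters and `~^:?*[\`. The TSDoc should also state that the function returns its input unchanged and `@throws Error` when a character outside the allowlist is present, since callers rely on the exception rather than on the return value; "sanitize" in the `@param` line is misleading because nothing is modified. The error message is also missing a space after the colon: `"Invalid branch name: not allowed characters are used: " + branchName`.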
12 changes: 11 additions & 1 deletion scan/dist/index.js
@@ -24318,7 +24318,8 @@ __export(qodana_exports, {
getQodanaUrl: () => getQodanaUrl,
isExecutionSuccessful: () => isExecutionSuccessful,
isNativeMode: () => isNativeMode,
sha256sum: () => sha256sum
sha256sum: () => sha256sum,
validateBranchName: () => validateBranchName
});
function getQodanaSha256(arch, platform) {
switch (`${platform}_${arch}`) {
@@ -24432,6 +24433,13 @@ function sha256sum(file) {
function getQodanaSha256MismatchMessage(expected, actual) {
return `Downloaded Qodana CLI binary is corrupted. Expected SHA-256 checksum: ${expected}, actual checksum: ${actual}`;
}
function validateBranchName(branchName) {
const validBranchNameRegex = /^[a-zA-Z0-9/\-_]+$/;
if (!validBranchNameRegex.test(branchName)) {
throw new Error("Invalid branch name: not allowed characters are used:" + branchName);
}
return branchName;
}
var import_crypto4, import_fs, SUPPORTED_PLATFORMS, SUPPORTED_ARCHS, FAIL_THRESHOLD_OUTPUT, QODANA_SARIF_NAME, QODANA_SHORT_SARIF_NAME, QODANA_REPORT_URL_NAME, QODANA_OPEN_IN_IDE_NAME, QODANA_LICENSES_MD, QODANA_LICENSES_JSON, EXECUTABLE, VERSION, COVERAGE_THRESHOLD, QodanaExitCode, NONE, BRANCH, PULL_REQUEST;
var init_qodana = __esm({
"../common/qodana.ts"() {
@@ -24471,6 +24479,7 @@ var init_qodana = __esm({
__name(getCoverageFromSarif, "getCoverageFromSarif");
__name(sha256sum, "sha256sum");
__name(getQodanaSha256MismatchMessage, "getQodanaSha256MismatchMessage");
__name(validateBranchName, "validateBranchName");
}
});

@@ -118519,6 +118528,7 @@ var require_utils8 = __commonJS({
if (((_a = c.payload.pull_request) === null || _a === void 0 ? void 0 : _a.head.ref) !== void 0) {
currentBranch = c.payload.pull_request.head.ref;
}
currentBranch = (0, qodana_12.validateBranchName)(currentBranch);
yield git(["config", "user.name", output_12.COMMIT_USER]);
yield git(["config", "user.email", output_12.COMMIT_EMAIL]);
yield git(["add", "."]);
4 changes: 3 additions & 1 deletion scan/src/utils.ts
@@ -23,7 +23,8 @@ import {
NONE,
PULL_REQUEST,
BRANCH,
isNativeMode
isNativeMode,
validateBranchName
} from '../../common/qodana'
import path from 'path'
import * as fs from 'fs'
@@ -110,6 +111,7 @@ export async function pushQuickFixes(
if (c.payload.pull_request?.head.ref !== undefined) {
currentBranch = c.payload.pull_request.head.ref
}
currentBranch = validateBranchName(currentBranch)
await git(['config', 'user.name', COMMIT_USER])
await git(['config', 'user.email', COMMIT_EMAIL])
await git(['add', '.'])
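Review bot: The new call `currentBranch = validateBranchName(currentBranch)` throws for any branch outside the allowlist, and nothing in this hunk catches it, so a pull request from a branch with a dot in its name (for example `release/1.2`, which the current allowlist rejects) now makes pushQuickFixes fail outright rather than skipping the push; pushQuickFixes begins and ends outside the hunk, so whether a caller handles the exception cannot be seen here. Placing the check immediately after `pull_request.head.ref` is read is the right spot, since a fork's author chooses that value. Where currentBranch is later handed to git as a ref (not visible in this hunk), passing it after `--` or as an explicit `refs/heads/` ref would make the push safe independently of the allowlist's exact contents.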
10 changes: 9 additions & 1 deletion vsts/QodanaScan/index.js
@@ -79,7 +79,8 @@ __export(qodana_exports, {
getQodanaUrl: () => getQodanaUrl,
isExecutionSuccessful: () => isExecutionSuccessful,
isNativeMode: () => isNativeMode,
sha256sum: () => sha256sum
sha256sum: () => sha256sum,
validateBranchName: () => validateBranchName
});
function getQodanaSha256(arch, platform) {
switch (`${platform}_${arch}`) {
@@ -193,6 +194,13 @@ function sha256sum(file) {
function getQodanaSha256MismatchMessage(expected, actual) {
return `Downloaded Qodana CLI binary is corrupted. Expected SHA-256 checksum: ${expected}, actual checksum: ${actual}`;
}
function validateBranchName(branchName) {
const validBranchNameRegex = /^[a-zA-Z0-9/\-_]+$/;
if (!validBranchNameRegex.test(branchName)) {
throw new Error("Invalid branch name: not allowed characters are used:" + branchName);
}
return branchName;
}
var import_crypto, import_fs, SUPPORTED_PLATFORMS, SUPPORTED_ARCHS, FAIL_THRESHOLD_OUTPUT, QODANA_SARIF_NAME, QODANA_SHORT_SARIF_NAME, QODANA_REPORT_URL_NAME, QODANA_OPEN_IN_IDE_NAME, QODANA_LICENSES_MD, QODANA_LICENSES_JSON, EXECUTABLE, VERSION, COVERAGE_THRESHOLD, QodanaExitCode, NONE, BRANCH, PULL_REQUEST;
var init_qodana = __esm({
"../common/qodana.ts"() {
