search

Nullify-Platform / Logger

Nullify logging library for backend services
https://github.com/Nullify-Platform
0 stars 0 forks source link

Vulnerabilities Dashboard - Code #49

Open nullify-latest[bot] opened 9 months ago

nullify-latest[bot] commented 9 months ago

Severity Threshold: πŸ”΅ MEDIUM

2 Potential vulnerability sources found within this repo

πŸ”΄ CRITICAL 🟑 HIGH πŸ”΅ MEDIUM βšͺ LOW
0 2 0 0

ID: 01JCW1AC4QXVB2CDG5YK50VNY7 Language: Containerfile Severity: 🟑 HIGH AVD-DS-0002

Image user should not be 'root'

Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. Read more: https://avd.aquasec.com/misconfig/ds002 https://github.com/Nullify-Platform/Logger/blob/8de36dde4e2a07590132793894c1a0a5e6f37add/Dockerfile#L1 # ID: 01JCW1AC4QXVB2CDG5YQ4KYFR0 Language: Go Severity: 🟑 HIGH CWE-918

Server-Side Request Forgery (SSRF)

Server-Side-Request-Forgery (SSRF) exploits backend systems that initiate requests to third parties. If user input is used in constructing or sending these requests, an attacker could supply malicious data to force the request to other systems or modify request data to cause unwanted actions.

Ensure user input is not used directly in constructing URLs or URIs when initiating requests to third party systems from back end systems. Care must also be taken when constructing payloads using user input. Where possible restrict to known URIs or payloads. Consider using a server side map where key's are used to return URLs such as https://site/goto?key=1 where {key: 1, url: 'http://some.url/', key: 2, url: 'http://...'}.

If you must use user supplied input for requesting URLs, it is strongly recommended that the HTTP client chosen allows you to customize and block certain IP ranges at the network level. By blocking RFC 1918 addresses or other network address ranges, you can limit the severity of a successful SSRF attack. Care must also be taken to block certain protocol or address formatting such as IPv6.

If you can not block address ranges at the client level, you may want to run the HTTP client as a protected user, or in a protected network where you can apply IP Table or firewall rules to block access to dangerous addresses. Finally, if none of the above protections are available, you could also run a custom HTTP proxy and force all requests through it to handle blocking dangerous addresses.

Example HTTP client that disallows access to loopback and RFC-1918 addresses

// IsDisallowedIP parses the ip to determine if we should allow the HTTP client to continue
func IsDisallowedIP(hostIP string) bool {
  ip := net.ParseIP(hostIP)
  return ip.IsMulticast() || ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate()
}

// SafeTransport uses the net.Dial to connect, then if successful check if the resolved
// ip address is disallowed. We do this due to hosts such as localhost.lol being resolvable to
// potentially malicious URLs. We allow connection only for resolution purposes.
func SafeTransport(timeout time.Duration) *http.Transport {
  return &http.Transport{
    DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
      c, err := net.DialTimeout(network, addr, timeout)
      if err != nil {
        return nil, err
      }
      ip, _, _ := net.SplitHostPort(c.RemoteAddr().String())
      if IsDisallowedIP(ip) {
        return nil, errors.New("ip address is not allowed")
      }
      return c, err
    },
    DialTLS: func(network, addr string) (net.Conn, error) {
      dialer := &net.Dialer{Timeout: timeout}
      c, err := tls.DialWithDialer(dialer, network, addr, &tls.Config{})
      if err != nil {
        return nil, err
      }

      ip, _, _ := net.SplitHostPort(c.RemoteAddr().String())
      if IsDisallowedIP(ip) {
        return nil, errors.New("ip address is not allowed")
      }

      err = c.Handshake()
      if err != nil {
        return c, err
      }

      return c, c.Handshake()
    },
    TLSHandshakeTimeout: timeout,
  }
}

func httpRequest(requestUrl string) {
  const clientConnectTimeout = time.Second * 10
  httpClient := &http.Client{
    Transport: SafeTransport(clientConnectTimeout),
  }
  resp, err := httpClient.Get(requestUrl)
  if err != nil {
    log.Fatal(err)
  }
  defer resp.Body.Close()
  // work with resp
}

For more information on SSRF see OWASP: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery

Read more: https://cwe.mitre.org/data/definitions/918.html https://github.com/Nullify-Platform/Logger/blob/8de36dde4e2a07590132793894c1a0a5e6f37add/pkg/logger/configure.go#L231

Reply with /nullify to interact with me like another developer

nullify-latest[bot] commented 6 months ago

New code security updates for commit 0fe645c41046dc129e5a8aaf6702455ec3c1adc8

New Fixed Allowlisted Unallowlisted
1 1 0 0
See Details ### New Findings | ID | Title | File | Line | CWE | |-|-|-|-|-| | 01HX5X8CFEZ31N39AP9C2V9W1J | Image user should not be 'root' | Dockerfile | 1 | 0 | ### New Fixed Findings | ID | Title | File | Line | CWE | |-|-|-|-|-| | 01HVMYPQVGSZ9VRV0EQFJA61B3 | Image user should not be 'root' | Dockerfile | 1 | 0 |
nullify-latest[bot] commented 6 months ago

New code security updates for commit 0e491289a0914a9225060c6f77bf06e5f9db41e3

New Fixed Allowlisted Unallowlisted
1 1 0 0
See Details ### New Findings | ID | Title | File | Line | CWE | |-|-|-|-|-| | 01HXQYMRM3PYSANAKAEEX4YNP9 | Image user should not be 'root' | Dockerfile | 1 | 0 | ### New Fixed Findings | ID | Title | File | Line | CWE | |-|-|-|-|-| | 01HX5X8CFEZ31N39AP9C2V9W1J | Image user should not be 'root' | Dockerfile | 1 | 0 |
nullify-latest[bot] commented 6 months ago

New code security updates for commit 13f8ddfa7296f3761a2802a331d8712453a9d1d3

New Fixed Allowlisted Unallowlisted
1 1 0 0
See Details ### New Findings | ID | Title | File | Line | CWE | |-|-|-|-|-| | 01HY9P6KC8CYTZB4DHT09Q20VH | Image user should not be 'root' | Dockerfile | 1 | 0 | ### New Fixed Findings | ID | Title | File | Line | CWE | |-|-|-|-|-| | 01HXQYMRM3PYSANAKAEEX4YNP9 | Image user should not be 'root' | Dockerfile | 1 | 0 |
nullify-latest[bot] commented 5 months ago

New code security updates for commit 632af004afefd7132f7f4017e31210d66196eaa8

New Fixed Allowlisted Unallowlisted
1 1 0 0
See Details ### New Findings | ID | Title | File | Line | CWE | |-|-|-|-|-| | 01HZ1HW9T58ST9SBXWAQS3MY1G | Image user should not be 'root' | Dockerfile | 1 | 0 | ### New Fixed Findings | ID | Title | File | Line | CWE | |-|-|-|-|-| | 01HY9P6KC8CYTZB4DHT09Q20VH | Image user should not be 'root' | Dockerfile | 1 | 0 |
nullify-latest[bot] commented 5 months ago

New code security updates for commit e65587b322f378a8598a0bc49e76f4ed07695a58

New Fixed Allowlisted Unallowlisted
1 1 0 0
See Details ### New Findings | ID | Title | File | Line | CWE | |-|-|-|-|-| | 01HZZSVBJSK6KW356CXSA9DF49 | Image user should not be 'root' | Dockerfile | 1 | 0 | ### New Fixed Findings | ID | Title | File | Line | CWE | |-|-|-|-|-| | 01HZ1HW9T58ST9SBXWAQS3MY1G | Image user should not be 'root' | Dockerfile | 1 | 0 |