onlaj / Piano-LED-Visualizer

Piano LED Visualizer: Connect an LED strip to your Raspberry Pi and create an immersive visual experience for your piano playing
MIT License
513 stars 111 forks

Fix Path Traversal Vulnerability #351

Closed. porcupineyhairs closed this 2 years ago

porcupineyhairs commented 2 years ago

Fixes #350

onlaj commented 2 years ago

Thank you for your contribution and the detailed explanation of the vulnerability. Although the application should only run on a local network and should not be vulnerable to attacks, it is indeed a dangerous bug and should be patched.

I checked your pull request and it seems to work as expected, but PyCharm returns me a warning: 'flask.helpers.safe_join' is deprecated and will be removed in Flask 2.1. Use 'werkzeug.utils.safe_join' instead.

I assume that adding import werkzeug and then changing safe_join to werkzeug.utils.safe_join should be enough to make it more future-proof.
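
The swap discussed above (a raw os.path.join on a client-supplied filename replaced by a safe_join that refuses to leave the base directory) as an added example, not code from this pull request or from the Piano-LED-Visualizer project. The safe_join below is a stdlib reimplementation of the policy werkzeug.utils.safe_join applies (normalise each component, then reject absolute paths, "..", anything starting with "../", and alternate separators), written here so it runs without Werkzeug installed; the base directory /srv/midi and the request names are constructed for the demo.

```python
import os
import posixpath

# Separators other than "/" that the host OS would honour (empty on POSIX,
# contains "\\" on Windows). Mirrors what Werkzeug checks; assumption, not its code.
_OS_ALT_SEPS = [sep for sep in (os.sep, os.path.altsep) if sep not in (None, "/")]


def vulnerable_join(base_dir: str, user_path: str) -> str:
    """The 'before' pattern: os.path.join trusts the request.

    ".." components are kept, and an absolute user_path discards base_dir
    entirely, so the result can point anywhere on the filesystem.
    """
    return os.path.join(base_dir, user_path)


def safe_join(base_dir: str, *pathnames: str):
    """Join untrusted components under base_dir; return None if they escape it.

    Stdlib reimplementation of the werkzeug.utils.safe_join policy (assumption).
    """
    parts = [base_dir or "."]
    for filename in pathnames:
        if filename != "":
            # Collapse "a/../b" style components before inspecting them.
            filename = posixpath.normpath(filename)
        if (
            any(sep in filename for sep in _OS_ALT_SEPS)
            or os.path.isabs(filename)
            or filename == ".."
            or filename.startswith("../")
        ):
            return None
        parts.append(filename)
    return posixpath.join(*parts)


def resolve_download(base_dir: str, requested: str):
    """Hardened handler core: map a requested name to a path or refuse it.

    Returns the resolved path, or None when the request must be rejected
    (a Flask view would turn None into a 404 / abort()).
    """
    return safe_join(base_dir, requested)


if __name__ == "__main__":
    base = "/srv/midi"  # constructed base directory for the demo
    for name in ("song.mid", "sub/../song.mid", "../../etc/passwd", "/etc/passwd", ".."):
        print(f"{name!r:22} vulnerable -> {vulnerable_join(base, name)!s:22} "
              f"hardened -> {resolve_download(base, name)}")
```

On Linux the vulnerable column shows "/etc/passwd" for the absolute request (os.path.join drops the base directory when the second argument is absolute), while the hardened column returns None for every traversal attempt and normalises "sub/../song.mid" to a path still inside the base directory.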

porcupineyhairs commented 2 years ago

@onlaj Changes done! Can you please request a GHSA advisory for this?

onlaj commented 2 years ago

Sure, I can do it. Should I copy into the description what you wrote in the https://github.com/onlaj/Piano-LED-Visualizer/issues/350?

porcupineyhairs commented 2 years ago

@onlaj Yes, please do. #350 should cover most of what you require

onlaj commented 2 years ago

Two more questions if you don't mind. What is the purpose of creating a security advisory in that case? What should I put in the "ecosystem" tab?

porcupineyhairs commented 2 years ago

@onlaj Ecosystem means the primary language ecosystem to which the project belongs. In this case, since the bug is in Python code, you may select pip.

As for severity, please select "Assess severity using CVSS". Then please paste the following CVSS vector in the input: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

For CWE, please put CWE-073. In the CVE field, select "Request CVE ID later". GitHub will go through the submission and issue a CVE. You can use this CVE ID to notify downstream users of the vulnerability and the fix.

onlaj commented 2 years ago

I made a draft and added you as a collaborator, but I still don't fully understand what it is for. I can press "Request CVE" and it says: Once requested, GitHub will review this advisory in order to assign a CVE. If I understand it correctly, they will use it to notify other users about that vulnerability if it is found in their repositories, right?

porcupineyhairs commented 2 years ago

@onlaj I have made a bunch of changes to the draft advisory. PTAL.

A CVE ID is used to identify a security vulnerability in a product. By issuing a CVE you allow the users of your software to be notified about a security vulnerability. If this software is used by other downstream libraries, a CVE would nudge them to upgrade to the patched version. Also, sometimes GitHub may even create a Dependabot alert for users to auto-patch the bug.

onlaj commented 2 years ago

Ok, I understand now. Should I "Request CVE" or "Publish advisory"?

porcupineyhairs commented 2 years ago

@onlaj I don't know. You should be doing both. I think "Request CVE" would automatically publish the advisory, so try that.