pentaho / pentaho-platform

Pentaho BA Server Core
http://www.pentaho.com

[DEVO-11106] - Fix the CodeQL GHA build for pentaho-platform #5751

Closed. cardosov closed this 1 month ago

hitachivantarasonarqube[bot] commented 1 month ago

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

buildguy commented 1 month ago
[![🚨 Frogbot scanned this pull request and found the below:](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/vulnerabilitiesBannerPR.png)](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)

[🐸 JFrog Frogbot](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)
buildguy commented 1 month ago
`count`

at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java (line 125)

🎯 Static Application Security Testing (SAST) Vulnerability

| Severity | Finding |
| :---: | :---: |
| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png) High | Untrusted input is included in web page content |
Full description
### Overview

XSS, or Cross-Site Scripting, is a type of vulnerability that allows an attacker to inject malicious code into a website or web application. This can allow the attacker to steal sensitive information from users, such as their cookies or login credentials, or to perform unauthorized actions on their behalf.

### Vulnerable example

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class xss_vuln extends HttpServlet {
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    String username = request.getParameter("username");
    // If username exists in the db - do something and write a response
    // if it doesn't exist - the request parameter is echoed into the page unescaped
    response.getWriter().println("Unable to find user " + username);
    response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
  }
}
```

In this example, user-provided data is injected directly into the `response.getWriter().println` command.

### Remediation

```diff
+ import org.owasp.html.HtmlPolicyBuilder;
+ import org.owasp.html.PolicyFactory;
public class xss_safe {
  protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String username = request.getParameter("username");
    //If username exists in the db - do something and write a response
    //if it doesn't exist -
+   PolicyFactory policy = new HtmlPolicyBuilder().toFactory();
+   String htmlResponse = policy.sanitize("Unable to find user " + username);
+   response.getWriter().println(htmlResponse);
-   response.getWriter().println("Unable to find user " + username);
    response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
  }
}
```

Using the `PolicyFactory` library, we escape the user-provided data before it reaches the `response.getWriter().println` command.
Code Flows

Vulnerable data flow analysis result

↘️ `connection.getInputStream()` (at core/src/main/java/org/pentaho/platform/util/web/HttpUtil.java line 145)
↘️ `in` (at core/src/main/java/org/pentaho/platform/util/web/HttpUtil.java line 145)
↘️ `in` (at core/src/main/java/org/pentaho/platform/util/web/HttpUtil.java line 146)
↘️ `HttpUtil.getURLInputStream( getAddress() )` (at core/src/main/java/org/pentaho/platform/engine/services/actionsequence/ActionSequenceResource.java line 360)
↘️ `inputStream` (at core/src/main/java/org/pentaho/platform/engine/services/actionsequence/ActionSequenceResource.java line 360)
↘️ `inputStream` (at core/src/main/java/org/pentaho/platform/engine/services/actionsequence/ActionSequenceResource.java line 372)
↘️ `getInputStream( getAddress(), locale )` (at core/src/main/java/org/pentaho/platform/engine/services/actionsequence/ActionSequenceResource.java line 363)
↘️ `inputStream` (at core/src/main/java/org/pentaho/platform/engine/services/actionsequence/ActionSequenceResource.java line 363)
↘️ `inputStream` (at core/src/main/java/org/pentaho/platform/engine/services/actionsequence/ActionSequenceResource.java line 372)
↘️ `asqr.getInputStream( RepositoryFilePermission.READ, LocaleHelper.getLocale() )` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 96)
↘️ `in` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 96)
↘️ `in` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 124)
↘️ `in.read( buf )` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 124)
↘️ `count` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 124)
↘️ `count` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 125)

Vulnerable data flow analysis result

↘️ `connection.getInputStream()` (at core/src/main/java/org/pentaho/platform/util/web/HttpUtil.java line 145)
↘️ `in` (at core/src/main/java/org/pentaho/platform/util/web/HttpUtil.java line 145)
↘️ `in` (at core/src/main/java/org/pentaho/platform/util/web/HttpUtil.java line 146)
↘️ `HttpUtil.getURLInputStream( getAddress() )` (at core/src/main/java/org/pentaho/platform/engine/services/actionsequence/ActionSequenceResource.java line 360)
↘️ `inputStream` (at core/src/main/java/org/pentaho/platform/engine/services/actionsequence/ActionSequenceResource.java line 360)
↘️ `inputStream` (at core/src/main/java/org/pentaho/platform/engine/services/actionsequence/ActionSequenceResource.java line 372)
↘️ `asqr.getInputStream( RepositoryFilePermission.READ, LocaleHelper.getLocale() )` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 96)
↘️ `in` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 96)
↘️ `in` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 124)
↘️ `in.read( buf )` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 124)
↘️ `count` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 124)
↘️ `count` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 125)

Vulnerable data flow analysis result

↘️ `in.read( buf )` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 124)
↘️ `count` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 124)
↘️ `count` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 125)

buildguy commented 1 month ago
`n`

at extensions/src/main/java/org/pentaho/platform/web/servlet/GetImage.java (line 126)

🎯 Static Application Security Testing (SAST) Vulnerability

| Severity | Finding |
| :---: | :---: |
| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png) High | Untrusted stored value is included in web page content |
Full description
### Overview

XSS, or Cross-Site Scripting, is a type of vulnerability that allows an attacker to inject malicious code into a website or web application. This can allow the attacker to steal sensitive information from users, such as their cookies or login credentials, or to perform unauthorized actions on their behalf.

### Vulnerable example

```java
import java.io.IOException;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class xss_vuln extends HttpServlet {
  private Statement statement; // JDBC statement obtained elsewhere (not shown in the original)

  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    String username;
    // executeQuery returns a ResultSet, so the stored value has to be read out of it
    try (ResultSet rs = statement.executeQuery("SELECT username FROM users")) {
      username = rs.next() ? rs.getString("username") : null;
    } catch (SQLException e) {
      throw new ServletException(e);
    }
    // The stored value is written into the page without escaping
    response.getWriter().println("Unable to find user " + username);
    response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
  }
}
```

In this example, stored data is injected directly into the `response.getWriter().println` command.

### Remediation

```diff
+ import org.owasp.html.HtmlPolicyBuilder;
+ import org.owasp.html.PolicyFactory;
public class xss_safe extends HttpServlet {
  protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String username = statement.executeQuery("SELECT username FROM users");
+   PolicyFactory policy = new HtmlPolicyBuilder().toFactory();
+   String htmlResponse = policy.sanitize("Unable to find user " + username);
+   response.getWriter().println(htmlResponse);
-   response.getWriter().println("Unable to find user " + username);
    response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
  }
}
```

Using the `PolicyFactory` library, we escape the stored data before it reaches the `response.getWriter().println` command.
Code Flows

Vulnerable data flow analysis result

↘️ `in.read( buffer )` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetImage.java line 125)
↘️ `n` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetImage.java line 125)
↘️ `n` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetImage.java line 126)

buildguy commented 1 month ago
`n`

at extensions/src/main/java/org/pentaho/platform/web/servlet/GetImage.java (line 126)

🎯 Static Application Security Testing (SAST) Vulnerability

| Severity | Finding |
| :---: | :---: |
| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png) High | Untrusted input is included in web page content |
Full description
### Overview

XSS, or Cross-Site Scripting, is a type of vulnerability that allows an attacker to inject malicious code into a website or web application. This can allow the attacker to steal sensitive information from users, such as their cookies or login credentials, or to perform unauthorized actions on their behalf.

### Vulnerable example

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class xss_vuln extends HttpServlet {
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    String username = request.getParameter("username");
    // If username exists in the db - do something and write a response
    // if it doesn't exist - the request parameter is echoed into the page unescaped
    response.getWriter().println("Unable to find user " + username);
    response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
  }
}
```

In this example, user-provided data is injected directly into the `response.getWriter().println` command.

### Remediation

```diff
+ import org.owasp.html.HtmlPolicyBuilder;
+ import org.owasp.html.PolicyFactory;
public class xss_safe {
  protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String username = request.getParameter("username");
    //If username exists in the db - do something and write a response
    //if it doesn't exist -
+   PolicyFactory policy = new HtmlPolicyBuilder().toFactory();
+   String htmlResponse = policy.sanitize("Unable to find user " + username);
+   response.getWriter().println(htmlResponse);
-   response.getWriter().println("Unable to find user " + username);
    response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
  }
}
```

Using the `PolicyFactory` library, we escape the user-provided data before it reaches the `response.getWriter().println` command.
Code Flows

Vulnerable data flow analysis result

↘️ `in.read( buffer )` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetImage.java line 125)
↘️ `n` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetImage.java line 125)
↘️ `n` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetImage.java line 126)

buildguy commented 1 month ago
`buf`

at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java (line 125)

🎯 Static Application Security Testing (SAST) Vulnerability

| Severity | Finding |
| :---: | :---: |
| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png) High | Untrusted input is included in web page content |
Full description
### Overview

XSS, or Cross-Site Scripting, is a type of vulnerability that allows an attacker to inject malicious code into a website or web application. This can allow the attacker to steal sensitive information from users, such as their cookies or login credentials, or to perform unauthorized actions on their behalf.

### Vulnerable example

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class xss_vuln extends HttpServlet {
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    String username = request.getParameter("username");
    // If username exists in the db - do something and write a response
    // if it doesn't exist - the request parameter is echoed into the page unescaped
    response.getWriter().println("Unable to find user " + username);
    response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
  }
}
```

In this example, user-provided data is injected directly into the `response.getWriter().println` command.

### Remediation

```diff
+ import org.owasp.html.HtmlPolicyBuilder;
+ import org.owasp.html.PolicyFactory;
public class xss_safe {
  protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String username = request.getParameter("username");
    //If username exists in the db - do something and write a response
    //if it doesn't exist -
+   PolicyFactory policy = new HtmlPolicyBuilder().toFactory();
+   String htmlResponse = policy.sanitize("Unable to find user " + username);
+   response.getWriter().println(htmlResponse);
-   response.getWriter().println("Unable to find user " + username);
    response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
  }
}
```

Using the `PolicyFactory` library, we escape the user-provided data before it reaches the `response.getWriter().println` command.
Code Flows

Vulnerable data flow analysis result

↘️ `connection.getInputStream()` (at core/src/main/java/org/pentaho/platform/util/web/HttpUtil.java line 145)
↘️ `in` (at core/src/main/java/org/pentaho/platform/util/web/HttpUtil.java line 145)
↘️ `in` (at core/src/main/java/org/pentaho/platform/util/web/HttpUtil.java line 146)
↘️ `HttpUtil.getURLInputStream( getAddress() )` (at core/src/main/java/org/pentaho/platform/engine/services/actionsequence/ActionSequenceResource.java line 360)
↘️ `inputStream` (at core/src/main/java/org/pentaho/platform/engine/services/actionsequence/ActionSequenceResource.java line 360)
↘️ `inputStream` (at core/src/main/java/org/pentaho/platform/engine/services/actionsequence/ActionSequenceResource.java line 372)
↘️ `getInputStream( getAddress(), locale )` (at core/src/main/java/org/pentaho/platform/engine/services/actionsequence/ActionSequenceResource.java line 363)
↘️ `inputStream` (at core/src/main/java/org/pentaho/platform/engine/services/actionsequence/ActionSequenceResource.java line 363)
↘️ `inputStream` (at core/src/main/java/org/pentaho/platform/engine/services/actionsequence/ActionSequenceResource.java line 372)
↘️ `asqr.getInputStream( RepositoryFilePermission.READ, LocaleHelper.getLocale() )` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 96)
↘️ `in` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 96)
↘️ `in` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 124)
↘️ `buf` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 124)
↘️ `buf` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 125)

Vulnerable data flow analysis result

↘️ `connection.getInputStream()` (at core/src/main/java/org/pentaho/platform/util/web/HttpUtil.java line 145)
↘️ `in` (at core/src/main/java/org/pentaho/platform/util/web/HttpUtil.java line 145)
↘️ `in` (at core/src/main/java/org/pentaho/platform/util/web/HttpUtil.java line 146)
↘️ `HttpUtil.getURLInputStream( getAddress() )` (at core/src/main/java/org/pentaho/platform/engine/services/actionsequence/ActionSequenceResource.java line 360)
↘️ `inputStream` (at core/src/main/java/org/pentaho/platform/engine/services/actionsequence/ActionSequenceResource.java line 360)
↘️ `inputStream` (at core/src/main/java/org/pentaho/platform/engine/services/actionsequence/ActionSequenceResource.java line 372)
↘️ `asqr.getInputStream( RepositoryFilePermission.READ, LocaleHelper.getLocale() )` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 96)
↘️ `in` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 96)
↘️ `in` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 124)
↘️ `buf` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 124)
↘️ `buf` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 125)

buildguy commented 1 month ago
`response.setHeader( "content-disposition", "attachment;filename=" + resourceName )`

at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java (line 107)

🎯 Static Application Security Testing (SAST) Vulnerability

| Severity | Finding |
| :---: | :---: |
| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableMediumSeverity.png) Medium | Untrusted input included in HTTP header |
Full description
### Overview

HTTP Header Injection is a security vulnerability that arises when an attacker injects malicious content into an HTTP response header generated by a Java application. This injection can occur due to improper input validation or insufficient output encoding. As a result, the attacker might manipulate the headers to execute various attacks, such as Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF), potentially compromising the security and functionality of the application.

### Vulnerable example

```java
import java.io.IOException;
import java.net.URL;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class header_inj_vuln extends HttpServlet {
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    String email = request.getParameter("email");
    // The Host header comes from the client and is used verbatim to build the reset link
    String hostHeader = request.getHeader("HOST");
    String token = generateSecretToken();
    URL resetUrl = new URL("https", hostHeader, "/reset?token=" + token);
    sendResetPassword(email, resetUrl);
  }
  // generateSecretToken() and sendResetPassword() are helpers not shown in the original
}
```

In this example, user-controlled data is injected into the HTTPS response header.

### Remediation

Proper validation and encoding of user input before generating HTTP responses can help mitigate this vulnerability.
Code Flows

Vulnerable data flow analysis result

↘️ `request.getParameter( "resource" )` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 60)
↘️ `resource` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 60)
↘️ `resource` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 86)
↘️ `resourcePath` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 86)
↘️ `resourcePath` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 103)
↘️ `resourceName` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 103)
↘️ `resourceName` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 107)
↘️ `"attachment;filename=" + resourceName` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 107)
↘️ `response.setHeader( "content-disposition", "attachment;filename=" + resourceName )` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 107)

Vulnerable data flow analysis result

↘️ `request.getParameter( "resource" )` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 60)
↘️ `resource` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 60)
↘️ `resource` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 86)
↘️ `resourcePath` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 86)
↘️ `resourcePath` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 105)
↘️ `resourcePath.substring( resourcePath.lastIndexOf( "/" ) + 1 )` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 105)
↘️ `resourceName` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 105)
↘️ `resourceName` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 107)
↘️ `"attachment;filename=" + resourceName` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 107)
↘️ `response.setHeader( "content-disposition", "attachment;filename=" + resourceName )` (at extensions/src/main/java/org/pentaho/platform/web/servlet/GetResource.java line 107)

buildguy commented 1 month ago
`response.sendRedirect( getErrorURL() )`

at extensions/src/main/java/org/pentaho/platform/web/servlet/ProxyServlet.java (line 170)

🎯 Static Application Security Testing (SAST) Vulnerability

| Severity | Finding |
| :---: | :---: |
| ![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableLowSeverity.png) Low | Using untrusted URLs in HTTP redirect |
Full description
### Overview

An open redirect is a type of vulnerability that occurs when a web application or website redirects a user to an arbitrary URL, without properly validating the destination URL. This can allow an attacker to redirect a user to a malicious website via a trusted website, potentially tricking the user into providing sensitive information or downloading malware.

### Vulnerable example

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class open_redirect_vuln extends HttpServlet {
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    // The redirect target is taken straight from the request and never validated
    String url = request.getParameter("url");
    response.sendRedirect(url);
  }
}
```

In this example, a request parameter is incorporated without validation into a URL redirect.

### Remediation

```diff
public class open_redirect_safe {
  protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String url = request.getParameter("url");
-   response.sendRedirect(url);
+   if (url.equals(protocol + "://" + hostname + "/login")) {
+     response.sendRedirect(url);
+   }
  }
}
```

Here we make sure that the redirection is limited to a URL that starts with a known prefix and ends with a known suffix, which prevents an attacker from redirecting outside of our network.
Code Flows

Vulnerable data flow analysis result

↘️ `servletConfig.getInitParameter( "ErrorURL" )` (at extensions/src/main/java/org/pentaho/platform/web/servlet/ProxyServlet.java line 142)
↘️ `errorURL` (at extensions/src/main/java/org/pentaho/platform/web/servlet/ProxyServlet.java line 142)
↘️ `errorURL` (at extensions/src/main/java/org/pentaho/platform/web/servlet/ProxyServlet.java line 151)
↘️ `getErrorURL()` (at extensions/src/main/java/org/pentaho/platform/web/servlet/ProxyServlet.java line 170)
↘️ `response.sendRedirect( getErrorURL() )` (at extensions/src/main/java/org/pentaho/platform/web/servlet/ProxyServlet.java line 170)

buildguy commented 1 month ago

:x: Build failed in 1h 16m 9s

Build command:

```sh
mvn clean verify -B -e -Daudit -Djs.no.sandbox
```

:ok_hand: All tests passed!

Tests run: 2724, Failures: 0, Skipped: 5 (Test Results)

:information_source: This is an automatic message