Bundle publish-over-ssh plugin.

nuclearsandwich commented 2 years ago

This PR is stacked on top of #105 and should be rebased once that PR merges.

This plugin has been delisted citing unresolved security issues1.

Stored XSS vulnerability requiring Overall/Administer permissions. CVE-2022-23110
CSRF vulnerability. CVE-2022-23111
Missing permission check allowing connection tests to be performed using only Overall/Read permissions. CVE-2022-23112
Path traversal vulnerability requiring Item/Configure permissions. CVE-2022-23113
Password stored in plain text by Publish Over SSH Plugin. CVE-2022-23114

Many of these problems require administrator permissions to leverage but some of them are exploitable without. To mitigate this issue 330d9c666a7a53fca50f88acd4df8e33e7269a29 blocks these requests at the nginx reverse proxy layer.

v-lopez commented 2 years ago

Tested this on our private farm and worked great, although our plugin was already manually installed.

nuclearsandwich commented 2 years ago

Merging in order to deploy to test farm.

ros-infrastructure / cookbook-ros-buildfarm

Bundle publish-over-ssh plugin. #106