vmware-archive / projectmonitor

Big Visible Chart CI aggregator
http://ci.pivotallabs.com
BSD 2-Clause "Simplified" License
428 stars 120 forks

Security Vulnerabilities #127

Open steven-solomon opened 6 years ago

steven-solomon commented 6 years ago

I ran a Brakeman scan. The result of the scan is below.

I want to assist in moving toward security scans being a part of Project Monitor's CI pipeline once the issues have been resolved.

== Warning Types ==

Command Injection: 5
Cross-Site Request Forgery: 1
Cross-Site Scripting: 1
Remote Code Execution: 3
SQL Injection: 3
Session Setting: 1

== Warnings ==

Confidence: High
Category: Cross-Site Scripting
Check: ContentTag
Message: Rails 4.2.7 content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to 4.2.7.1
File: Gemfile.lock
Line: 290

Confidence: High
Category: Remote Code Execution
Check: UnsafeReflection
Message: Unsafe reflection method constantize called with parameter value
Code: params[:project][:type].constantize
File: app/controllers/projects_controller.rb
Line: 81

Confidence: High
Category: Remote Code Execution
Check: UnsafeReflection
Message: Unsafe reflection method constantize called with parameter value
Code: params[:project][:type].constantize
File: app/controllers/projects_controller.rb
Line: 52

Confidence: High
Category: Remote Code Execution
Check: UnsafeReflection
Message: Unsafe reflection method constantize called with parameter value
Code: params[:project][:type].constantize
File: app/controllers/projects_controller.rb
Line: 28

Confidence: High
Category: SQL Injection
Check: SQLCVEs
Message: Rails 4.2.7 contains a SQL injection vulnerability (CVE-2016-6317). Upgrade to 4.2.7.1
File: Gemfile.lock
Line: 290

Confidence: High
Category: Session Setting
Check: SessionSettings
Message: Session secret should not be included in version control
File: config/initializers/secret_token.rb
Line: 7

Confidence: Medium
Category: Command Injection
Check: Execute
Message: Possible command injection
Code: cf auth #{username} #{password}
File: lib/cf_authenticator.rb
Line: 7

Confidence: Medium
Category: Command Injection
Check: Execute
Message: Possible command injection
Code: cf push #{env}
File: lib/cf_deploy.rb
Line: 70

Confidence: Medium
Category: Command Injection
Check: Execute
Message: Possible command injection
Code: git tag #{tag} #{commit_sha} -m "#{message}"
File: lib/cf_git_tagger.rb
Line: 5

Confidence: Medium
Category: Command Injection
Check: Execute
Message: Possible command injection
Code: cf t -o #{org} -s #{space}
File: lib/cf_authenticator.rb
Line: 16

Confidence: Medium
Category: Command Injection
Check: Execute
Message: Possible command injection
Code: git push origin #{tag}
File: lib/cf_git_tagger.rb
Line: 6

Confidence: Medium
Category: Cross-Site Request Forgery
Check: ForgerySetting
Message: protect_from_forgery should be configured with 'with: :exception'
File: app/controllers/application_controller.rb

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: joins("INNER JOIN (#{" SELECT id,\n (CASE project_statuses.project_id\n WHEN @curType\n THEN @curRow := @curRow + 1\n ELSE @curRow := 1 AND @curType := project_statuses.project_id END\n ) AS rank\n FROM project_statuses,\n (SELECT @curRow := 0, @curType := '') r\n ORDER BY project_statuses.published_at desc, project_statuses.build_id desc\n".strip_heredoc}) rankings ON rankings.id = project_statuses.id")
File: app/models/project_status.rb
Line: 20

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: joins("INNER JOIN (#{" SELECT id,\n (CASE payload_log_entries.project_id\n WHEN @curType\n THEN @curRow := @curRow + 1\n ELSE @curRow := 1 AND @curType := payload_log_entries.project_id END\n ) AS rank\n FROM payload_log_entries,\n (SELECT @curRow := 0, @curType := '') r\n ORDER BY payload_log_entries.created_at desc\n".strip_heredoc}) rankings ON rankings.id = payload_log_entries.id")
File: app/models/payload_log_entry.rb
Line: 20
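
The five Command Injection findings above all share one shape: a shell command built by string interpolation. The following is an added example, not code from projectmonitor or from the commenter, showing why that shape is exploitable and the argv form that removes the shell from the picture. `echo` stands in for the `cf` binary so the file runs without the CF CLI, the username payload is constructed, and the `positional` helper and the `*_argv` functions are hypothetical names chosen for this illustration.

```ruby
require 'open3'

# Constructed inputs: a username that carries a shell metacharacter, as anyone
# who can influence the credentials handed to the deploy scripts could supply.
PAYLOAD_USERNAME = 'alice; echo INJECTED'.freeze
PASSWORD = 's3cret'.freeze

# Vulnerable shape (the pattern Brakeman flagged in lib/cf_authenticator.rb):
# the command is one interpolated string, so Ruby hands it to /bin/sh and the
# ';' inside the username terminates the command and starts a second one.
# `echo` stands in for the cf CLI here.
def vulnerable_auth(username, password)
  out, _status = Open3.capture2e("echo auth #{username} #{password}")
  out
end

# Hardened shape: argv form, one array element per argument. No shell is
# spawned, so the payload reaches the program as a single literal argument.
def safe_auth(username, password)
  out, _status = Open3.capture2e('echo', 'auth', username, password)
  out
end

# Argv form stops shell injection but not option injection: a tag named
# "--force" would still be parsed by git as a flag. Refuse option-like values
# in positional slots; values that follow their own flag (-m) need no check.
def positional(value)
  raise ArgumentError, "refusing option-like argument #{value.inspect}" if value.start_with?('-')
  value
end

# Argv for the `git tag #{tag} #{commit_sha} -m "#{message}"` call flagged in
# lib/cf_git_tagger.rb, built but not executed. Run it with
# Open3.capture2e(*git_tag_argv(...)) or system(*git_tag_argv(...)).
def git_tag_argv(tag, commit_sha, message)
  ['git', 'tag', positional(tag), positional(commit_sha), '-m', message]
end

# Argv for the `git push origin #{tag}` call from the same file.
def git_push_argv(tag)
  ['git', 'push', 'origin', positional(tag)]
end
```

The same array form applies to `cf push`, `cf t -o ... -s ...` and `git push`: every interpolated value becomes its own element, and `system`, `spawn` or the `Open3` helpers then call the program directly with no `/bin/sh` in between.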

steven-solomon commented 6 years ago

I'm considering implementing a factory method to construct the appropriate type of project in order to fix the constantize issues
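
One way such a factory can look, as an added example that is neither projectmonitor's code nor the commenter's proposal in detail: the type name from the request is used only as a lookup key into an allowlist of project classes, never resolved as a constant. The class names below are hypothetical stand-ins for whatever project-meta.yml lists, and `Object.const_get` stands in for ActiveSupport's `constantize` so the file runs without Rails.

```ruby
# Hypothetical project classes; the real application would populate the
# allowlist from project-meta.yml rather than hard-code it.
class Project
  attr_reader :name

  def initialize(name)
    @name = name
  end
end

class JenkinsProject < Project; end
class TravisProject < Project; end

class UnknownProjectType < ArgumentError; end

# The only classes a request is allowed to instantiate.
PROJECT_TYPES = {
  'JenkinsProject' => JenkinsProject,
  'TravisProject'  => TravisProject,
}.freeze

# Vulnerable shape (the params[:project][:type].constantize finding): whatever
# constant name the client sends is resolved, so "Kernel" or "File" come back
# just as readily as a project class, and whatever is called on the result
# runs against that arbitrary class.
def vulnerable_project_class(type_param)
  Object.const_get(type_param)
end

# Factory: look the name up in the allowlist instead of resolving it, and
# reject anything else before .new is ever reached. The error carries the
# rejected value so a bad request is easy to spot in logs.
def build_project(params)
  type = params[:type].to_s
  klass = PROJECT_TYPES.fetch(type) do
    raise UnknownProjectType, "unsupported project type #{type.inspect}"
  end
  klass.new(params[:name].to_s)
end
```

In a controller the factory would be called with the permitted params and `UnknownProjectType` rescued to a 4xx response; the important property is that the set of reachable classes is fixed by the application, not by the request.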

steven-solomon commented 6 years ago

Tasks:

steven-solomon commented 6 years ago

One interesting thing I noticed. Due to the fact that the supported project types are loaded from project-meta.yml, there seems to be the ability to configure which CIs are supported. Is that a feature or a consequence of the implementation?