Skip to content

Commit

Permalink
Merge remote-tracking branch 'origin/main' into mangoiv/hsec-cabal
Browse files Browse the repository at this point in the history
  • Loading branch information
MangoIV committed Mar 17, 2024
2 parents 2de40ce + 5543e3b commit 6f724c9
Show file tree
Hide file tree
Showing 19 changed files with 300 additions and 75 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/call-check-advisories.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ jobs:
runs-on: ubuntu-20.04
needs: populate_cache
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
path: source
# We need to retrieve full history to determine the correct
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/call-nix.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ jobs:
runs-on: ubuntu-22.04
steps:
- name: git checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@main
with:
Expand All @@ -29,12 +29,12 @@ jobs:
code_hash=$(git rev-parse HEAD:code)
echo "code-hash=$code_hash" >> "$GITHUB_OUTPUT"
- uses: actions/cache/save@v3
if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
with:
key: hsec-tools-${{ steps.code-hash.outputs.code-hash}}
path: ~/.local/dockerImages
- name: upload executable
uses: actions/upload-artifact@v3
if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
with:
name: hsec-tools-${{ github.sha }}
path: ~/.local/dockerImages
6 changes: 3 additions & 3 deletions .github/workflows/check-advisories.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ jobs:
should_skip: ${{ steps.skip_check.outputs.should_skip }}
steps:
- id: skip_check
uses: fkirc/[email protected].0
uses: fkirc/[email protected].1
with:
concurrent_skipping: "never"
skip_after_successful_duplicate: "true"
Expand All @@ -23,7 +23,7 @@ jobs:
changed_files: ${{ steps.process-changed-files.outputs.out }}
steps:
- id: skip_check
uses: fkirc/[email protected].0
uses: fkirc/[email protected].1
with:
concurrent_skipping: "never"
skip_after_successful_duplicate: "true"
Expand All @@ -45,7 +45,7 @@ jobs:
code_hash: ${{ steps.code-hash.outputs.code-hash }}
steps:
- name: git checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
- id: code-hash
run: |
code_hash=$(git rev-parse HEAD:code)
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/haskell-ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ jobs:
should_skip: ${{ steps.skip_check.outputs.should_skip }}
steps:
- id: skip_check
uses: fkirc/[email protected].0
uses: fkirc/[email protected].1
with:
concurrent_skipping: "never"
skip_after_successful_duplicate: "true"
Expand Down Expand Up @@ -175,7 +175,7 @@ jobs:
key: ${{ runner.os }}-${{ matrix.compiler }}-tools-d8b62173
path: ~/.haskell-ci-tools
- name: checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
path: source
- name: initial cabal.project for sdist
Expand Down
15 changes: 7 additions & 8 deletions .github/workflows/nix.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ jobs:
should_skip: ${{ steps.skip_check.outputs.should_skip }}
steps:
- id: skip_check
uses: fkirc/[email protected].0
uses: fkirc/[email protected].1
with:
concurrent_skipping: "never"
skip_after_successful_duplicate: "true"
Expand Down Expand Up @@ -56,10 +56,9 @@ jobs:
cp generatedWebsite/by-dates.html generatedWebsite/index.html
rm -Rf generatedWebsite/advisories || echo "Markdown links issue has been fixed"
- name: Deploy
uses: s0/git-publish-subdir-action@develop
env:
REPO: self
BRANCH: generated/gh-pages
FOLDER: generatedWebsite
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SQUASH_HISTORY: true
uses: peaceiris/actions-gh-pages@v3
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./generatedWebsite
publish_branch: generated/gh-pages
force_orphan: true
1 change: 1 addition & 0 deletions advisories/hackage/bz2/HSEC-2024-0002.md
1 change: 1 addition & 0 deletions advisories/hackage/bzlib-conduit/HSEC-2024-0002.md
61 changes: 61 additions & 0 deletions advisories/hackage/bzlib/HSEC-2024-0002.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
```toml
[advisory]
id = "HSEC-2024-0002"
cwe = [787]
keywords = ["corruption", "vendored-code", "language-c"]
aliases = ["CVE-2019-12900"]

[[references]]
type = "DISCUSSION"
url = "https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/"

[[references]]
type = "DISCUSSION"
url = "http://scary.beasts.org/security/CESA-2008-005.html"

[[references]]
type = "ADVISORY"
url = "https://access.redhat.com/security/cve/cve-2019-12900"

[[references]]
type = "FIX"
url = "https://sourceware.org/git/?p=bzip2.git;a=commit;h=7ed62bfb46e87a9e878712603469440e6882b184"

[[affected]]
package = "bzlib"
cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"

[[affected.versions]]
introduced = "0.4"
fixed = "0.5.2.0"

[[affected]]
package = "bz2"
cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"

[[affected.versions]]
introduced = "0.1.0.0"
fixed = "1.0.1.1"

[[affected]]
package = "bzlib-conduit"
cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"

[[affected.versions]]
introduced = "0.1.0.0"
fixed = "0.3.0.3"
```

# out-of-bounds write when there are many bzip2 selectors

A malicious bzip2 payload may produce a memory corruption
resulting in a denial of service and/or remote code execution.
Network services or command line utilities decompressing
untrusted bzip2 payloads are affected.

Note that the exploitation of this bug relies on an undefined
behavior that appears to be handled safely by current compilers.

The Haskell libraires are vulnerable when they are built using
the bundled C library source code, which is the default
in most cases.
30 changes: 30 additions & 0 deletions advisories/hackage/keter/HSEC-2024-0001.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
```toml
[advisory]
id = "HSEC-2024-0001"
cwe = [79]
keywords = ["http", "xss", "rxss", "historic"]

[[references]]
type = "FIX"
url = "https://github.com/snoyberg/keter/pull/246"

[[affected]]
package = "keter"
cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
declarations."Keter.Proxy.toResponse" = ">= 0.3.4 && < 1.0.1"
declarations."Keter.Proxy.unknownHostResponse" = ">= 1.0.1 && < 1.8.4"

[[affected.versions]]
introduced = "0.3.4"
fixed = "1.8.4"
```

# Reflected XSS vulnerability in keter

Keter is an app-server/reverse-proxy often used with webapps build on Yesod web-framework.

In the logic handling VHost dispatch, Keter was echoing back `Host` header value, unescaped,
as part of an HTML error page. This constitutes a reflected-XSS vulnerability. Although
not readily exploitable directly from a browser (where `Host` header can't generally assume
arbitrary values), it may become such in presence of further weaknesses in components
upstream of Keter in the http proxying chain. Therefore, AC:High in CVSS evaluation.
1 change: 1 addition & 0 deletions code/cvss/test/Spec.hs
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ examples =
, ("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 6.1, CVSS.Medium)
, ("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", 6.4, CVSS.Medium)
, ("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", 3.1, CVSS.Low)
, ("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", 4.0, CVSS.Medium)
, ("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", 9.9, CVSS.Critical)
, ("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", 4.2, CVSS.Medium)
, ("CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C", 7.8, CVSS.High)
Expand Down
3 changes: 2 additions & 1 deletion code/hsec-tools/hsec-tools.cabal
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@ library
, extra ^>=1.7.5
, filepath >=1.4 && <1.5
, hsec-core
, feed ==1.3.*
, lucid >=2.9.0
, mtl >=2.2 && <2.4
, osv
Expand All @@ -61,7 +62,7 @@ library
, safe >=0.3
, text >=1.2 && <3
, time >=1.9 && <1.14
, toml-parser ^>=1.3.0.0
, toml-parser ^>=2.0.0.0
, validation-selective >=0.1 && <1

hs-source-dirs: src
Expand Down
66 changes: 52 additions & 14 deletions code/hsec-tools/src/Security/Advisories/Generate/HTML.hs
Original file line number Diff line number Diff line change
Expand Up @@ -11,21 +11,24 @@ import Control.Monad (forM_)
import Data.List (sortOn)
import Data.List.Extra (groupSort)
import qualified Data.Map.Strict as Map
import Data.Maybe (listToMaybe)
import Data.Ord (Down (..))
import Data.Text (Text)
import qualified Data.Text as T
import qualified Data.Text.IO as T
import System.Exit (exitFailure)
import System.IO (stderr, hPrint)

import qualified Data.Text.Lazy as TL
import Data.Time (ZonedTime, zonedTimeToUTC)
import Distribution.Pretty (prettyShow)
import Lucid
import Validation (Validation(..))

import qualified Security.Advisories as Advisories
import Security.Advisories.Filesystem (listAdvisories)
import System.Directory (createDirectoryIfMissing)
import System.Exit (exitFailure)
import System.FilePath ((</>))
import Security.Advisories.Filesystem (listAdvisories)
import System.IO (hPrint, stderr)
import qualified Text.Atom.Feed as Feed
import qualified Text.Atom.Feed.Export as FeedExport
import Validation (Validation (..))

-- * Actions

Expand All @@ -41,33 +44,35 @@ renderAdvisoriesIndex src dst = do
Success advisories ->
return advisories

let renderToFile' path content = do
let renderHTMLToFile path content = do
putStrLn $ "Rendering " <> path
renderToFile path content

createDirectoryIfMissing False dst
let indexAdvisories = map toAdvisoryR advisories
renderToFile' (dst </> "by-dates.html") $ listByDates indexAdvisories
renderToFile' (dst </> "by-packages.html") $ listByPackages indexAdvisories
renderHTMLToFile (dst </> "by-dates.html") $ listByDates indexAdvisories
renderHTMLToFile (dst </> "by-packages.html") $ listByPackages indexAdvisories

let advisoriesDir = dst </> "advisory"
createDirectoryIfMissing False advisoriesDir
forM_ advisories $ \advisory ->
renderToFile' (advisoriesDir </> advisoryHtmlFilename (Advisories.advisoryId advisory)) $
renderHTMLToFile (advisoriesDir </> advisoryHtmlFilename (Advisories.advisoryId advisory)) $
inPage PageAdvisory $
div_ [class_ "pure-u-1"] $
toHtmlRaw (Advisories.advisoryHtml advisory)

writeFile (dst </> ".nojekyll") ""
putStrLn $ "Rendering " <> (dst </> "atom.xml")
writeFile (dst </> "atom.xml") $ T.unpack $ renderFeed indexAdvisories

-- * Rendering types

data AdvisoryR = AdvisoryR
{ advisoryId :: Advisories.HsecId,
advisorySummary :: Text,
advisoryAffected :: [AffectedPackageR]
advisoryAffected :: [AffectedPackageR],
advisoryModified :: ZonedTime
}
deriving stock (Eq, Show)
deriving stock (Show)

data AffectedPackageR = AffectedPackageR
{ packageName :: Text,
Expand Down Expand Up @@ -158,6 +163,7 @@ inPage page content =
head_ $ do
meta_ [charset_ "UTF-8"]
base_ [href_ $ baseUrlForPage page]
link_ [rel_ "alternate", type_ "application/atom+xml", href_ atomFeedUrl]
link_ [rel_ "stylesheet", href_ "https://cdn.jsdelivr.net/npm/[email protected]/build/pure-min.css", integrity_ "sha384-X38yfunGUhNzHpBaEBsWLO+A0HDYOQi8ufWDkZ0k9e0eXz/tH3II7uKZ9msv++Ls", crossorigin_ "anonymous"]
meta_ [name_ "viewport", content_ "width=device-width, initial-scale=1"]
title_ "Haskell Security.Advisories.Core"
Expand Down Expand Up @@ -204,7 +210,8 @@ toAdvisoryR x =
AdvisoryR
{ advisoryId = Advisories.advisoryId x,
advisorySummary = Advisories.advisorySummary x,
advisoryAffected = concatMap toAffectedPackageR $ Advisories.advisoryAffected x
advisoryAffected = concatMap toAffectedPackageR $ Advisories.advisoryAffected x,
advisoryModified = Advisories.advisoryModified x
}
where
toAffectedPackageR :: Advisories.Affected -> [AffectedPackageR]
Expand All @@ -215,3 +222,34 @@ toAdvisoryR x =
introduced = T.pack $ prettyShow $ Advisories.affectedVersionRangeIntroduced versionRange,
fixed = T.pack . prettyShow <$> Advisories.affectedVersionRangeFixed versionRange
}

-- * Atom/RSS feed

feed :: [AdvisoryR] -> Feed.Feed
feed advisories =
( Feed.nullFeed
atomFeedUrl
(Feed.TextString "Haskell Security Advisory DB") -- Title
(maybe "" (T.pack . show) $ listToMaybe $ sortOn (Down . zonedTimeToUTC . advisoryModified) advisories)
)
{ Feed.feedEntries = fmap toEntry advisories,
Feed.feedLinks = [Feed.nullLink advisoriesRootUrl]
}
where
toEntry advisory =
Feed.nullEntry
(advisoriesRootUrl <> "/" <> advisoryLink (advisoryId advisory))
(Feed.TextString $ advisorySummary advisory)
(T.pack $ show $ advisoryModified advisory)

renderFeed :: [AdvisoryR] -> Text
renderFeed =
maybe (error "Cannot render atom feed") TL.toStrict
. FeedExport.textFeed
. feed

advisoriesRootUrl :: T.Text
advisoriesRootUrl = "https://haskell.github.io/security-advisories"

atomFeedUrl :: T.Text
atomFeedUrl = advisoriesRootUrl <> "/atom.xml"
Loading

0 comments on commit 6f724c9

Please sign in to comment.