-
Notifications
You must be signed in to change notification settings - Fork 18
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge remote-tracking branch 'origin/main' into mangoiv/hsec-cabal
- Loading branch information
Showing
19 changed files
with
300 additions
and
75 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -9,7 +9,7 @@ jobs: | |
should_skip: ${{ steps.skip_check.outputs.should_skip }} | ||
steps: | ||
- id: skip_check | ||
uses: fkirc/[email protected].0 | ||
uses: fkirc/[email protected].1 | ||
with: | ||
concurrent_skipping: "never" | ||
skip_after_successful_duplicate: "true" | ||
|
@@ -23,7 +23,7 @@ jobs: | |
changed_files: ${{ steps.process-changed-files.outputs.out }} | ||
steps: | ||
- id: skip_check | ||
uses: fkirc/[email protected].0 | ||
uses: fkirc/[email protected].1 | ||
with: | ||
concurrent_skipping: "never" | ||
skip_after_successful_duplicate: "true" | ||
|
@@ -45,7 +45,7 @@ jobs: | |
code_hash: ${{ steps.code-hash.outputs.code-hash }} | ||
steps: | ||
- name: git checkout | ||
uses: actions/checkout@v3 | ||
uses: actions/checkout@v4 | ||
- id: code-hash | ||
run: | | ||
code_hash=$(git rev-parse HEAD:code) | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -24,7 +24,7 @@ jobs: | |
should_skip: ${{ steps.skip_check.outputs.should_skip }} | ||
steps: | ||
- id: skip_check | ||
uses: fkirc/[email protected].0 | ||
uses: fkirc/[email protected].1 | ||
with: | ||
concurrent_skipping: "never" | ||
skip_after_successful_duplicate: "true" | ||
|
@@ -175,7 +175,7 @@ jobs: | |
key: ${{ runner.os }}-${{ matrix.compiler }}-tools-d8b62173 | ||
path: ~/.haskell-ci-tools | ||
- name: checkout | ||
uses: actions/checkout@v3 | ||
uses: actions/checkout@v4 | ||
with: | ||
path: source | ||
- name: initial cabal.project for sdist | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -10,7 +10,7 @@ jobs: | |
should_skip: ${{ steps.skip_check.outputs.should_skip }} | ||
steps: | ||
- id: skip_check | ||
uses: fkirc/[email protected].0 | ||
uses: fkirc/[email protected].1 | ||
with: | ||
concurrent_skipping: "never" | ||
skip_after_successful_duplicate: "true" | ||
|
@@ -56,10 +56,9 @@ jobs: | |
cp generatedWebsite/by-dates.html generatedWebsite/index.html | ||
rm -Rf generatedWebsite/advisories || echo "Markdown links issue has been fixed" | ||
- name: Deploy | ||
uses: s0/git-publish-subdir-action@develop | ||
env: | ||
REPO: self | ||
BRANCH: generated/gh-pages | ||
FOLDER: generatedWebsite | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
SQUASH_HISTORY: true | ||
uses: peaceiris/actions-gh-pages@v3 | ||
with: | ||
github_token: ${{ secrets.GITHUB_TOKEN }} | ||
publish_dir: ./generatedWebsite | ||
publish_branch: generated/gh-pages | ||
force_orphan: true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
../bzlib/HSEC-2024-0002.md |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
../bzlib/HSEC-2024-0002.md |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
```toml | ||
[advisory] | ||
id = "HSEC-2024-0002" | ||
cwe = [787] | ||
keywords = ["corruption", "vendored-code", "language-c"] | ||
aliases = ["CVE-2019-12900"] | ||
|
||
[[references]] | ||
type = "DISCUSSION" | ||
url = "https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/" | ||
|
||
[[references]] | ||
type = "DISCUSSION" | ||
url = "http://scary.beasts.org/security/CESA-2008-005.html" | ||
|
||
[[references]] | ||
type = "ADVISORY" | ||
url = "https://access.redhat.com/security/cve/cve-2019-12900" | ||
|
||
[[references]] | ||
type = "FIX" | ||
url = "https://sourceware.org/git/?p=bzip2.git;a=commit;h=7ed62bfb46e87a9e878712603469440e6882b184" | ||
|
||
[[affected]] | ||
package = "bzlib" | ||
cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" | ||
|
||
[[affected.versions]] | ||
introduced = "0.4" | ||
fixed = "0.5.2.0" | ||
|
||
[[affected]] | ||
package = "bz2" | ||
cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" | ||
|
||
[[affected.versions]] | ||
introduced = "0.1.0.0" | ||
fixed = "1.0.1.1" | ||
|
||
[[affected]] | ||
package = "bzlib-conduit" | ||
cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" | ||
|
||
[[affected.versions]] | ||
introduced = "0.1.0.0" | ||
fixed = "0.3.0.3" | ||
``` | ||
|
||
# out-of-bounds write when there are many bzip2 selectors | ||
|
||
A malicious bzip2 payload may produce a memory corruption | ||
resulting in a denial of service and/or remote code execution. | ||
Network services or command line utilities decompressing | ||
untrusted bzip2 payloads are affected. | ||
|
||
Note that the exploitation of this bug relies on an undefined | ||
behavior that appears to be handled safely by current compilers. | ||
|
||
The Haskell libraires are vulnerable when they are built using | ||
the bundled C library source code, which is the default | ||
in most cases. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
```toml | ||
[advisory] | ||
id = "HSEC-2024-0001" | ||
cwe = [79] | ||
keywords = ["http", "xss", "rxss", "historic"] | ||
|
||
[[references]] | ||
type = "FIX" | ||
url = "https://github.com/snoyberg/keter/pull/246" | ||
|
||
[[affected]] | ||
package = "keter" | ||
cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N" | ||
declarations."Keter.Proxy.toResponse" = ">= 0.3.4 && < 1.0.1" | ||
declarations."Keter.Proxy.unknownHostResponse" = ">= 1.0.1 && < 1.8.4" | ||
|
||
[[affected.versions]] | ||
introduced = "0.3.4" | ||
fixed = "1.8.4" | ||
``` | ||
|
||
# Reflected XSS vulnerability in keter | ||
|
||
Keter is an app-server/reverse-proxy often used with webapps build on Yesod web-framework. | ||
|
||
In the logic handling VHost dispatch, Keter was echoing back `Host` header value, unescaped, | ||
as part of an HTML error page. This constitutes a reflected-XSS vulnerability. Although | ||
not readily exploitable directly from a browser (where `Host` header can't generally assume | ||
arbitrary values), it may become such in presence of further weaknesses in components | ||
upstream of Keter in the http proxying chain. Therefore, AC:High in CVSS evaluation. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -11,21 +11,24 @@ import Control.Monad (forM_) | |
import Data.List (sortOn) | ||
import Data.List.Extra (groupSort) | ||
import qualified Data.Map.Strict as Map | ||
import Data.Maybe (listToMaybe) | ||
import Data.Ord (Down (..)) | ||
import Data.Text (Text) | ||
import qualified Data.Text as T | ||
import qualified Data.Text.IO as T | ||
import System.Exit (exitFailure) | ||
import System.IO (stderr, hPrint) | ||
|
||
import qualified Data.Text.Lazy as TL | ||
import Data.Time (ZonedTime, zonedTimeToUTC) | ||
import Distribution.Pretty (prettyShow) | ||
import Lucid | ||
import Validation (Validation(..)) | ||
|
||
import qualified Security.Advisories as Advisories | ||
import Security.Advisories.Filesystem (listAdvisories) | ||
import System.Directory (createDirectoryIfMissing) | ||
import System.Exit (exitFailure) | ||
import System.FilePath ((</>)) | ||
import Security.Advisories.Filesystem (listAdvisories) | ||
import System.IO (hPrint, stderr) | ||
import qualified Text.Atom.Feed as Feed | ||
import qualified Text.Atom.Feed.Export as FeedExport | ||
import Validation (Validation (..)) | ||
|
||
-- * Actions | ||
|
||
|
@@ -41,33 +44,35 @@ renderAdvisoriesIndex src dst = do | |
Success advisories -> | ||
return advisories | ||
|
||
let renderToFile' path content = do | ||
let renderHTMLToFile path content = do | ||
putStrLn $ "Rendering " <> path | ||
renderToFile path content | ||
|
||
createDirectoryIfMissing False dst | ||
let indexAdvisories = map toAdvisoryR advisories | ||
renderToFile' (dst </> "by-dates.html") $ listByDates indexAdvisories | ||
renderToFile' (dst </> "by-packages.html") $ listByPackages indexAdvisories | ||
renderHTMLToFile (dst </> "by-dates.html") $ listByDates indexAdvisories | ||
renderHTMLToFile (dst </> "by-packages.html") $ listByPackages indexAdvisories | ||
|
||
let advisoriesDir = dst </> "advisory" | ||
createDirectoryIfMissing False advisoriesDir | ||
forM_ advisories $ \advisory -> | ||
renderToFile' (advisoriesDir </> advisoryHtmlFilename (Advisories.advisoryId advisory)) $ | ||
renderHTMLToFile (advisoriesDir </> advisoryHtmlFilename (Advisories.advisoryId advisory)) $ | ||
inPage PageAdvisory $ | ||
div_ [class_ "pure-u-1"] $ | ||
toHtmlRaw (Advisories.advisoryHtml advisory) | ||
|
||
writeFile (dst </> ".nojekyll") "" | ||
putStrLn $ "Rendering " <> (dst </> "atom.xml") | ||
writeFile (dst </> "atom.xml") $ T.unpack $ renderFeed indexAdvisories | ||
|
||
-- * Rendering types | ||
|
||
data AdvisoryR = AdvisoryR | ||
{ advisoryId :: Advisories.HsecId, | ||
advisorySummary :: Text, | ||
advisoryAffected :: [AffectedPackageR] | ||
advisoryAffected :: [AffectedPackageR], | ||
advisoryModified :: ZonedTime | ||
} | ||
deriving stock (Eq, Show) | ||
deriving stock (Show) | ||
|
||
data AffectedPackageR = AffectedPackageR | ||
{ packageName :: Text, | ||
|
@@ -158,6 +163,7 @@ inPage page content = | |
head_ $ do | ||
meta_ [charset_ "UTF-8"] | ||
base_ [href_ $ baseUrlForPage page] | ||
link_ [rel_ "alternate", type_ "application/atom+xml", href_ atomFeedUrl] | ||
link_ [rel_ "stylesheet", href_ "https://cdn.jsdelivr.net/npm/[email protected]/build/pure-min.css", integrity_ "sha384-X38yfunGUhNzHpBaEBsWLO+A0HDYOQi8ufWDkZ0k9e0eXz/tH3II7uKZ9msv++Ls", crossorigin_ "anonymous"] | ||
meta_ [name_ "viewport", content_ "width=device-width, initial-scale=1"] | ||
title_ "Haskell Security.Advisories.Core" | ||
|
@@ -204,7 +210,8 @@ toAdvisoryR x = | |
AdvisoryR | ||
{ advisoryId = Advisories.advisoryId x, | ||
advisorySummary = Advisories.advisorySummary x, | ||
advisoryAffected = concatMap toAffectedPackageR $ Advisories.advisoryAffected x | ||
advisoryAffected = concatMap toAffectedPackageR $ Advisories.advisoryAffected x, | ||
advisoryModified = Advisories.advisoryModified x | ||
} | ||
where | ||
toAffectedPackageR :: Advisories.Affected -> [AffectedPackageR] | ||
|
@@ -215,3 +222,34 @@ toAdvisoryR x = | |
introduced = T.pack $ prettyShow $ Advisories.affectedVersionRangeIntroduced versionRange, | ||
fixed = T.pack . prettyShow <$> Advisories.affectedVersionRangeFixed versionRange | ||
} | ||
|
||
-- * Atom/RSS feed | ||
|
||
feed :: [AdvisoryR] -> Feed.Feed | ||
feed advisories = | ||
( Feed.nullFeed | ||
atomFeedUrl | ||
(Feed.TextString "Haskell Security Advisory DB") -- Title | ||
(maybe "" (T.pack . show) $ listToMaybe $ sortOn (Down . zonedTimeToUTC . advisoryModified) advisories) | ||
) | ||
{ Feed.feedEntries = fmap toEntry advisories, | ||
Feed.feedLinks = [Feed.nullLink advisoriesRootUrl] | ||
} | ||
where | ||
toEntry advisory = | ||
Feed.nullEntry | ||
(advisoriesRootUrl <> "/" <> advisoryLink (advisoryId advisory)) | ||
(Feed.TextString $ advisorySummary advisory) | ||
(T.pack $ show $ advisoryModified advisory) | ||
|
||
renderFeed :: [AdvisoryR] -> Text | ||
renderFeed = | ||
maybe (error "Cannot render atom feed") TL.toStrict | ||
. FeedExport.textFeed | ||
. feed | ||
|
||
advisoriesRootUrl :: T.Text | ||
advisoriesRootUrl = "https://haskell.github.io/security-advisories" | ||
|
||
atomFeedUrl :: T.Text | ||
atomFeedUrl = advisoriesRootUrl <> "/atom.xml" |
Oops, something went wrong.