Snyk finds a code quality issue that should be ignored. I'm using the Snyk CLI:
"snyk code test"
✗ [High] Server-Side Request Forgery (SSRF)
Path: project/src/main/java/com/MyClass.java, line 140
Info: Unsanitized input from an HTTP parameter flows into org.apache.http.client.methods.HttpPost, where it is used as an URL to perform a request. This may result in a Server-Side Request Forgery vulnerability.
That's an example.
I know that to ignore something I need to put it in the .snyk file.
I had trouble doing that, so I've put the same thing 4 times:
ignore:
  'java/Ssrf':
    - '*':
        reason: None Given
        expires: 2023-02-17T14:43:55.203Z
        created: 2023-01-18T14:43:55.205Z
  'CWE-918':
    - '*':
        reason: None Given
        expires: 2023-02-17T14:43:55.203Z
        created: 2023-01-18T14:43:55.205Z
  java/Ssrf:
    - '*':
        reason: None Given
        expires: 2023-02-17T14:43:55.203Z
        created: 2023-01-18T14:43:55.205Z
  CWE-918:
    - '*':
        reason: None Given
        expires: 2023-02-17T14:43:55.203Z
        created: 2023-01-18T14:43:55.205Z
But it still throws that problem.
I've added --policy-path=.snyk to 'snyk code test' - no help.
I've tried to use 'Server-Side Request Forgery (SSRF)' as the id <- no success.
All I see in the documentation is ignoring dependency vulnerabilities. Is it possible to use that for the code check?
I got CWE-918 and 'java/Ssrf' by running that test with JSON output:
"rules": [
  {
    "id": "java/Ssrf",
    "name": "Ssrf",
    "shortDescription": {
      "text": "Server-Side Request Forgery (SSRF)"
    },
    "defaultConfiguration": {
      "level": "error"
    },
    "precision": "very-high",
    "repoDatasetSize": 233,
    "cwe": [
      "CWE-918"
    ]
  }
Is it possible to do that at all?
I'm using a URL query string to debug my viewer-request and viewer-response Lambda@Edge functions by returning the event as JSON to the frontend (FYI so I can check for the presence/absence of certain things via an external monitoring tool).
This works fine with the viewer-request: if I go to https://example.org/?debug_viewer_request_event I get a JSON of the viewer-request event:
import json

def lambda_handler(event, context):
    request = event["Records"][0]["cf"]["request"]
    if "debug_viewer_request_event" in request["querystring"]:
        response = {
            "status": "200",
            "statusDescription": "OK",
            "headers": {
                "cache-control": [
                    {
                        "key": "Cache-Control",
                        "value": "no-cache"
                    }
                ],
                "content-type": [
                    {
                        "key": "Content-Type",
                        "value": "application/json"
                    }
                ]
            },
            "body": json.dumps(event)
        }
        return response
    # rest of viewer-request logic...
Testing with cURL:
curl -i https://example.org/?debug_viewer_request_event
HTTP/2 200
content-type: application/json
content-length: 854
server: CloudFront
date: Mon, 26 Apr 2021 06:05:28 GMT
cache-control: no-cache
x-cache: LambdaGeneratedResponse from cloudfront
via: 1.1 xxxxxxxxxxx.cloudfront.net (CloudFront)
x-amz-cf-pop: AMS50-C1
x-amz-cf-id: pU0ItvQA1-r5v3yR1Dl6Z3VpPW_EuuUCHhnOD60uLhng...
{"Records": [{"cf": {"config": {"distributionDomainName": "xxxxxxx.cloudfront.net", "distributionId": "xxxxxxx", "eventType": "viewer-request", "requestId": "pU0ItvQA1-r5v3yR1Dl6Z3VpPW_EuuUCHhnOD60uLhng...
However when I do the same with the viewer-response I get a 502 error:
the code is the same except debug_viewer_request_event is debug_viewer_response_event
if I don't include the debug query string, the response is 200 OK so I know overall both lambdas are working properly (with the exception of the debug for the viewer-response)
Here is the cURL output:
curl -i https://example.org/?debug_viewer_response_event
HTTP/2 502
content-type: text/html
content-length: 1013
server: CloudFront
date: Mon, 26 Apr 2021 06:07:39 GMT
x-cache: LambdaValidationError from cloudfront
via: 1.1 xxxxxxxxx.cloudfront.net (CloudFront)
x-amz-cf-pop: AMS50-C1
x-amz-cf-id: NqXQ-FFEsIX-fEt8IvlHFTYoQdrZSGPScq1H-KNwVWR0-xxxxxx
The Lambda function result failed validation: The function tried to add, delete, or change a read-only header
If I look at the docs, the list of "Read-only Headers for CloudFront Viewer Response Events" is:
Content-Encoding
Content-Length
Transfer-Encoding
Warning
Via
As far as I can see I'm not directly changing any of these headers, but I'm guessing because I'm modifying the response, headers such as Content-Length are modified
Q: Is there a way to return the viewer-response event as JSON to the frontend for debugging or is it simply not possible due to not being able to change Content-Length?
As far as I can see I'm not directly changing any of these headers,
but I'm guessing because I'm modifying the response, headers such as
Content-Length are modified
I agree, I think your issue is that you are returning the response instead of calling
callback(null, response);
where callback should be the third argument to your lambda handler func:
def lambda_handler(event, context, callback):
Since content-length is not mutable, we should assume (and I checked this is true in practice at least for viewer request functions), cloudfront will generate it for you when you generate a response in the edge function.
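A local check for the validation failure discussed above, written as an added example rather than code from the question or the answer: it applies CloudFront's viewer-response rule (no adding, deleting or changing a read-only header) to a handler's output, using the read-only list quoted in the question and a constructed sample event.

```python
"""Local check for Lambda@Edge viewer-response results (added example, not
code from the question or the answer). CloudFront rejects a viewer-response
result that adds, deletes or changes a read-only header; this applies that
rule to a handler's output in a unit test instead of in production. The
read-only list is the one quoted in the question; the sample event is a
constructed record, not a real CloudFront event."""
import json

# Read-only headers for CloudFront viewer-response events (from the question).
READ_ONLY_VIEWER_RESPONSE = {
    "content-encoding", "content-length", "transfer-encoding", "warning", "via",
}

def _flatten(headers):
    """CloudFront header map -> {lowercase name: [values]} for comparison."""
    return {name.lower(): [h["value"] for h in entries]
            for name, entries in headers.items()}

def read_only_violations(original, candidate):
    """Read-only headers whose presence or value differs between the response
    the trigger received and the one the handler wants to return."""
    before = _flatten(original.get("headers", {}))
    after = _flatten(candidate.get("headers", {}))
    return sorted(n for n in READ_ONLY_VIEWER_RESPONSE if before.get(n) != after.get(n))

def check_handler(handler, event):
    """Run a viewer-response handler on a copy of the event; report violations."""
    original = event["Records"][0]["cf"]["response"]
    candidate = handler(json.loads(json.dumps(event)), None)  # deep copy, handlers may mutate
    return read_only_violations(original, candidate)

def debug_handler(event, context):
    """The question's debug pattern on a viewer-response trigger: it returns a
    brand-new response, which silently drops Via and Content-Length."""
    record = event["Records"][0]["cf"]
    if "debug_viewer_response_event" in record["request"]["querystring"]:
        return {
            "status": "200", "statusDescription": "OK",
            "headers": {
                "cache-control": [{"key": "Cache-Control", "value": "no-cache"}],
                "content-type": [{"key": "Content-Type", "value": "application/json"}],
            },
            "body": json.dumps(event),
        }
    return record["response"]

# Constructed sample: the shape a viewer-response trigger receives from CloudFront.
SAMPLE_EVENT = {"Records": [{"cf": {
    "request": {"uri": "/", "querystring": "debug_viewer_response_event"},
    "response": {"status": "200", "statusDescription": "OK", "headers": {
        "content-type": [{"key": "Content-Type", "value": "text/html"}],
        "content-length": [{"key": "Content-Length", "value": "1013"}],
        "via": [{"key": "Via", "value": "1.1 example.cloudfront.net (CloudFront)"}],
    }},
}}]}
```

Running `check_handler(debug_handler, SAMPLE_EVENT)` reports `['content-length', 'via']`, which is exactly the "add, delete, or change a read-only header" condition behind the 502 in the question.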
I have deployed an API-Platform app using JWT token to ElasticBeanstalk which, as usual, works fine in my local server.
On EB though it is denying access to logged in users despite the correct BearerToken being provided.
This is the error thrown:
{
  "errors": [
    {
      "message": "Access Denied.",
      "extensions": {
        "category": "graphql"
      },
      "locations": [
        {
          "line": 6,
          "column": 9
        }
      ],
      "path": [
        "retrievedQueryUser"
      ]
    }
  ],
  "data": {
    "retrievedQueryUser": null
  }
}
The query in question attempts to retrieve user profile info through the below graphql config:
 *     "retrievedQuery"={
 *         "item_query"=UserProfileResolver::class,
 *         "normalization_context"={"groups"={"get-owner"}},
 *         "security"="is_granted('IS_AUTHENTICATED_FULLY') and object == user"
 *     },
So, it should be a simple matter of checking whether the user IS_AUTHENTICATED_FULLY and whether it is the user him/herself trying to execute the query.
As far as I could tell, from the dump below in /vendor/symfony/security-core/Authorization/AuthorizationChecker.php, it's failing to retrieve a token.
var_dump($this->tokenStorage->getToken()->getUser()->getUsername());
I did a cursory comparison of phpinfo() between my local installation and the one at AWS-EB and could not find any obvious mismatch.
This is the config for JWT at /config/packages/lexik_jwt_authentication.yaml.
lexik_jwt_authentication:
    secret_key: '%env(resolve:JWT_SECRET_KEY)%'
    public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
    pass_phrase: '%env(JWT_PASSPHRASE)%'
    user_identity_field: email
    token_ttl: 1800
Just to confirm, the users are able to log in. It's the isGranted() check that they pass through which fails.
Any ideas?
EDIT - added /config/packages/security.yaml:
security:
    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    encoders:
        App\Entity\User:
            algorithm: auto
            #algorithm: bcrypt
            #algorithm: argon2i
            cost: 12
    providers:
        database:
            entity:
                class: App\Entity\User
                property: email
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        refresh:
            pattern: ^/api/token/refresh
            stateless: true
            anonymous: true
        api:
            pattern: ^/api
            stateless: true
            anonymous: true
            json_login:
                check_path: /api/login_check
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
            guard:
                authenticators:
                    - app.google_login_authenticator
                    - App\Security\TokenAuthenticator
                entry_point: App\Security\TokenAuthenticator
            user_checker: App\Security\UserEnabledChecker
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, roles: ROLE_SUPERADMIN }
        - { path: ^/api/token/refresh, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    role_hierarchy:
        ROLE_PROVIDER: ROLE_USER
        ROLE_ADMIN: [ROLE_PROVIDER, ROLE_EDITOR]
        ROLE_SUPERADMIN: ROLE_ADMIN
Upon further research I found out that Apache was stripping the authorization token from the request.
In the supports method of /lexik/jwt-authenticator-bundle/Security/Guard/JWTTokenAuthenticator, the dump below will not include the token on AWS:
var_dump($request->headers->all());
var_dump($_SERVER);
As per this question, this is an issue of Apache configuration which is not accepting the authorization headers.
The indicated solution is to add the following to .htaccess:
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
This resolves the issue, though one should note that the local Apache installation works fine without the above edit to .htaccess.
So, it should also be possible to change Apache config directly, but I could not find how to go about it.
EDIT: Later I found a specific instruction in the 'JWT-Token' docs, as follows, that confirms the solution at this link.
I am currently working on adding a new secret for our project, which usually stores secrets in Kubernetes. I pretty much mimicked all the other secrets that I could find, so it would seem that everything should be correct. However, it's not working and is giving me: for: "kubernetes/template/secrets.yml": error decoding from json: illegal base64 data at input byte 0. I'm not sure if this is an issue from within Kubernetes or from my script.
The secrets file looks something like this:
secrets.yml
apiVersion: v1
kind: Secret
metadata:
  …
type: Opaque
data:
  SECRET_A: {SECRET_A}
  SECRET_B: {SECRET_B}
deployk8.sh
set -e
sed -i "s,{SECRET_A},${SECRET_A},g" kubernetes/template/secrets.yml
sed -i "s,{SECRET_B},${SECRET_B},g" kubernetes/template/secrets.yml # The new one
kubectl --record --namespace=${...} --token ${...} --cluster ${...} apply -f kubernetes/template/secrets.yml
When I run kubectl get secret my-secret -o json, I get something similar to this:
{
    "apiVersion": "v1",
    "data": {
        "SECRET_A": "abcdefghijklmnopqrstuvwxyz123456",
        "SECRET_B": "abcdefghijklmnopqrstuvwxyz1234567890abcd"
    },
    "kind": "Secret",
    "metadata": {
        "annotations": {
            "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"data\":{\"SECRET_A\":\"abcdefghijklmnopqrstuvwxyz123456\"},\"kind\":\"Secret\",\"metadata\":{\"annotations\":{\"kubernetes.io/change-cause\":\"kubectl apply --record=true --namespace=ns --token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --cluster=my_cluster --filename=kubernetes/template/secrets.yml\"},\"labels\":{\"app\":\"my-app\",\"env\":\"dev\"},\"name\":\"my-app-dev\",\"namespace\":\"ns\"},\"type\":\"Opaque\"}\n",
            "kubernetes.io/change-cause": "kubectl apply --record=true --namespace=ns --token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx--cluster=my_cluster --filename=kubernetes/template/secrets.yml"
        },
        "creationTimestamp": "20XX-XX-XXTXX:XX:XXZ",
        "labels": {
            "app": "my-app",
            "env": "dev"
        },
        "name": "my-app-dev",
        "namespace": "ns",
        "resourceVersion": "0000000000",
        "selfLink": "/api/v1/namespaces/ns/secrets/my-app-dev",
        "uid": "00000000-0000-0000-0000-000000000000"
    },
    "type": "Opaque"
}
The entire error looks something like this:
kubectl --record --namespace=${...} --token ${...} --cluster ${...} apply -f
kubernetes/template/secrets.yml
Error from server: error when applying patch:
[insert output from above, but with:
{\"SECRET_A\":\"abcdefghijklmnopqrstuvwxyz123456\",\"SECRET_B\":\"$SECRET_B\"}]
to:
[transformed output from above, but with:
Object: &{map["apiVersion":"v1" "data":map["SECRET_A":"abcdefghijklmnopqrstuvwxyz123456\" "SECRET_B":"abcdefghijklmnopqrstuvwxyz1234567890abcd"]]
I would really appreciate any help in figuring this out!
I think I found a resolution to my issue. It turns out that the environment variable I was pulling from had changed (i.e. SECRET_B should have just been B). So, technically, SECRET_B didn't exist. Changing this fixed my issue. Thank you to everyone who tried to help!
You could use the stringData field as described here. That way you do not have to base64 the input. Note the field is write-only.
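A pre-flight check for the failure in this thread, written as an added example (not code from the question or the answers): it renders the placeholder template the way deployk8.sh's sed does but refuses unset variables, then validates each data value as strict base64 before anything reaches kubectl. The TEMPLATE mirrors the question's secrets.yml, the data-block reader assumes that two-space layout (no PyYAML), and all sample values are constructed.

```python
"""Pre-flight check for a templated Kubernetes Secret (added example, not
from the question or the answers). It replaces the sed substitution in
deployk8.sh with a render step that refuses unset variables, then validates
every `data:` value as strict base64 the way the API server does, so
"illegal base64 data at input byte 0" surfaces before kubectl apply. The
`data:` reader assumes the two-space layout below (no PyYAML)."""
import base64
import binascii
import re

TEMPLATE = """\
apiVersion: v1
kind: Secret
metadata:
  name: my-app-dev
type: Opaque
data:
  SECRET_A: {SECRET_A}
  SECRET_B: {SECRET_B}
"""
PLACEHOLDER = re.compile(r"\{([A-Z0-9_]+)\}")
B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

def render(template, env):
    """Fill {NAME} placeholders from env; unlike sed, stop if any variable is unset."""
    missing = sorted(set(PLACEHOLDER.findall(template)) - set(env))
    if missing:
        raise KeyError(f"secret template needs unset variables: {missing}")
    return PLACEHOLDER.sub(lambda m: env[m.group(1)], template)

def data_entries(manifest):
    """Collect KEY: value pairs from the indented block under `data:`."""
    entries, in_data = {}, False
    for line in manifest.splitlines():
        if line.startswith("data:"):
            in_data = True
        elif in_data and line.startswith("  ") and ":" in line:
            key, _, value = line.strip().partition(":")
            entries[key] = value.strip()
        elif line and not line.startswith(" "):
            in_data = False
    return entries

def base64_problems(entries):
    """Map each data key the API server would reject to a kubectl-style reason."""
    problems = {}
    for key, value in entries.items():
        bad = next((i for i, ch in enumerate(value) if ch not in B64_ALPHABET), None)
        if bad is not None:  # e.g. a literal "$SECRET_B" fails at byte 0
            problems[key] = f"illegal base64 data at input byte {bad}"
            continue
        try:
            base64.b64decode(value, validate=True)
        except binascii.Error as exc:  # wrong length / padding
            problems[key] = str(exc)
    return problems
```

`base64_problems(data_entries(render(TEMPLATE, env)))` returns `{}` for a good environment and, for the thread's case where the literal string `$SECRET_B` is substituted, `{'SECRET_B': 'illegal base64 data at input byte 0'}`.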
I have an Artifactory Pro license, and I called the REST API as described on the following page.
https://www.jfrog.com/confluence/display/RTF/Artifactory+REST+API#ArtifactoryRESTAPI-CreateRepository
I have verified that all other APIs, such as repository listing and account creation and listing, work normally, but I have confirmed that the repository creation API does not work and returns 400 errors.
I wanted to see the error by changing the log level, but there was no information about why there was a 400 error, even at the trace log level.
Below are related logs:
2018-06-15 10:31:34,028 [http-nio-8081-exec-15] [TRACE] (o.a.a.d.r.DockerV2AuthenticationFilter:84) - DockerV2AuthenticationFilter path: /api/repositories/newrepo
2018-06-15 10:31:34,028 [http-nio-8081-exec-15] [DEBUG] (o.a.w.s.a.AuthenticationFilterUtils:105) - Entering ArtifactorySsoAuthenticationFilter.getRemoteUserName
2018-06-15 10:31:34,028 [http-nio-8081-exec-15] [DEBUG] (o.a.w.s.AccessFilter:299) - Cached key has been found for request: '/artifactory/api/repositories/newrepo' with method: 'PUT'
2018-06-15 10:31:34,028 [http-nio-8081-exec-15] [TRACE] (o.a.s.PasswordDecryptingManager:95) - Received authentication request for org.artifactory.security.props.auth.PropsAuthenticationToken#3dc5bccf: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: {IP}; SessionId: null; Not granted any authorities
2018-06-15 10:31:34,029 [http-nio-8081-exec-15] [DEBUG] (o.j.a.c.h.AccessHttpClient:109) - Executing : GET http://localhost:8040/access/api/v1/users/?cd=apiKey_shash%3DGprGDe&exactKeyMatch=false
2018-06-15 10:31:34,035 [http-nio-8081-exec-15] [DEBUG] (o.a.w.s.AccessFilter:305) - Header authentication org.artifactory.security.props.auth.PropsAuthenticationToken#c20ca8df: Principal: admin; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#b364: RemoteIpAddress: {IP}; SessionId: null; Granted Authorities: admin, user found in cache.
2018-06-15 10:31:34,035 [http-nio-8081-exec-15] [DEBUG] (o.a.w.s.RepoFilter :100) - Entering request PUT (10.191.128.129) /api/repositories/newrepo.
2018-06-15 10:31:34,038 [http-nio-8081-exec-15] [DEBUG] (o.a.w.s.RepoFilter :188) - Exiting request PUT (10.191.128.129) /api/repositories/newrepo
Updated
My Artifactory Version: 6.0.2
Response Message from Artifactory:
{
"errors" : [ {
"status" : 400,
"message" : "No valid type of repository found.\n"
} ]
}
Repository Create JSON Message*:
{
  "key": "newrepo",
  "rclass: "local",
  "packageType": "docker",
  "dockerApiVersion": "V2",
  "includesPattern": "**/*",
  "excludesPattern": "",
  "repoLayoutRef": "simple-default",
  "description": "",
  "checksumPolicyType": "client-checksums",
  "blackedOut": false,
  "propertySets": ["artifactory"]
}
The error in this block is on purpose, and the code highlighting finds it quite nicely, but when this post was originally made, highlighting was not available on SO.
In your JSON you are missing " after the rclass.
You wrote ' "rclass: ' and it should be ' "rclass": '
Once fixing this the command should work properly.
Good luck :)
curl -iuadmin:password -X PUT http://localhost:8081/artifactory/api/repositories/newrepo -H "Content-type:application/vnd.org.jfrog.artifactory.repositories.LocalRepositoryConfiguration+json" -T repo_temp.json
HTTP/1.1 100 Continue
HTTP/1.1 200 OK
Server: Artifactory/5.11.0
X-Artifactory-Id: bea9f3f68aa06e62:4db81752:1643a9cff9e:-8000
Content-Type: text/plain
Transfer-Encoding: chunked
Date: Tue, 26 Jun 2018 06:57:24 GMT
Successfully created repository 'newrepo'
repo_temp.json:
{
  "key": "newrepo",
  "rclass": "local",
  "packageType": "docker",
  "dockerApiVersion": "V2",
  "includesPattern": "**/*",
  "excludesPattern": "",
  "repoLayoutRef": "simple-default",
  "description": "",
  "checksumPolicyType": "client-checksums",
  "blackedOut": false,
  "propertySets": ["artifactory"]
}
This error is (somehow) returned by Artifactory if the content-type header contains the charset, for example: Content-Type: application/json; charset=UTF-8
Try with simply Content-Type: application/json
I cloned the GitHub project of FIGWAY in order to query the attributes of the entities from Orion, but I'm getting an error in all Python scripts:
  File "GetEntity.py", line 37, in <module>
    config = ConfigParser.RawConfigParser(allow_no_value=True)
TypeError: __init__() got an unexpected keyword argument 'allow_no_value'
I called it like -> python GetEntity.py Room
Some tips to investigate what is going on:
You should be using Python2.7 to run these scripts. Can you please let me know which version and OS are you using?
We have updated FIGWAY last week. Can you please clone it again if you did it before?
You should be using the new scripts at folder: /python-IDAS4/ContextBroker
With the previous assumptions you should get something like this (as long as that entity does not exist on that ContextBroker at the time being):
i6#raspberrypi ~/github/fiware-figway/python-IDAS4/ContextBroker $ python GetEntity.py Room
* Asking to http://130.206.80.40:1026/ngsi10/queryContext
* Headers: {'Fiware-Service': 'OpenIoT', 'content-type': 'application/json', 'accept': 'application/json', 'X-Auth-Token': 'NULL'}
* Sending PAYLOAD:
{
    "entities": [
        {
            "type": "",
            "id": "Room",
            "isPattern": "false"
        }
    ],
    "attributes": []
}
...
* Status Code: 200
* Response:
{
  "errorCode" : {
    "code" : "404",
    "reasonPhrase" : "No context element found"
  }
}