
Fetch/update #3

Open
NamSupawan wants to merge 150 commits into main from fetch/update

Conversation

@NamSupawan

No description provided.

def get_allowed_ip_addresses(name)
command = "sudo ipset list #{name} | awk 'NR > 7 { print $1 }'"

output, status = Open3.capture2e(command)

Check failure

Code scanning / CodeQL

Uncontrolled command line Critical

This command depends on a user-provided value.

Copilot Autofix

AI about 1 year ago

To fix the problem, we need to ensure that user input is not directly used to construct and execute shell commands. Instead, we should validate and sanitize the user input to ensure it is safe. One way to do this is to use a whitelist of allowed values or to use parameterized commands where possible.

In this specific case, we can validate the rules_name parameter to ensure it only contains safe characters (e.g., alphanumeric characters and underscores). This will prevent any malicious input from being executed as a command.

Suggested changeset 1
app/controllers/firewalls_controller.rb

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/app/controllers/firewalls_controller.rb b/app/controllers/firewalls_controller.rb
--- a/app/controllers/firewalls_controller.rb
+++ b/app/controllers/firewalls_controller.rb
@@ -46,3 +46,3 @@
     
-    if rules_name
+    if rules_name && rules_name.match?(/\A\w+\z/)
       @allowed_ips_output = get_allowed_ip_addresses(rules_name)
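Review bot: the allowlist on `+    if rules_name && rules_name.match?(/\A\w+\z/)` rejects any set name containing `-` or `.`, which may well be in use for real sets, and nothing in the hunk handles the rejected case, so an invalid or tampered name simply falls through with no error rendered and nothing logged. Consider checking `rules_name` against the set names the application itself manages and adding an else branch that reports the rejection.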
@@ -66,5 +66,6 @@
   def get_allowed_ip_addresses(name)
-    command = "sudo ipset list #{name} | awk 'NR > 7 { print $1 }'"
+    command = ["sudo", "ipset", "list", name]
+    awk_command = "awk 'NR > 7 { print $1 }'"
     
-    output, status = Open3.capture2e(command)
+    output, status = Open3.capture2e(command.join(' ') + " | " + awk_command)
     
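Review bot: the rewrite does not actually take the shell out of the path: `+    output, status = Open3.capture2e(command.join(' ') + " | " + awk_command)` turns the array straight back into a single string, so `name` is still interpolated into a command that `/bin/sh` parses, and the only thing standing between the request and the shell is the regex check in the caller. Pass the arguments separately (`Open3.capture2e('sudo', 'ipset', 'list', name)`) and do the filtering in Ruby, for example by taking the lines after `Members:`, which also removes the dependence on the header being exactly seven lines.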
EOF

config_file = params[:config_file]
output, status = Open3.capture2e("sudo wg-quick up #{config_file}")

Check failure

Code scanning / CodeQL

Uncontrolled command line Critical

This command depends on a user-provided value.

Copilot Autofix

AI 10 months ago

To fix the issue, we need to ensure that the config_file parameter is validated and sanitized before being used in the shell command. The best approach is to:

  1. Validate the config_file parameter to ensure it only contains safe, expected values (e.g., filenames or paths).
  2. Avoid direct interpolation of user input into the shell command. Instead, use an array form of Open3.capture2e to safely pass arguments to the command, which avoids shell interpretation.

The changes will involve:

  • Adding validation logic for config_file to ensure it is a valid filename or path.
  • Modifying the Open3.capture2e call to use the array form for safer command execution.

Suggested changeset 1
app/controllers/vpn_devices_controller.rb

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/app/controllers/vpn_devices_controller.rb b/app/controllers/vpn_devices_controller.rb
--- a/app/controllers/vpn_devices_controller.rb
+++ b/app/controllers/vpn_devices_controller.rb
@@ -52,3 +52,6 @@
     config_file = params[:config_file]
-    output, status = Open3.capture2e("sudo wg-quick up #{config_file}")   
+    unless config_file =~ /\A[\w\-.\/]+\z/
+      redirect_to new_vpn_device_path, alert: 'Invalid configuration file name.' and return
+    end
+    output, status = Open3.capture2e('sudo', 'wg-quick', 'up', config_file)
     if status.success?
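Review bot: the pattern on `+    unless config_file =~ /\A[\w\-.\/]+\z/` admits both `/` and `.`, so a value built from `../` segments passes validation and `sudo wg-quick up` is then invoked on a path outside the intended configuration directory; the array-form `capture2e` on the following line stops shell metacharacters but not this. Since `wg-quick up` also accepts a bare interface name and resolves the file itself, restrict `config_file` to an interface-name pattern such as `/\A[\w-]{1,15}\z/`, or check it against the files present in a fixed directory. Minor: `match?` reads more clearly than `=~` here and does not set `$~`.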
EOF
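Added example, written for this page and not code from the PR or from Copilot, covering both Autofix explanations above: an allowlist on the user-supplied ipset set name and WireGuard interface name, argv-form `Open3.capture2e` calls that never reach the shell, and parsing the `Members:` section in Ruby instead of `awk 'NR > 7'`. The character sets, the 31- and 15-character limits and the sample `ipset list` output are assumptions.

```ruby
require 'open3'

# ipset set names are at most 31 bytes (assumed limit); allow a conservative charset.
SET_NAME_RE = /\A[A-Za-z0-9_-]{1,31}\z/
# wg-quick resolves /etc/wireguard/NAME.conf from a bare interface name, so a path
# (and with it "../") never needs to come from the request. 15 = Linux ifname limit.
WG_IFACE_RE = /\A[A-Za-z0-9_-]{1,15}\z/

def valid_set_name?(name)
  name.is_a?(String) && SET_NAME_RE.match?(name)
end

def valid_wg_interface?(iface)
  iface.is_a?(String) && WG_IFACE_RE.match?(iface)
end

# argv arrays: each element reaches execve as one argument, so metacharacters cannot split it.
def ipset_list_argv(name)
  raise ArgumentError, "invalid ipset name: #{name.inspect}" unless valid_set_name?(name)
  ['sudo', 'ipset', 'list', name]
end

def wg_up_argv(iface)
  raise ArgumentError, "invalid interface: #{iface.inspect}" unless valid_wg_interface?(iface)
  ['sudo', 'wg-quick', 'up', iface]
end
# A String argument would go through /bin/sh (the flagged pattern), so refuse it.
def run_argv(argv)
  raise ArgumentError, 'pass an argv Array, not a shell string' unless argv.is_a?(Array)
  Open3.capture2e(*argv)
end

# Take everything after the "Members:" line instead of skipping a fixed number of
# header lines; the header length varies between ipset versions.
def members_from_ipset_output(output)
  lines = output.lines.map(&:strip)
  idx = lines.index('Members:')
  idx ? lines[(idx + 1)..].reject(&:empty?) : []
end

# Constructed sample `ipset list` output for offline use, not captured from a host.
SAMPLE_IPSET_OUTPUT = <<~OUT
  Name: allowed_ips
  Type: hash:ip
  Header: family inet hashsize 1024 maxelem 65536
  Number of entries: 2
  Members:
  10.0.0.5
  192.168.1.20
OUT
```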