chore: fix security issues (#45)

netboxlabs · Dec 31, 2024 · 186853e · 186853e
1 parent 81688cd
commit 186853e
Show file tree

Hide file tree

Showing 7 changed files with 40 additions and 36 deletions.
diff --git a/.github/workflows/device-discovery-lint-tests.yaml b/.github/workflows/device-discovery-lint-tests.yaml
@@ -14,6 +14,10 @@ concurrency:
   group: ${{ github.workflow }}
   cancel-in-progress: false
 
+permissions:
+  contents: write
+  pull-requests: write
+
 env:
   BE_DIR: device-discovery
 
@@ -46,7 +50,7 @@ jobs:
         pytest --junitxml=pytest.xml --cov-report=term-missing:skip-covered --cov=device_discovery/ | tee pytest-coverage.txt
 
     - name: Pytest coverage comment
-      uses: MishaKav/pytest-coverage-comment@main
+      uses: MishaKav/pytest-coverage-comment@81882822c5b22af01f91bd3eacb1cefb6ad73dc2 #v1.1.53
       with:
         pytest-coverage-path: ${{ env.BE_DIR }}/pytest-coverage.txt
         junitxml-path: ${{ env.BE_DIR }}/pytest.xml

diff --git a/.github/workflows/device-discovery-release.yaml b/.github/workflows/device-discovery-release.yaml
@@ -46,7 +46,7 @@ jobs:
         with:
           node-version: "lts/*"
       - name: Write package.json
-        uses: DamianReeves/write-file-action@master
+        uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 #v1.3
         with:
           path: ./package.json
           write-mode: overwrite
@@ -60,7 +60,7 @@ jobs:
               }
             }
       - name: Write .releaserc.json
-        uses: DamianReeves/write-file-action@master
+        uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 #v1.3
         with:
           path: ./.releaserc.json
           write-mode: overwrite
@@ -172,7 +172,7 @@ jobs:
           retention-days: 30
           if-no-files-found: error
       - name: Publish release distributions to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 #v1.12.3
         with:
           packages-dir: ${{env.APP_NAME}}/dist
 
@@ -187,7 +187,7 @@ jobs:
         with:
           node-version: "lts/*"
       - name: Write package.json
-        uses: DamianReeves/write-file-action@master
+        uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 #v1.3
         with:
           path: ./package.json
           write-mode: overwrite
@@ -201,7 +201,7 @@ jobs:
               }
             }
       - name: Write .releaserc.json
-        uses: DamianReeves/write-file-action@master
+        uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 #v1.3
         with:
           path: ./.releaserc.json
           write-mode: overwrite

diff --git a/.github/workflows/network-discovery-lint.yaml b/.github/workflows/network-discovery-lint.yaml
@@ -21,15 +21,13 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
-          go-version: '1.23'
+          go-version: '1.23.x'
           check-latest: true
       - name: Lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 #v6.1.1
         with:
           version: v1.62
           working-directory: network-discovery
-          args: --config ../.github/golangci.yaml
-          skip-pkg-cache: true
-          skip-build-cache: true
+          args: --config ../.github/golangci.yaml
diff --git a/.github/workflows/network-discovery-release.yaml b/.github/workflows/network-discovery-release.yaml
@@ -14,7 +14,7 @@ concurrency:
 env:
   GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   SEMANTIC_RELEASE_PACKAGE: ${{ github.repository }}
-  GO_VERSION: '1.23'
+  GO_VERSION: '1.23.x'
   APP_NAME: network-discovery
 
 permissions:
@@ -33,7 +33,7 @@ jobs:
         with:
           node-version: "lts/*"
       - name: Write package.json
-        uses: DamianReeves/write-file-action@master
+        uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 #v1.3
         with:
           path: ./package.json
           write-mode: overwrite
@@ -47,7 +47,7 @@ jobs:
               }
             }
       - name: Write .releaserc.json
-        uses: DamianReeves/write-file-action@master
+        uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 #v1.3
         with:
           path: ./.releaserc.json
           write-mode: overwrite
@@ -131,13 +131,13 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf #v3.2.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 #v3.8.0
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -148,7 +148,7 @@ jobs:
           echo $BUILD_VERSION > ./network-discovery/version/BUILD_VERSION.txt
 
       - name: Build image and push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 #v6.10.0
         with:
           context: network-discovery
           file: network-discovery/docker/Dockerfile
@@ -173,7 +173,7 @@ jobs:
         with:
           node-version: "lts/*"
       - name: Write package.json
-        uses: DamianReeves/write-file-action@master
+        uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 #v1.3
         with:
           path: ./package.json
           write-mode: overwrite
@@ -187,7 +187,7 @@ jobs:
               }
             }
       - name: Write .releaserc.json
-        uses: DamianReeves/write-file-action@master
+        uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 #v1.3
         with:
           path: ./.releaserc.json
           write-mode: overwrite

diff --git a/.github/workflows/network-discovery-tests.yaml b/.github/workflows/network-discovery-tests.yaml
@@ -30,9 +30,9 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Setup Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@v5
         with:
-          go-version: '1.23'
+          go-version: '1.23.x'
           check-latest: true
       - name: Run go build
         run: go build ./...
@@ -52,14 +52,14 @@ jobs:
         if: always()
         run: cat .coverage/test-report.md
       - name: Find comment
-        uses: peter-evans/find-comment@v3
+        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e #v3.1.0
         id: existing-comment
         with:
           issue-number: ${{ github.event.pull_request.number }}
           comment-author: 'github-actions[bot]'
           body-includes: Go test coverage
       - name: Post comment
-        uses: peter-evans/create-or-update-comment@v4
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 #v4.0.0
         with:
           comment-id: ${{ steps.existing-comment.outputs.comment-id }}
           issue-number: ${{ github.event.pull_request.number }}

diff --git a/device-discovery/device_discovery/policy/runner.py b/device-discovery/device_discovery/policy/runner.py
@@ -42,7 +42,7 @@ def setup(self, name: str, config: Config, scopes: list[Napalm]):
             scopes: scope data for the devices.
 
         """
-        self.name = name
+        self.name = name.replace('\r\n', '').replace('\n', '')
         self.config = config
 
         if self.config is None:
@@ -52,21 +52,22 @@ def setup(self, name: str, config: Config, scopes: list[Napalm]):
 
         self.scheduler.start()
         for scope in scopes:
+            sanitized_hostname = scope.hostname.replace('\r\n', '').replace('\n', '')
             if scope.driver and scope.driver not in supported_drivers:
                 self.scheduler.shutdown()
                 raise Exception(
-                    f"Policy {self.name}, Hostname {scope.hostname}: specified driver '{scope.driver}' "
+                    f"Policy {self.name}, Hostname {sanitized_hostname}: specified driver '{scope.driver}' "
                     f"was not found in the current installed drivers list: {supported_drivers}."
                 )
 
             if self.config.schedule is not None:
                 logger.info(
-                    f"Policy {self.name}, Hostname {scope.hostname}: Scheduled to run with '{self.config.schedule}'"
+                    f"Policy {self.name}, Hostname {sanitized_hostname}: Scheduled to run with '{self.config.schedule}'"
                 )
                 trigger = CronTrigger.from_crontab(self.config.schedule)
             else:
                 logger.info(
-                    f"Policy {self.name}, Hostname {scope.hostname}: One-time run"
+                    f"Policy {self.name}, Hostname {sanitized_hostname}: One-time run"
                 )
                 trigger = DateTrigger(run_date=datetime.now() + timedelta(seconds=1))
 
@@ -89,32 +90,33 @@ def run(self, id: str, scope: Napalm, config: Config):
             config: Configuration data containing site information.
 
         """
+        sanitized_hostname = scope.hostname.replace('\r\n', '').replace('\n', '')
         if scope.driver is None:
             logger.info(
-                f"Policy {self.name}, Hostname {scope.hostname}: Driver not informed, discovering it"
+                f"Policy {self.name}, Hostname {sanitized_hostname}: Driver not informed, discovering it"
             )
             scope.driver = discover_device_driver(scope)
             if scope.driver is None:
                 self.status = Status.FAILED
                 logger.error(
-                    f"Policy {self.name}, Hostname {scope.hostname}: Not able to discover device driver"
+                    f"Policy {self.name}, Hostname {sanitized_hostname}: Not able to discover device driver"
                 )
                 try:
                     self.scheduler.remove_job(id)
                 except Exception as e:
                     logger.error(
-                        f"Policy {self.name}, Hostname {scope.hostname}: Error removing job: {e}"
+                        f"Policy {self.name}, Hostname {sanitized_hostname}: Error removing job: {e}"
                     )
                 return
 
         logger.info(
-            f"Policy {self.name}, Hostname {scope.hostname}: Get driver '{scope.driver}'"
+            f"Policy {self.name}, Hostname {sanitized_hostname}: Get driver '{scope.driver}'"
         )
 
         try:
             np_driver = get_network_driver(scope.driver)
             logger.info(
-                f"Policy {self.name}, Hostname {scope.hostname}: Getting information"
+                f"Policy {self.name}, Hostname {sanitized_hostname}: Getting information"
             )
             with np_driver(
                 scope.hostname,
@@ -132,7 +134,7 @@ def run(self, id: str, scope: Napalm, config: Config):
                 }
                 Client().ingest(scope.hostname, data)
         except Exception as e:
-            logger.error(f"Policy {self.name}, Hostname {scope.hostname}: {e}")
+            logger.error(f"Policy {self.name}, Hostname {sanitized_hostname}: {e}")
 
     def stop(self):
         """Stop the policy runner."""

diff --git a/network-discovery/cmd/main.go b/network-discovery/cmd/main.go
@@ -30,7 +30,7 @@ func resolveEnv(value string) string {
 		if envValue != "" {
 			return envValue
 		}
-		fmt.Printf("error: environment variable %s is not set\n", envVar)
+		fmt.Printf("error: a provided environment variable is not set\n")
 		os.Exit(1)
 	}
 	// Return the original value if no substitution occurs