From 186853e54b4db5012911ca077d62c1e17777ae75 Mon Sep 17 00:00:00 2001 From: Leonardo Parente <23251360+leoparente@users.noreply.github.com> Date: Tue, 31 Dec 2024 12:30:47 -0300 Subject: [PATCH] chore: fix security issues (#45) --- .../device-discovery-lint-tests.yaml | 6 ++++- .../workflows/device-discovery-release.yaml | 10 ++++----- .github/workflows/network-discovery-lint.yaml | 10 ++++----- .../workflows/network-discovery-release.yaml | 18 +++++++-------- .../workflows/network-discovery-tests.yaml | 8 +++---- .../device_discovery/policy/runner.py | 22 ++++++++++--------- network-discovery/cmd/main.go | 2 +- 7 files changed, 40 insertions(+), 36 deletions(-) diff --git a/.github/workflows/device-discovery-lint-tests.yaml b/.github/workflows/device-discovery-lint-tests.yaml index a68230c..45e6776 100644 --- a/.github/workflows/device-discovery-lint-tests.yaml +++ b/.github/workflows/device-discovery-lint-tests.yaml @@ -14,6 +14,10 @@ concurrency: group: ${{ github.workflow }} cancel-in-progress: false +permissions: + contents: write + pull-requests: write + env: BE_DIR: device-discovery @@ -46,7 +50,7 @@ jobs: pytest --junitxml=pytest.xml --cov-report=term-missing:skip-covered --cov=device_discovery/ | tee pytest-coverage.txt - name: Pytest coverage comment - uses: MishaKav/pytest-coverage-comment@main + uses: MishaKav/pytest-coverage-comment@81882822c5b22af01f91bd3eacb1cefb6ad73dc2 #v1.1.53 with: pytest-coverage-path: ${{ env.BE_DIR }}/pytest-coverage.txt junitxml-path: ${{ env.BE_DIR }}/pytest.xml diff --git a/.github/workflows/device-discovery-release.yaml b/.github/workflows/device-discovery-release.yaml index bed366e..030d7a7 100644 --- a/.github/workflows/device-discovery-release.yaml +++ b/.github/workflows/device-discovery-release.yaml 
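Review bot: The new workflow-level `permissions` block in device-discovery-lint-tests.yaml grants `contents: write` to every job in a lint/test workflow, while the only consumer visible in this diff is the pytest-coverage-comment step, which needs `pull-requests: write` to post its comment. Unless that action's README-badge update feature is in use (not visible here), `contents: write` lets any compromised step or dependency in the workflow push to the repository; I would declare `permissions:` / `  contents: read` / `  pull-requests: write` instead (checkout still needs `contents: read` once an explicit block is present), and preferably scope it to the job that posts the comment. Note that on `pull_request` events from forks GITHUB_TOKEN is read-only regardless of this block, so widening permissions does not help that case.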
@@ -46,7 +46,7 @@ jobs: with: node-version: "lts/*" - name: Write package.json - uses: DamianReeves/write-file-action@master + uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 #v1.3 with: path: ./package.json write-mode: overwrite @@ -60,7 +60,7 @@ jobs: } } - name: Write .releaserc.json - uses: DamianReeves/write-file-action@master + uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 #v1.3 with: path: ./.releaserc.json write-mode: overwrite @@ -172,7 +172,7 @@ jobs: retention-days: 30 if-no-files-found: error - name: Publish release distributions to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 #v1.12.3 with: packages-dir: ${{env.APP_NAME}}/dist @@ -187,7 +187,7 @@ jobs: with: node-version: "lts/*" - name: Write package.json - uses: DamianReeves/write-file-action@master + uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 #v1.3 with: path: ./package.json write-mode: overwrite @@ -201,7 +201,7 @@ jobs: } } - name: Write .releaserc.json - uses: DamianReeves/write-file-action@master + uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 #v1.3 with: path: ./.releaserc.json write-mode: overwrite diff --git a/.github/workflows/network-discovery-lint.yaml b/.github/workflows/network-discovery-lint.yaml index 326538b..be1936a 100644 --- a/.github/workflows/network-discovery-lint.yaml +++ b/.github/workflows/network-discovery-lint.yaml 
@@ -21,15 +21,13 @@ jobs: - name: Checkout uses: actions/checkout@v4 - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@v5 with: - go-version: '1.23' + go-version: '1.23.x' check-latest: true - name: Lint - uses: golangci/golangci-lint-action@v3 + uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 #v6.1.1 with: version: v1.62 working-directory: network-discovery - args: --config ../.github/golangci.yaml - skip-pkg-cache: true - skip-build-cache: true \ No newline at end of file + args: --config ../.github/golangci.yaml \ No newline at end of file diff --git a/.github/workflows/network-discovery-release.yaml b/.github/workflows/network-discovery-release.yaml index 7cb8d38..01ffdee 100644 --- a/.github/workflows/network-discovery-release.yaml +++ b/.github/workflows/network-discovery-release.yaml @@ -14,7 +14,7 @@ concurrency: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} SEMANTIC_RELEASE_PACKAGE: ${{ github.repository }} - GO_VERSION: '1.23' + GO_VERSION: '1.23.x' APP_NAME: network-discovery permissions: @@ -33,7 +33,7 @@ jobs: with: node-version: "lts/*" - name: Write package.json - uses: DamianReeves/write-file-action@master + uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 #v1.3 with: path: ./package.json write-mode: overwrite @@ -47,7 +47,7 @@ jobs: } } - name: Write .releaserc.json - uses: DamianReeves/write-file-action@master + uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 #v1.3 with: path: ./.releaserc.json write-mode: overwrite 
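Review bot: In the network-discovery-lint hunk the newly added `uses: actions/setup-go@v5` (and the `actions/checkout@v4` context line above it) stay on floating major tags while `golangci/golangci-lint-action` is pinned to a full commit SHA, so the pinning policy this commit introduces is inconsistent within the same job. Either pin the GitHub-owned actions to their release commit SHAs in the same `@<sha> #vX.Y.Z` form, or add a one-line comment next to them stating that first-party `actions/*` are deliberately left on tags, so the next reader knows the gap is intentional. Also worth noting that `go-version: '1.23.x'` with `check-latest: true` means the toolchain resolves to the newest patch at run time, which is fine for lint but is a reproducibility trade-off that deserves a comment, e.g. `# floats to latest 1.23 patch on purpose`.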
@@ -131,13 +131,13 @@ jobs: uses: actions/checkout@v4 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf #v3.2.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 #v3.8.0 - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -148,7 +148,7 @@ jobs: echo $BUILD_VERSION > ./network-discovery/version/BUILD_VERSION.txt - name: Build image and push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 #v6.10.0 with: context: network-discovery file: network-discovery/docker/Dockerfile @@ -173,7 +173,7 @@ jobs: with: node-version: "lts/*" - name: Write package.json - uses: DamianReeves/write-file-action@master + uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 #v1.3 with: path: ./package.json write-mode: overwrite @@ -187,7 +187,7 @@ jobs: } } - name: Write .releaserc.json - uses: DamianReeves/write-file-action@master + uses: DamianReeves/write-file-action@6929a9a6d1807689191dcc8bbe62b54d70a32b42 #v1.3 with: path: ./.releaserc.json write-mode: overwrite diff --git a/.github/workflows/network-discovery-tests.yaml b/.github/workflows/network-discovery-tests.yaml index a9c6354..870b507 100644 --- a/.github/workflows/network-discovery-tests.yaml +++ b/.github/workflows/network-discovery-tests.yaml @@ -30,9 +30,9 @@ jobs: - name: Checkout uses: actions/checkout@v4 - name: Setup Go - uses: actions/setup-go@v4 + uses: actions/setup-go@v5 with: - go-version: '1.23' + go-version: '1.23.x' check-latest: true - name: Run go build run: go build ./... 
@@ -52,14 +52,14 @@ jobs: if: always() run: cat .coverage/test-report.md - name: Find comment - uses: peter-evans/find-comment@v3 + uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e #v3.1.0 id: existing-comment with: issue-number: ${{ github.event.pull_request.number }} comment-author: 'github-actions[bot]' body-includes: Go test coverage - name: Post comment - uses: peter-evans/create-or-update-comment@v4 + uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 #v4.0.0 with: comment-id: ${{ steps.existing-comment.outputs.comment-id }} issue-number: ${{ github.event.pull_request.number }} diff --git a/device-discovery/device_discovery/policy/runner.py b/device-discovery/device_discovery/policy/runner.py index ee135e8..e6c6ead 100644 --- a/device-discovery/device_discovery/policy/runner.py +++ b/device-discovery/device_discovery/policy/runner.py @@ -42,7 +42,7 @@ def setup(self, name: str, config: Config, scopes: list[Napalm]): scopes: scope data for the devices. """ - self.name = name + self.name = name.replace('\r\n', '').replace('\n', '') self.config = config if self.config is None: 
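Review bot: In the runner.py hunk, `self.name = name.replace('\r\n', '').replace('\n', '')` sanitizes the stored policy identity rather than the log message, so if `name` is used elsewhere as a key (when stopping or matching the policy, which I cannot see from this hunk) the stored value silently diverges from what the caller passed whenever it contains a newline. It also leaves a bare `\r` intact, which is enough to overwrite a line in many terminals and log viewers. I would keep `self.name = name` and sanitize at the log site, or at minimum strip both characters independently, `self.name = name.replace('\r', '').replace('\n', '')`, which also covers `\r\n`. `setup()` begins and ends outside this hunk.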
@@ -52,21 +52,22 @@ def setup(self, name: str, config: Config, scopes: list[Napalm]):
 self.scheduler.start()
 for scope in scopes:
+ sanitized_hostname = scope.hostname.replace('\r\n', '').replace('\n', '')
 if scope.driver and scope.driver not in supported_drivers:
 self.scheduler.shutdown()
 raise Exception(
- f"Policy {self.name}, Hostname {scope.hostname}: specified driver '{scope.driver}' "
+ f"Policy {self.name}, Hostname {sanitized_hostname}: specified driver '{scope.driver}' "
 f"was not found in the current installed drivers list: {supported_drivers}."
 )
 if self.config.schedule is not None:
 logger.info(
- f"Policy {self.name}, Hostname {scope.hostname}: Scheduled to run with '{self.config.schedule}'"
+ f"Policy {self.name}, Hostname {sanitized_hostname}: Scheduled to run with '{self.config.schedule}'"
 )
 trigger = CronTrigger.from_crontab(self.config.schedule)
 else:
 logger.info(
- f"Policy {self.name}, Hostname {scope.hostname}: One-time run"
+ f"Policy {self.name}, Hostname {sanitized_hostname}: One-time run"
 )
 trigger = DateTrigger(run_date=datetime.now() + timedelta(seconds=1))
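Review bot: The log-forging fix in `setup()` is partial: `scope.driver` and `self.config.schedule` are interpolated raw into the same `raise Exception(...)` and `logger.info(...)` messages, and they come from the same policy input as `scope.hostname`, so an attacker who controls the policy can still inject newlines through them. The `.replace('\r\n', '').replace('\n', '')` chain also passes a lone `\r`, tabs and ESC (ANSI sequences) through, and it is now copied in three places; a single module-level helper that drops all control characters, applied to every untrusted field at the log site, is both safer and easier to keep consistent (`str.isprintable()` keeps spaces and non-ASCII letters but rejects control characters, so no new import is needed). `setup()` begins before this hunk and the trigger/scheduling code after it is unchanged.
```python
def _log_safe(value: object) -> str:
    """Render an untrusted policy value for logging: drop control characters
    (CR, LF, TAB, ESC, ...) so a hostname or driver name cannot forge log lines."""
    return "".join(ch for ch in str(value) if ch.isprintable())

# … unchanged: class header and setup() up to the scopes loop …
        for scope in scopes:
            sanitized_hostname = _log_safe(scope.hostname)
            if scope.driver and scope.driver not in supported_drivers:
                self.scheduler.shutdown()
                raise Exception(
                    f"Policy {self.name}, Hostname {sanitized_hostname}: specified driver '{_log_safe(scope.driver)}' "
                    f"was not found in the current installed drivers list: {supported_drivers}."
                )
            if self.config.schedule is not None:
                logger.info(
                    f"Policy {self.name}, Hostname {sanitized_hostname}: Scheduled to run with '{_log_safe(self.config.schedule)}'"
                )
                # … unchanged: CronTrigger / DateTrigger construction …
```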
@@ -89,32 +90,33 @@ def run(self, id: str, scope: Napalm, config: Config):
 config: Configuration data containing site information.
 """
+ sanitized_hostname = scope.hostname.replace('\r\n', '').replace('\n', '')
 if scope.driver is None:
 logger.info(
- f"Policy {self.name}, Hostname {scope.hostname}: Driver not informed, discovering it"
+ f"Policy {self.name}, Hostname {sanitized_hostname}: Driver not informed, discovering it"
 )
 scope.driver = discover_device_driver(scope)
 if scope.driver is None:
 self.status = Status.FAILED
 logger.error(
- f"Policy {self.name}, Hostname {scope.hostname}: Not able to discover device driver"
+ f"Policy {self.name}, Hostname {sanitized_hostname}: Not able to discover device driver"
 )
 try:
 self.scheduler.remove_job(id)
 except Exception as e:
 logger.error(
- f"Policy {self.name}, Hostname {scope.hostname}: Error removing job: {e}"
+ f"Policy {self.name}, Hostname {sanitized_hostname}: Error removing job: {e}"
 )
 return
 logger.info(
- f"Policy {self.name}, Hostname {scope.hostname}: Get driver '{scope.driver}'"
+ f"Policy {self.name}, Hostname {sanitized_hostname}: Get driver '{scope.driver}'"
 )
 try:
 np_driver = get_network_driver(scope.driver)
 logger.info(
- f"Policy {self.name}, Hostname {scope.hostname}: Getting information"
+ f"Policy {self.name}, Hostname {sanitized_hostname}: Getting information"
 )
 with np_driver(
 scope.hostname,
@@ -132,7 +134,7 @@ def run(self, id: str, scope: Napalm, config: Config):
 }
 Client().ingest(scope.hostname, data)
 except Exception as e:
- logger.error(f"Policy {self.name}, Hostname {scope.hostname}: {e}")
+ logger.error(f"Policy {self.name}, Hostname {sanitized_hostname}: {e}")
 def stop(self):
 """Stop the policy runner."""
diff --git a/network-discovery/cmd/main.go b/network-discovery/cmd/main.go
index e57c271..dc86ae2 100644
--- a/network-discovery/cmd/main.go
+++ b/network-discovery/cmd/main.go
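Review bot: In the `run()` hunk the hostname is sanitized but `scope.driver` is still interpolated raw in `Get driver '{scope.driver}'`, and when the driver was supplied by the policy rather than discovered it is attacker-influenced input just like the hostname, so the newline-injection path this commit closes for one field stays open for the other. The exception text in `Error removing job: {e}` is likewise unsanitized. I would compute `sanitized_driver = str(scope.driver).replace('\r', '').replace('\n', '')` before the `Get driver` log line and interpolate that instead, and apply the same treatment to `str(e)`. `run()` starts before this hunk and its `with np_driver(...)` body continues past it.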
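Review bot: The final `logger.error(f"Policy {self.name}, Hostname {sanitized_hostname}: {e}")` sanitizes the hostname but then appends `{e}` verbatim, and connection/driver exceptions raised for `scope.hostname` very likely embed the raw target string and possibly device output (inferred from the napalm call above, not visible here), so the forged-line vector re-enters through the exception message. Normalizing the message first keeps the diagnostic without the newlines: `err = str(e).replace('\r', '').replace('\n', ' ')` followed by `logger.error(f"Policy {self.name}, Hostname {sanitized_hostname}: {err}")`. This `except` closes the `try` opened earlier in `run()`, outside this hunk.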
@@ -30,7 +30,7 @@ func resolveEnv(value string) string {
 if envValue != "" {
 return envValue
 }
- fmt.Printf("error: environment variable %s is not set\n", envVar)
+ fmt.Printf("error: a provided environment variable is not set\n")
 os.Exit(1)
 }
 // Return the original value if no substitution occurs
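Review bot: Replacing the message with `"error: a provided environment variable is not set\n"` removes the only diagnostic that tells an operator which `${VAR}` placeholder failed to resolve, which makes a misconfigured deployment hard to debug without actually reducing much risk, since the variable name came from the local config file rather than a remote peer. The `%q` verb escapes control characters and quotes, so it neutralizes the log-forging concern while keeping the name, and the message belongs on stderr: `fmt.Fprintf(os.Stderr, "error: environment variable %q is not set\n", envVar)`. As written, `fmt.Printf` with a constant format and no arguments is also the pattern `go vet` flags; if the name really must be hidden, `fmt.Fprintln(os.Stderr, "error: ...")` is the idiomatic form. `resolveEnv` begins before this hunk.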