package ghsa_test

import (
	"path/filepath"
	"testing"

	"github.com/khulnasoft-lab/tunnel-db/pkg/types"
	"github.com/khulnasoft-lab/tunnel-db/pkg/vulnsrc/ghsa"
	"github.com/khulnasoft-lab/tunnel-db/pkg/vulnsrc/vulnerability"
	"github.com/khulnasoft-lab/tunnel-db/pkg/vulnsrctest"
)

// wantDataSource builds the expected "data-source" record for one GHSA
// ecosystem bucket. sourceKey is the bucket name as stored in the DB
// (e.g. "maven::GitHub Security Advisory Maven").
func wantDataSource(sourceKey, name, url string) vulnsrctest.WantValues {
	return vulnsrctest.WantValues{
		Key: []string{"data-source", sourceKey},
		Value: types.DataSource{
			ID:   vulnerability.GHSA,
			Name: name,
			URL:  url,
		},
	}
}

// wantAdvisory builds the expected "advisory-detail" record for a single
// (CVE, ecosystem bucket, package) triple.
func wantAdvisory(cveID, sourceKey, pkgName string, adv types.Advisory) vulnsrctest.WantValues {
	return vulnsrctest.WantValues{
		Key:   []string{"advisory-detail", cveID, sourceKey, pkgName},
		Value: adv,
	}
}

// wantVulnDetail builds the expected "vulnerability-detail" record; GHSA
// details are keyed under the fixed source name "ghsa".
func wantVulnDetail(cveID string, detail types.VulnerabilityDetail) vulnsrctest.WantValues {
	return vulnsrctest.WantValues{
		Key:   []string{"vulnerability-detail", cveID, "ghsa"},
		Value: detail,
	}
}

// wantVulnID builds the expected "vulnerability-id" marker record, whose
// value is an empty object.
func wantVulnID(cveID string) vulnsrctest.WantValues {
	return vulnsrctest.WantValues{
		Key:   []string{"vulnerability-id", cveID},
		Value: map[string]interface{}{},
	}
}

// swiftNIOAdvisory returns a fresh copy of the advisory shared by the three
// SwiftNIO package entries (Swift and both CocoaPods names) for CVE-2022-3215.
// A new value is returned on every call so the expectations never alias.
func swiftNIOAdvisory() types.Advisory {
	return types.Advisory{
		VendorIDs: []string{"GHSA-7fj7-39wj-c64f"},
		PatchedVersions: []string{
			"2.42.0",
			"2.39.1",
			"2.29.1",
		},
		VulnerableVersions: []string{
			">=2.41.0, <2.42.0",
			">=2.39.0, <2.39.1",
			"<2.29.1",
		},
	}
}

// happyPathValues lists every record the updater is expected to write when
// fed the fixtures under testdata/happy, in the order the test checks them.
// Titles, descriptions and references are the advisory texts as published
// upstream and are compared verbatim; the CVE-2020-8911 description carries
// the advisory's own embedded code listing, which is only round-tripped here.
func happyPathValues() []vulnsrctest.WantValues {
	return []vulnsrctest.WantValues{
		// Maven: CVE-2018-1196 / GHSA-xx65-cc7g-9pfp
		wantDataSource(
			"maven::GitHub Security Advisory Maven",
			"GitHub Security Advisory Maven",
			"https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven",
		),
		wantAdvisory("CVE-2018-1196", "maven::GitHub Security Advisory Maven", "org.springframework.boot:spring-boot", types.Advisory{
			VendorIDs:          []string{"GHSA-xx65-cc7g-9pfp"},
			PatchedVersions:    []string{"1.5.10"},
			VulnerableVersions: []string{">=1.5.0, <1.5.10"},
		}),
		wantVulnDetail("CVE-2018-1196", types.VulnerabilityDetail{
			Title:       "Moderate severity vulnerability that affects org.springframework.boot:spring-boot",
			Description: "Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the \"run_user\" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the \"run_user\" requires shell access to the server. Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.",
			References: []string{
				"https://nvd.nist.gov/vuln/detail/CVE-2018-1196",
				"https://github.com/advisories/GHSA-xx65-cc7g-9pfp",
				"https://pivotal.io/security/cve-2018-1196",
			},
			Severity:     types.SeverityMedium,
			CvssVectorV3: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
			CvssScoreV3:  5.9,
		}),
		wantVulnID("CVE-2018-1196"),

		// Cargo: CVE-2020-25792 / GHSA-mp6f-p9gp-vpj9
		wantDataSource(
			"cargo::GitHub Security Advisory Rust",
			"GitHub Security Advisory Rust",
			"https://github.com/advisories?query=type%3Areviewed+ecosystem%3Arust",
		),
		wantAdvisory("CVE-2020-25792", "cargo::GitHub Security Advisory Rust", "sized-chunks", types.Advisory{
			VendorIDs:          []string{"GHSA-mp6f-p9gp-vpj9"},
			PatchedVersions:    []string{"0.6.3"},
			VulnerableVersions: []string{"<0.6.3"},
		}),
		wantVulnDetail("CVE-2020-25792", types.VulnerabilityDetail{
			Title:       "Array size is not checked in sized-chunks",
			Description: "An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().",
			References: []string{
				"https://nvd.nist.gov/vuln/detail/CVE-2020-25792",
				"https://github.com/bodil/sized-chunks/issues/11",
				"https://github.com/bodil/sized-chunks",
				"https://rustsec.org/advisories/RUSTSEC-2020-0041.html",
			},
			Severity:     types.SeverityHigh,
			CvssVectorV3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
			CvssScoreV3:  7.5,
		}),
		wantVulnID("CVE-2020-25792"),

		// Go: CVE-2020-8911 / GHSA-f5pg-7wfw-84q9
		wantDataSource(
			"go::GitHub Security Advisory Go",
			"GitHub Security Advisory Go",
			"https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago",
		),
		wantAdvisory("CVE-2020-8911", "go::GitHub Security Advisory Go", "github.com/aws/aws-sdk-go", types.Advisory{
			VendorIDs:          []string{"GHSA-f5pg-7wfw-84q9"},
			PatchedVersions:    []string{"1.34.0"},
			VulnerableVersions: []string{"<1.34.0"},
		}),
		wantVulnDetail("CVE-2020-8911", types.VulnerabilityDetail{
			Title:       "CBC padding oracle issue in AWS S3 Crypto SDK for golang",
			Description: "### Summary\n\nThe golang AWS S3 Crypto SDK is impacted by an issue that can result in loss of confidentiality and message forgery. The attack requires write access to the bucket in question, and that the attacker has access to an endpoint that reveals decryption failures (without revealing the plaintext) and that when encrypting the CBC option was chosen as content cipher.\n\n### Risk/Severity\n\nThe vulnerability pose insider risks/privilege escalation risks, circumventing KMS controls for stored data.\n\n### Impact\n\nThis advisory describes the plaintext revealing vulnerabilities in the golang AWS S3 Crypto SDK, with a similar issue in the non \"strict\" versions of C++ and Java S3 Crypto SDKs being present as well.\n\nV1 prior to 1.34.0 of the S3 crypto SDK, allows users to encrypt files with AES-CBC, without computing a MAC on the data. Note that there is an alternative option of using AES-GCM, which is used in the examples of the documentation and not affected by this vulnerability, but by CVE-2020-8912.\n\nThis exposes a padding oracle vulnerability: If the attacker has write access to the S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file (without observing the file contents that the endpoint learns in the process), they can reconstruct the plaintext with (on average) `128*length(plaintext)` queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors.\n\nThis issue is fixed in V2 of the API, by disabling encryption with CBC mode for new files. Old files, if they have been encrypted with CBC mode, remain vulnerable until they are reencrypted with AES-GCM.\n\n### Mitigation\n\nUsing the version 2 of the S3 crypto SDK will not produce vulnerable files anymore. Old files remain vulnerable to this problem if they were originally encrypted with CBC mode.\n\n### Proof of concept\n\nA [Proof of concept](https://github.com/sophieschmieg/exploits/tree/master/aws_s3_crypto_poc) is available in a separate github repository.\n\nThis particular issue is described in [padding_oracle_exploit.go](https://github.com/sophieschmieg/exploits/blob/master/aws_s3_crypto_poc/exploit/padding_oracle_exploit.go):\n\n```golang\nfunc PaddingOracleExploit(bucket string, key string, input *OnlineAttackInput) (string, error) {\n\tdata, header, err := input.S3Mock.GetObjectDirect(bucket, key)\n\tif alg := header.Get(\"X-Amz-Meta-X-Amz-Cek-Alg\"); alg != \"AES/CBC/PKCS5Padding\" {\n\t\treturn \"\", fmt.Errorf(\"Algorithm is %q, not CBC!\", alg)\n\t}\n\tlength, err := strconv.Atoi(header.Get(\"X-Amz-Meta-X-Amz-Unencrypted-Content-Length\"))\n\tpadding := byte(len(data) - length)\n\tplaintext := make([]byte, length)\n\tfor i := length - 1; i >= 0; i-- {\n\t\tnewLength := 16 * (i/16 + 1)\n\t\tdataCopy := make([]byte, newLength)\n\t\theaderCopy := header.Clone()\n\t\tcopy(dataCopy, data)\n\t\t// Set Padding\n\t\tnewPadding := byte(newLength - i)\n\t\tfor j := i + 1; j < newLength; j++ {\n\t\t\tvar oldValue byte\n\t\t\tif j >= length {\n\t\t\t\toldValue = padding\n\t\t\t} else {\n\t\t\t\toldValue = plaintext[j]\n\t\t\t}\n\t\t\tdataCopy, headerCopy, err = xorData(oldValue^newPadding, j, dataCopy, headerCopy)\n\t\t\tif err != nil {\n\t\t\t\treturn \"\", err\n\t\t\t}\n\t\t}\n\t\t// Guess\n\t\tfor c := 0; c < 256; c++ {\n\t\t\tdataCopy, headerCopy, err := xorData(byte(c)^newPadding, i, dataCopy, headerCopy)\n\t\t\tinput.S3Mock.PutObjectDirect(bucket, key+\"guess\", dataCopy, headerCopy)\n\t\t\tif input.Oracle(bucket, key+\"guess\") {\n\t\t\t\tplaintext[i] = byte(c)\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tdataCopy, headerCopy, err = xorData(byte(c)^newPadding, i, dataCopy, headerCopy)\n\t\t}\n\t}\n\treturn string(plaintext), nil\n}\n```",
			References: []string{
				"https://github.com/google/security-research/security/advisories/GHSA-f5pg-7wfw-84q9",
				"https://nvd.nist.gov/vuln/detail/CVE-2020-8911",
				"https://github.com/aws/aws-sdk-go/pull/3403",
				"https://github.com/aws/aws-sdk-go/commit/1e84382fa1c0086362b5a4b68e068d4f8518d40e",
				"https://github.com/aws/aws-sdk-go/commit/ae9b9fd92af132cfd8d879809d8611825ba135f4",
				"https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09",
				"https://bugzilla.redhat.com/show_bug.cgi?id=1869800",
				"https://github.com/aws/aws-sdk-go",
				"https://github.com/sophieschmieg/exploits/tree/master/aws_s3_crypto_poc",
				"https://pkg.go.dev/vuln/GO-2022-0646",
			},
			Severity:     types.SeverityMedium,
			CvssVectorV3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
			CvssScoreV3:  8.8,
		}),
		wantVulnID("CVE-2020-8911"),

		// Swift + CocoaPods: CVE-2022-3215 / GHSA-7fj7-39wj-c64f. The same
		// advisory is expected once for the Swift package and once for each
		// CocoaPods pod name the fixture maps it to.
		wantDataSource(
			"swift::GitHub Security Advisory Swift",
			"GitHub Security Advisory Swift",
			"https://github.com/advisories?query=type%3Areviewed+ecosystem%3Aswift",
		),
		wantAdvisory("CVE-2022-3215", "swift::GitHub Security Advisory Swift", "github.com/apple/swift-nio", swiftNIOAdvisory()),
		wantDataSource(
			"cocoapods::GitHub Security Advisory Swift",
			"GitHub Security Advisory Swift",
			"https://github.com/advisories?query=type%3Areviewed+ecosystem%3Aswift",
		),
		wantAdvisory("CVE-2022-3215", "cocoapods::GitHub Security Advisory Swift", "SwiftNIO", swiftNIOAdvisory()),
		wantAdvisory("CVE-2022-3215", "cocoapods::GitHub Security Advisory Swift", "_NIODataStructures", swiftNIOAdvisory()),
		wantVulnDetail("CVE-2022-3215", types.VulnerabilityDetail{
			Title:       "SwiftNIO vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')",
			Description: "`NIOHTTP1` and projects using it for generating HTTP responses, including SwiftNIO, can be subject to a HTTP Response Injection attack. This occurs when a HTTP/1.1 server accepts user generated input from an incoming request and reflects it into a HTTP/1.1 response header in some form. A malicious user can add newlines to their input (usually in encoded form) and \"inject\" those newlines into the returned HTTP response.\n\nThis capability allows users to work around security headers and HTTP/1.1 framing headers by injecting entirely false responses or other new headers. The injected false responses may also be treated as the response to subsequent requests, which can lead to XSS, cache poisoning, and a number of other flaws.\n\nThis issue was resolved by adding a default channel handler that polices outbound headers. This channel handler is added by default to channel pipelines, but can be removed by users if they are doing this validation themselves.",
			References: []string{
				"https://github.com/apple/swift-nio/security/advisories/GHSA-7fj7-39wj-c64f",
				"https://nvd.nist.gov/vuln/detail/CVE-2022-3215",
				"https://github.com/apple/swift-nio/commit/a16e2f54a25b2af217044e5168997009a505930f",
				"https://github.com/apple/swift-nio",
			},
			Severity:     types.SeverityMedium,
			CvssVectorV3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
			CvssScoreV3:  5.3,
		}),
		wantVulnID("CVE-2022-3215"),
	}
}

// TestVulnSrc_Update drives the GHSA updater over on-disk fixtures and checks
// the records it writes, plus the error it reports for broken or missing
// fixture directories.
func TestVulnSrc_Update(t *testing.T) {
	cases := []struct {
		name    string
		dir     string
		want    []vulnsrctest.WantValues
		wantErr string
	}{
		{
			name: "happy path",
			dir:  filepath.Join("testdata", "happy"),
			want: happyPathValues(),
		},
		{
			// NOTE(review): this substring is the wording of the os package's
			// not-found error on Unix-like systems; it is not what Windows
			// reports, so this case (and the cocoapods one below) are
			// effectively Unix-only as written.
			name:    "sad path (dir doesn't exist)",
			dir:     filepath.Join("testdata", "badPath"),
			wantErr: "no such file or directory",
		},
		{
			name:    "sad path (failed to decode)",
			dir:     filepath.Join("testdata", "sad"),
			wantErr: "JSON decode error",
		},
		{
			// Pointing at the testdata root means the expected
			// cocoapods-specs directory is absent.
			name:    "sad path (cocoapods-specs doesn't exist)",
			dir:     "testdata",
			wantErr: "no such file or directory",
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			vulnsrctest.TestUpdate(t, ghsa.NewVulnSrc(), vulnsrctest.TestUpdateArgs{
				Dir:        tc.dir,
				WantValues: tc.want,
				WantErr:    tc.wantErr,
			})
		})
	}
}