github.com/khulnasoft-lab/tunnel-db@v0.0.0-20231117205118-74e1113bd007/pkg/vulnsrc/ghsa/ghsa_test.go (about)

     1  package ghsa_test
     2  
     3  import (
     4  	"path/filepath"
     5  	"testing"
     6  
     7  	"github.com/khulnasoft-lab/tunnel-db/pkg/types"
     8  	"github.com/khulnasoft-lab/tunnel-db/pkg/vulnsrc/ghsa"
     9  	"github.com/khulnasoft-lab/tunnel-db/pkg/vulnsrc/vulnerability"
    10  	"github.com/khulnasoft-lab/tunnel-db/pkg/vulnsrctest"
    11  )
    12  
// TestVulnSrc_Update drives the GHSA source through vulnsrctest.TestUpdate
// against the fixtures under testdata. The happy path pins every key/value
// pair the update is expected to write (one data-source record per
// ecosystem, then the advisory-detail, vulnerability-detail and
// vulnerability-id records for each CVE); the sad paths pin the error
// message expected for a missing directory, undecodable JSON and a missing
// cocoapods-specs directory.
func TestVulnSrc_Update(t *testing.T) {
	// source builds the data-source record written for one ecosystem.
	// The key is "<ecosystem>::<name>" and the URL is the reviewed-advisory
	// query for that ecosystem on github.com.
	source := func(ecosystem, name, query string) vulnsrctest.WantValues {
		return vulnsrctest.WantValues{
			Key: []string{"data-source", ecosystem + "::" + name},
			Value: types.DataSource{
				ID:   vulnerability.GHSA,
				Name: name,
				URL:  "https://github.com/advisories?query=type%3Areviewed+ecosystem%3A" + query,
			},
		}
	}

	// vulnID builds the (empty) vulnerability-id marker written for a CVE.
	vulnID := func(cveID string) vulnsrctest.WantValues {
		return vulnsrctest.WantValues{
			Key:   []string{"vulnerability-id", cveID},
			Value: map[string]interface{}{},
		}
	}

	// swiftNIO returns a fresh copy of the advisory expected for every package
	// affected by CVE-2022-3215; the Swift and CocoaPods entries carry the
	// same vendor ID and version ranges.
	swiftNIO := func() types.Advisory {
		return types.Advisory{
			VendorIDs:       []string{"GHSA-7fj7-39wj-c64f"},
			PatchedVersions: []string{"2.42.0", "2.39.1", "2.29.1"},
			VulnerableVersions: []string{
				">=2.41.0, <2.42.0",
				">=2.39.0, <2.39.1",
				"<2.29.1",
			},
		}
	}

	// Data-source keys, as they appear inside advisory-detail keys.
	const (
		mavenSrc     = "maven::GitHub Security Advisory Maven"
		cargoSrc     = "cargo::GitHub Security Advisory Rust"
		goSrc        = "go::GitHub Security Advisory Go"
		swiftSrc     = "swift::GitHub Security Advisory Swift"
		cocoapodsSrc = "cocoapods::GitHub Security Advisory Swift"
	)

	// happy lists, in write order, every record expected from testdata/happy.
	happy := []vulnsrctest.WantValues{
		// Maven: CVE-2018-1196 / GHSA-xx65-cc7g-9pfp
		source("maven", "GitHub Security Advisory Maven", "maven"),
		{
			Key: []string{"advisory-detail", "CVE-2018-1196", mavenSrc, "org.springframework.boot:spring-boot"},
			Value: types.Advisory{
				VendorIDs:          []string{"GHSA-xx65-cc7g-9pfp"},
				PatchedVersions:    []string{"1.5.10"},
				VulnerableVersions: []string{">=1.5.0, <1.5.10"},
			},
		},
		{
			Key: []string{"vulnerability-detail", "CVE-2018-1196", "ghsa"},
			Value: types.VulnerabilityDetail{
				Title:       "Moderate severity vulnerability that affects org.springframework.boot:spring-boot",
				Description: "Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the \"run_user\" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the \"run_user\" requires shell access to the server. Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.",
				References: []string{
					"https://nvd.nist.gov/vuln/detail/CVE-2018-1196",
					"https://github.com/advisories/GHSA-xx65-cc7g-9pfp",
					"https://pivotal.io/security/cve-2018-1196",
				},
				Severity:     types.SeverityMedium,
				CvssVectorV3: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
				CvssScoreV3:  5.9,
			},
		},
		vulnID("CVE-2018-1196"),

		// Cargo: CVE-2020-25792 / GHSA-mp6f-p9gp-vpj9
		source("cargo", "GitHub Security Advisory Rust", "rust"),
		{
			Key: []string{"advisory-detail", "CVE-2020-25792", cargoSrc, "sized-chunks"},
			Value: types.Advisory{
				VendorIDs:          []string{"GHSA-mp6f-p9gp-vpj9"},
				PatchedVersions:    []string{"0.6.3"},
				VulnerableVersions: []string{"<0.6.3"},
			},
		},
		{
			Key: []string{"vulnerability-detail", "CVE-2020-25792", "ghsa"},
			Value: types.VulnerabilityDetail{
				Title:       "Array size is not checked in sized-chunks",
				Description: "An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().",
				References: []string{
					"https://nvd.nist.gov/vuln/detail/CVE-2020-25792",
					"https://github.com/bodil/sized-chunks/issues/11",
					"https://github.com/bodil/sized-chunks",
					"https://rustsec.org/advisories/RUSTSEC-2020-0041.html",
				},
				Severity:     types.SeverityHigh,
				CvssVectorV3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
				CvssScoreV3:  7.5,
			},
		},
		vulnID("CVE-2020-25792"),

		// Go: CVE-2020-8911 / GHSA-f5pg-7wfw-84q9
		source("go", "GitHub Security Advisory Go", "go"),
		{
			Key: []string{"advisory-detail", "CVE-2020-8911", goSrc, "github.com/aws/aws-sdk-go"},
			Value: types.Advisory{
				VendorIDs:          []string{"GHSA-f5pg-7wfw-84q9"},
				PatchedVersions:    []string{"1.34.0"},
				VulnerableVersions: []string{"<1.34.0"},
			},
		},
		{
			Key: []string{"vulnerability-detail", "CVE-2020-8911", "ghsa"},
			Value: types.VulnerabilityDetail{
				Title: "CBC padding oracle issue in AWS S3 Crypto SDK for golang",
				// The description is the advisory body verbatim, markdown and all.
				Description: "### Summary\n\nThe golang AWS S3 Crypto SDK is impacted by an issue that can result in loss of confidentiality and message forgery. The attack requires write access to the bucket in question, and that the attacker has access to an endpoint that reveals decryption failures (without revealing the plaintext) and that when encrypting the CBC option was chosen as content cipher.\n\n### Risk/Severity\n\nThe vulnerability pose insider risks/privilege escalation risks, circumventing KMS controls for stored data.\n\n### Impact\n\nThis advisory describes the plaintext revealing vulnerabilities in the golang AWS S3 Crypto SDK, with a similar issue in the non \"strict\" versions of C++ and Java S3 Crypto SDKs being present as well.\n\nV1 prior to 1.34.0 of the S3 crypto SDK, allows users to encrypt files with AES-CBC, without computing a MAC on the data. Note that there is an alternative option of using AES-GCM, which is used in the examples of the documentation and not affected by this vulnerability, but by CVE-2020-8912.\n\nThis exposes a padding oracle vulnerability: If the attacker has write access to the S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file (without observing the file contents that the endpoint learns in the process), they can reconstruct the plaintext with (on average) `128*length(plaintext)` queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors.\n\nThis issue is fixed in V2 of the API, by disabling encryption with CBC mode for new files. Old files, if they have been encrypted with CBC mode, remain vulnerable until they are reencrypted with AES-GCM.\n\n### Mitigation\n\nUsing the version 2 of the S3 crypto SDK will not produce vulnerable files anymore. Old files remain vulnerable to this problem if they were originally encrypted with CBC mode.\n\n### Proof of concept\n\nA [Proof of concept](https://github.com/sophieschmieg/exploits/tree/master/aws_s3_crypto_poc) is available in a separate github repository.\n\nThis particular issue is described in [padding_oracle_exploit.go](https://github.com/sophieschmieg/exploits/blob/master/aws_s3_crypto_poc/exploit/padding_oracle_exploit.go):\n\n```golang\nfunc PaddingOracleExploit(bucket string, key string, input *OnlineAttackInput) (string, error) {\n\tdata, header, err := input.S3Mock.GetObjectDirect(bucket, key)\n\tif alg := header.Get(\"X-Amz-Meta-X-Amz-Cek-Alg\"); alg != \"AES/CBC/PKCS5Padding\" {\n\t\treturn \"\", fmt.Errorf(\"Algorithm is %q, not CBC!\", alg)\n\t}\n\tlength, err := strconv.Atoi(header.Get(\"X-Amz-Meta-X-Amz-Unencrypted-Content-Length\"))\n\tpadding := byte(len(data) - length)\n\tplaintext := make([]byte, length)\n\tfor i := length - 1; i >= 0; i-- {\n\t\tnewLength := 16 * (i/16 + 1)\n\t\tdataCopy := make([]byte, newLength)\n\t\theaderCopy := header.Clone()\n\t\tcopy(dataCopy, data)\n\t\t// Set Padding\n\t\tnewPadding := byte(newLength - i)\n\t\tfor j := i + 1; j < newLength; j++ {\n\t\t\tvar oldValue byte\n\t\t\tif j >= length {\n\t\t\t\toldValue = padding\n\t\t\t} else {\n\t\t\t\toldValue = plaintext[j]\n\t\t\t}\n\t\t\tdataCopy, headerCopy, err = xorData(oldValue^newPadding, j, dataCopy, headerCopy)\n\t\t\tif err != nil {\n\t\t\t\treturn \"\", err\n\t\t\t}\n\t\t}\n\t\t// Guess\n\t\tfor c := 0; c < 256; c++ {\n\t\t\tdataCopy, headerCopy, err := xorData(byte(c)^newPadding, i, dataCopy, headerCopy)\n\t\t\tinput.S3Mock.PutObjectDirect(bucket, key+\"guess\", dataCopy, headerCopy)\n\t\t\tif input.Oracle(bucket, key+\"guess\") {\n\t\t\t\tplaintext[i] = byte(c)\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tdataCopy, headerCopy, err = xorData(byte(c)^newPadding, i, dataCopy, headerCopy)\n\t\t}\n\t}\n\treturn string(plaintext), nil\n}\n```",
				References: []string{
					"https://github.com/google/security-research/security/advisories/GHSA-f5pg-7wfw-84q9",
					"https://nvd.nist.gov/vuln/detail/CVE-2020-8911",
					"https://github.com/aws/aws-sdk-go/pull/3403",
					"https://github.com/aws/aws-sdk-go/commit/1e84382fa1c0086362b5a4b68e068d4f8518d40e",
					"https://github.com/aws/aws-sdk-go/commit/ae9b9fd92af132cfd8d879809d8611825ba135f4",
					"https://aws.amazon.com/blogs/developer/updates-to-the-amazon-s3-encryption-client/?s=09",
					"https://bugzilla.redhat.com/show_bug.cgi?id=1869800",
					"https://github.com/aws/aws-sdk-go",
					"https://github.com/sophieschmieg/exploits/tree/master/aws_s3_crypto_poc",
					"https://pkg.go.dev/vuln/GO-2022-0646",
				},
				// Severity is taken from the fixture as-is, independent of the score.
				Severity:     types.SeverityMedium,
				CvssVectorV3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
				CvssScoreV3:  8.8,
			},
		},
		vulnID("CVE-2020-8911"),

		// Swift + CocoaPods: CVE-2022-3215 / GHSA-7fj7-39wj-c64f. The same
		// advisory is written once under the Swift source and once per
		// CocoaPods pod name, followed by a single vulnerability-detail record.
		source("swift", "GitHub Security Advisory Swift", "swift"),
		{
			Key:   []string{"advisory-detail", "CVE-2022-3215", swiftSrc, "github.com/apple/swift-nio"},
			Value: swiftNIO(),
		},
		source("cocoapods", "GitHub Security Advisory Swift", "swift"),
		{
			Key:   []string{"advisory-detail", "CVE-2022-3215", cocoapodsSrc, "SwiftNIO"},
			Value: swiftNIO(),
		},
		{
			Key:   []string{"advisory-detail", "CVE-2022-3215", cocoapodsSrc, "_NIODataStructures"},
			Value: swiftNIO(),
		},
		{
			Key: []string{"vulnerability-detail", "CVE-2022-3215", "ghsa"},
			Value: types.VulnerabilityDetail{
				Title:       "SwiftNIO vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')",
				Description: "`NIOHTTP1` and projects using it for generating HTTP responses, including SwiftNIO, can be subject to a HTTP Response Injection attack. This occurs when a HTTP/1.1 server accepts user generated input from an incoming request and reflects it into a HTTP/1.1 response header in some form. A malicious user can add newlines to their input (usually in encoded form) and \"inject\" those newlines into the returned HTTP response.\n\nThis capability allows users to work around security headers and HTTP/1.1 framing headers by injecting entirely false responses or other new headers. The injected false responses may also be treated as the response to subsequent requests, which can lead to XSS, cache poisoning, and a number of other flaws.\n\nThis issue was resolved by adding a default channel handler that polices outbound headers. This channel handler is added by default to channel pipelines, but can be removed by users if they are doing this validation themselves.",
				References: []string{
					"https://github.com/apple/swift-nio/security/advisories/GHSA-7fj7-39wj-c64f",
					"https://nvd.nist.gov/vuln/detail/CVE-2022-3215",
					"https://github.com/apple/swift-nio/commit/a16e2f54a25b2af217044e5168997009a505930f",
					"https://github.com/apple/swift-nio",
				},
				Severity:     types.SeverityMedium,
				CvssVectorV3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
				CvssScoreV3:  5.3,
			},
		},
		vulnID("CVE-2022-3215"),
	}

	tests := []struct {
		name       string
		dir        string
		wantValues []vulnsrctest.WantValues
		wantErr    string
	}{
		{
			name:       "happy path",
			dir:        filepath.Join("testdata", "happy"),
			wantValues: happy,
		},
		{
			name:    "sad path (dir doesn't exist)",
			dir:     filepath.Join("testdata", "badPath"),
			wantErr: "no such file or directory",
		},
		{
			name:    "sad path (failed to decode)",
			dir:     filepath.Join("testdata", "sad"),
			wantErr: "JSON decode error",
		},
		{
			// The top-level testdata directory has no cocoapods-specs
			// subtree, so the update must fail on the missing path.
			name:    "sad path (cocoapods-specs doesn't exist)",
			dir:     "testdata",
			wantErr: "no such file or directory",
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			// vulnsrctest.TestUpdate runs the source's Update against tc.dir
			// and asserts the written records / returned error for us.
			vulnsrctest.TestUpdate(t, ghsa.NewVulnSrc(), vulnsrctest.TestUpdateArgs{
				Dir:        tc.dir,
				WantValues: tc.wantValues,
				WantErr:    tc.wantErr,
			})
		})
	}
}