Skip to content

Commit

Permalink
Fix CSV injection vulnerability (#355)
Browse files Browse the repository at this point in the history 
See GHSA-fqh6-v4qp-65fv, thanks to @iodn for reporting.

(Also fixes broken build scripts for development, and the test pipeline. K8s changed repo details :/)
  • Loading branch information
@thinkst-marco
thinkst-marco authored Mar 6, 2024
1 parent ffa180a commit c595a1f
Show file tree
Hide file tree
Showing 5 changed files with 21 additions and 20 deletions.
19 changes: 7 additions & 12 deletions .devcontainer/library-scripts/custom-installs.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,22 +16,17 @@ chmod +x terraform-docs
mv terraform-docs /usr/local/terraform-docs

# Install mysql (default repos are broken for buster)
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys B7B3B788A8D3785C
wget https://dev.mysql.com/get/mysql-apt-config_0.8.22-1_all.deb
DEBIAN_FRONTEND=noninteractive dpkg -i mysql-apt-config_0.8.22-1_all.deb
apt update
DEBIAN_FRONTEND=noninteractive apt-get install -y mysql-client

apt install -y wireguard-tools

# curl -sSL https://install.python-poetry.org | POETRY_HOME=/home/vscode/.local python -
# /home/vscode/.local/bin/poetry config virtualenvs.in-project true

# wget https://golang.org/dl/go1.18.2.linux-amd64.tar.gz
# tar -C /usr/local -xzf go1.18.2.linux-amd64.tar.gz
# /usr/local/go/bin/go install github.com/aquasecurity/tfsec/cmd/tfsec@latest

sudo curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://dl.k8s.io/apt/doc/apt-key.gpg
sudo install -o root -g root -m 644 /usr/share/keyrings/kubernetes-archive-keyring.gpg /etc/apt/trusted.gpg.d/
sudo echo "deb [signed-by=/etc/apt/trusted.gpg.d/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt-get update -y
sudo apt-get install -y kubectl
mkdir -p /etc/apt/keyrings
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 234654DA9A296436
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.28/deb/ /' | tee /etc/apt/sources.list.d/kubernetes.list
apt-get update -y
apt-get install -y kubectl=1.28.1-1.1
3 changes: 0 additions & 3 deletions .github/workflows/test.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -79,10 +79,7 @@ jobs:
poetry config virtualenvs.in-project true
sudo apt-get update -y
sudo apt-get install -y apt-transport-https ca-certificates curl
sudo curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://dl.k8s.io/apt/doc/apt-key.gpg
echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt-get update -y
sudo apt-get install -y kubectl
sudo apt-get install -y osslsigncode
sudo apt install redis-tools
- name: Set up cache
Expand Down
4 changes: 2 additions & 2 deletions aws-css-token-infra/CSSClonedSiteCFFunc/index.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -50,8 +50,8 @@ function handler(event) {
if (referer == '')
console.log("Empty/missing Referer header for: " + expected_referrer);

if (expected_referrer == '' || referer == '' || referer_origin.endsWith(expected_referrer) || referer_origin.endsWith(event.context.distributionDomainName)) {
// Happy case where the referer matches
if (expected_referrer == '' || referer == '' || referer_origin.endsWith(expected_referrer) || referer_origin.endsWith(event.context.distributionDomainName)) {
// Happy case where the referer matches
return matching_ref_response;
}
if (expected_referrer.endsWith('microsoftonline.com') && referer_origin.endsWith('login.microsoft.com')) {
Expand Down
13 changes: 11 additions & 2 deletions canarytokens/canarydrop.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -457,8 +457,12 @@ def alerting(self) -> None:
self.user.do_accounting(canarydrop=self)

def get_csv_incident_list(self) -> str:
def escape_csv_field(data) -> str:
data = f"'{data}"
return data

csvOutput = io.StringIO()
writer = csv.writer(csvOutput)
writer = csv.writer(csvOutput, quoting=csv.QUOTE_ALL)

if len(self.triggered_details.hits) > 0: # pragma: no cover
hit_class_dict = dict(self.triggered_details.hits[0])
Expand All @@ -476,7 +480,12 @@ def get_csv_incident_list(self) -> str:
hit_dict = dict(hit)
data = [hit_id]
for key in headers:
data.append(hit_dict.get(key, "N/A"))
csv_field = hit_dict.get(key, "N/A")

# The row includeds non-str objects, but they are all passed through __str__() by CSV writer,
# so we sanitise those and add strings only to the row.
csv_field = escape_csv_field(csv_field.__str__())
data.append(csv_field)
writer.writerow(data)
else:
writer.writerow("the token has not been triggered")
Expand Down
2 changes: 1 addition & 1 deletion canarytokens/channel_dns.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -112,7 +112,7 @@ def _do_ns_response(self, name=None):
),
type=dns.NS,
auth=True,
ttl=300
ttl=300,
)
additional = dns.RRHeader(
name=".".join(["ns1", name.decode()]),
Expand Down

0 comments on commit c595a1f

Please sign in to comment.