Fix code scanning alert #9: Server-side request forgery #3

Closed. Wants to merge 2 commits.
88 changes: 53 additions & 35 deletions fastlane/helper/plugin_scores_helper.rb
@@ -235,48 +235,66 @@
end
end

# Validate the GitHub URL against a whitelist
def valid_github_url?(url)
allowed_urls = [
"https://github.com/fastlane/fastlane",
# Add more allowed URLs here
]
allowed_urls.any? { |allowed_url| url.start_with?(allowed_url) }
end

# Everything from the GitHub API (e.g. open issues and stars)
ALLOWED_GITHUB_REPOS = [
"https://github.com/fastlane/fastlane",
"https://github.com/fastlane/other-repo"
]

def append_github_data
# e.g. https://api.github.com/repos/fastlane/fastlane
url = self.homepage.gsub("github.com/", "api.github.com/repos/")
url = url[0..-2] if url.end_with?("/") # what is this, 2001? We got to remove the trailing `/` otherwise GitHub will fail
puts("Fetching #{url}")
conn = Faraday.new(url: url) do |builder|
# The order below IS important
# See bug here https://github.com/lostisland/faraday_middleware/issues/105
builder.use(FaradayMiddleware::FollowRedirects)
builder.adapter(Faraday.default_adapter)
end
conn.basic_auth(ENV["GITHUB_USER_NAME"], ENV["GITHUB_API_TOKEN"])
response = conn.get('')
repo_details = JSON.parse(response.body)

url += "/stats/contributors"
puts("Fetching #{url}")
conn = Faraday.new(url: url) do |builder|
# The order below IS important
# See bug here https://github.com/lostisland/faraday_middleware/issues/105
builder.use(FaradayMiddleware::FollowRedirects)
builder.adapter(Faraday.default_adapter)
end
if valid_github_url?(self.homepage) && ALLOWED_GITHUB_REPOS.include?(self.homepage)
url = self.homepage.gsub("github.com/", "api.github.com/repos/")
url = url[0..-2] if url.end_with?("/") # what is this, 2001? We got to remove the trailing `/` otherwise GitHub will fail
puts("Fetching #{url}")
conn = Faraday.new(url: url) do |builder|
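Review bot: the allowlist in this hunk resolves the alert by removing the feature. `append_github_data` exists to fetch stars, issues and contributor counts for whatever repository a plugin's homepage points at, so restricting `self.homepage` to two hard-coded fastlane repositories means every other plugin now fails validation. A mitigation that keeps the behaviour is to parse the homepage with `URI`, require scheme `https` and host exactly `github.com`, take only the owner and repo path segments, and build the API URL from those components instead of running `gsub("github.com/", "api.github.com/repos/")` over the raw string. Two smaller points: `valid_github_url?` uses `start_with?`, a prefix match that accepts any homepage merely beginning with the allowed string, and is only safe here because the `if` also requires `ALLOWED_GITHUB_REPOS.include?(self.homepage)`, which makes the prefix check redundant (keep one list, compare exact normalised values); and the comment `# Everything from the GitHub API (e.g. open issues and stars)` now sits above the new constant rather than above `append_github_data`, which it describes.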

Check failure: Code scanning / CodeQL

Server-side request forgery (Critical): The URL of this request depends on a user-provided value.

Copilot Autofix AI 3 months ago

To fix the SSRF vulnerability, we need to ensure that the URL used in the Faraday.new request is strictly validated against a list of allowed URLs. This can be achieved by enhancing the valid_github_url? method to perform a more thorough validation and ensuring that the URL is fully matched against the ALLOWED_GITHUB_REPOS list.

  1. Enhance the valid_github_url? method to perform a full match against the allowed URLs.
  2. Ensure that the URL used in the Faraday.new request is strictly validated.
Suggested changeset 1: fastlane/helper/plugin_scores_helper.rb

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/fastlane/helper/plugin_scores_helper.rb b/fastlane/helper/plugin_scores_helper.rb
--- a/fastlane/helper/plugin_scores_helper.rb
+++ b/fastlane/helper/plugin_scores_helper.rb
@@ -243,3 +243,3 @@
           ]
-          allowed_urls.any? { |allowed_url| url.start_with?(allowed_url) }
+          allowed_urls.include?(url)
         end
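Review bot: replacing `start_with?` with `include?` turns `valid_github_url?` into an exact string comparison, but the caller only strips a trailing `/` later (`url = url[0..-2] if url.end_with?("/")`), so a homepage with a trailing slash, which the prefix check accepted, is now rejected before that normalisation runs. Normalise first (strip the trailing slash, downcase the host) or compare parsed components rather than raw strings.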
@@ -254,3 +254,3 @@
           # e.g. https://api.github.com/repos/fastlane/fastlane
-          if valid_github_url?(self.homepage) && ALLOWED_GITHUB_REPOS.include?(self.homepage)
+          if valid_github_url?(self.homepage)
             url = self.homepage.gsub("github.com/", "api.github.com/repos/")
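Review bot: dropping `ALLOWED_GITHUB_REPOS.include?(self.homepage)` leaves the `ALLOWED_GITHUB_REPOS` constant unused, and its second entry `https://github.com/fastlane/other-repo` is absent from `allowed_urls` inside `valid_github_url?`, so that repository is no longer accepted anywhere. Two parallel allowlists that drift apart is exactly the inconsistency an autofix should remove, not create: keep a single constant and have `valid_github_url?` consult it.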
EOF
# The order below IS important
# See bug here https://github.com/lostisland/faraday_middleware/issues/105
builder.use(FaradayMiddleware::FollowRedirects)
builder.adapter(Faraday.default_adapter)
end
conn.basic_auth(ENV["GITHUB_USER_NAME"], ENV["GITHUB_API_TOKEN"])
response = conn.get('')
repo_details = JSON.parse(response.body)

url += "/stats/contributors"
puts("Fetching #{url}")
conn = Faraday.new(url: url) do |builder|
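Review bot: this second `Faraday.new(url: url)` is flagged for the same reason as the first: `url` was derived from `self.homepage` by string substitution and then had `/stats/contributors` appended, so the same untrusted value reaches the request. Building `url` once from validated owner/repo components with the host fixed to `api.github.com` addresses both alerts at their common source; adding another allowlist check here would only duplicate the guard.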

Check failure: Code scanning / CodeQL

Server-side request forgery (Critical): The URL of this request depends on a user-provided value.
# The order below IS important
# See bug here https://github.com/lostisland/faraday_middleware/issues/105
builder.use(FaradayMiddleware::FollowRedirects)
builder.adapter(Faraday.default_adapter)
end

conn.basic_auth(ENV["GITHUB_USER_NAME"], ENV["GITHUB_API_TOKEN"])
response = conn.get('')
contributor_details = JSON.parse(response.body)
conn.basic_auth(ENV["GITHUB_USER_NAME"], ENV["GITHUB_API_TOKEN"])
response = conn.get('')
contributor_details = JSON.parse(response.body)

self.data[:github_stars] = repo_details["stargazers_count"].to_i
self.data[:github_subscribers] = repo_details["subscribers_count"].to_i
self.data[:github_issues] = repo_details["open_issues_count"].to_i
self.data[:github_forks] = repo_details["forks_count"].to_i
self.data[:github_contributors] = contributor_details.count
self.data[:github_stars] = repo_details["stargazers_count"].to_i
self.data[:github_subscribers] = repo_details["subscribers_count"].to_i
self.data[:github_issues] = repo_details["open_issues_count"].to_i
self.data[:github_forks] = repo_details["forks_count"].to_i
self.data[:github_contributors] = contributor_details.count

cache_data = self.cache[self.name]
cache_data = self.cache[self.name]

cache_data[:github_stars] = self.data[:github_stars]
cache_data[:github_subscribers] = self.data[:github_subscribers]
cache_data[:github_issues] = self.data[:github_issues]
cache_data[:github_forks] = self.data[:github_forks]
cache_data[:github_contributors] = self.data[:github_contributors]
cache_data[:github_stars] = self.data[:github_stars]
cache_data[:github_subscribers] = self.data[:github_subscribers]
cache_data[:github_issues] = self.data[:github_issues]
cache_data[:github_forks] = self.data[:github_forks]
cache_data[:github_contributors] = self.data[:github_contributors]
else
raise "Invalid or unauthorized GitHub URL: #{self.homepage}"
end
rescue => ex
puts("error fetching #{self}")
puts(self.homepage)
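Review bot: the `raise "Invalid or unauthorized GitHub URL: ..."` in the `else` branch is caught by the method's own `rescue => ex` a few lines below, which only prints `error fetching #{self}` and the homepage. A rejected homepage is therefore logged exactly like a transient GitHub API failure, and the `github_*` fields silently stay unset. Either return before the body so the rescue does not apply, or give the rejection its own log message so a reviewer can tell a policy rejection from a network error. The duplicated old/new lines in this region look like indentation-only changes from wrapping the body in the `if`; checking with `git diff -w` would confirm nothing else changed.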
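A component-based alternative to the string allowlist discussed in the CodeQL alert and the Copilot suggestion above, as an added example that is not fastlane's code: it parses the homepage with Ruby's `URI`, pins the scheme and host, and derives the API URLs from the owner/repo path segments only, so the request host can never come from input. `github_repo_from_homepage`, `github_api_urls` and `OWNER_REPO_SEGMENT` are hypothetical names, and the assumed valid form of a homepage is `https://github.com/<owner>/<repo>` with an optional trailing slash.

```ruby
require "uri"

# Added example, not fastlane's code. Owner and repo names are restricted to a
# conservative character set; the host and scheme are fixed, not taken from input.
OWNER_REPO_SEGMENT = /\A[A-Za-z0-9][A-Za-z0-9._-]*\z/

# Returns [owner, repo] for an acceptable GitHub homepage, or nil.
# Assumed valid form: https://github.com/<owner>/<repo>[/]
def github_repo_from_homepage(homepage)
  uri = URI.parse(homepage.to_s)
  return nil unless uri.is_a?(URI::HTTPS)       # scheme must be https (URI::HTTP is rejected)
  return nil unless uri.host == "github.com"    # exact host match, not a prefix match
  return nil unless uri.userinfo.nil? && uri.query.nil? && uri.fragment.nil?

  segments = uri.path.split("/").reject(&:empty?) # tolerates a trailing "/"
  return nil unless segments.length == 2          # exactly owner and repo
  owner, repo = segments
  return nil unless [owner, repo].all? { |s| s.match?(OWNER_REPO_SEGMENT) }
  [owner, repo]
rescue URI::InvalidURIError
  nil                                             # unparsable input is rejected, not rewritten
end

# Builds the two API URLs the helper needs from validated components only.
# Returns nil when the homepage is not acceptable, so the caller can log and skip.
def github_api_urls(homepage)
  owner, repo = github_repo_from_homepage(homepage)
  return nil if owner.nil?
  base = "https://api.github.com/repos/#{owner}/#{repo}"
  { repo: base, contributors: "#{base}/stats/contributors" }
end
```

In the helper, `Faraday.new(url: urls[:repo])` and `Faraday.new(url: urls[:contributors])` would then receive URLs whose host is a literal in the code, which is the property the scanner is looking for.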