Bump dependencies#3479
Conversation
Codecov Report: all modified and coverable lines are covered by tests.

Coverage Diff (main vs. #3479):

              main    #3479    +/-
  ==================================
  Coverage   79.25%   79.23%  -0.02%
  ==================================
  Files        689      689
  Lines      57293    57293
  Branches     728      728
  ==================================
  Hits       45406    45396     -10
  Misses     11809    11819     +10
  Partials      78       78

Flags with carried forward coverage won't be shown.
| arches.zip(new_paths).each do |arch, path| | ||
| url = "https://github.com/versity/versitygw/releases/download/#{version}/versitygw_#{version}_Linux_#{arch}.tar.gz" | ||
| puts " Downloading #{url}" | ||
| unless system("curl -fSL #{url} -o #{path}") |
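Review bot: on the last line `version` (and the `path` derived from it) is interpolated into a single shell string handed to `system`, so any shell metacharacters in `version` are executed by the shell rather than passed to curl. Use the argv form, `system('curl', '-fSL', '-o', path, '--', url)`, which spawns curl directly without a shell, and reject any `version` that is not a plain release tag before building `url`. Since the tarball is fetched over the network and unpacked later, it is also worth verifying it against a published checksum before use.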
Possible command injection via exec()-type functions - critical severity
Ruby has many ways to do system calls, including syscall, system, exec, but also %x() and the use of backticks. Backticks (``) in Ruby are very dangerous and counter-intuitive. These are not single quotes ('). Ruby automatically attempts to execute the contents of the backticks as a shell command and the output will be returned.
Remediation: If possible, avoid using these functions altogether. If not, use a list of allowed inputs that can feed into these functions.
| # True if both Linux release tarballs for `version` already exist in openc3-buckets. | ||
| def versitygw_binaries_present?(version) | ||
| %w[arm64 x86_64].all? do |arch| | ||
| File.exist?(File.join(ROOT_DIR, 'openc3-buckets', "versitygw_#{version}_Linux_#{arch}.tar.gz")) |
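Review bot: `version` is spliced into the file name with no check, so a value containing `/` or `..` makes `File.exist?` probe paths outside `openc3-buckets`. Validate `version` against a strict pattern at the top of the method (the download URL in this same PR uses the bare `versitygw_#{version}_Linux_#{arch}.tar.gz` layout, so anything beyond digits and dots is suspect), and consider expanding the resulting path and asserting it still starts with the buckets directory as a second line of defence.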
Path traversal attack possible - high severity
A malicious actor could control the location of this file, which may allow them to retrieve, write or delete files outside of the intended folder.
Remediation: To address this, ensure that user-controlled variables in file paths are sanitized at least to not contain '..' or forward slashes.
| def download_versitygw_binaries(version) | ||
| buckets_dir = File.join(ROOT_DIR, 'openc3-buckets') | ||
| arches = %w[arm64 x86_64] | ||
| new_paths = arches.map { |arch| File.join(buckets_dir, "versitygw_#{version}_Linux_#{arch}.tar.gz") } |
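Review bot: the same unchecked `version` flows into `new_paths` here, and the file-name construction now exists in two places (this method and `versitygw_binaries_present?`), so a fix applied to one can drift from the other. Pull it into one helper, e.g. `versitygw_tarball_path(version, arch)`, that validates `version`, builds the name under `buckets_dir`, and checks the expanded result is still inside `buckets_dir`; have both methods call it so the validation cannot be bypassed by either path.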
Path traversal attack possible - medium severity
A malicious actor could control the location of this file, which may allow them to retrieve, write or delete files outside of the intended folder.
Remediation: To address this, ensure that user-controlled variables in file paths are sanitized at least to not contain '..' or forward slashes.
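The two classes of finding above (shell interpolation in the `system` call and an unvalidated `version` in the tarball path) share one root cause: `version` is trusted as-is. The following is an added example, not code from this PR or from the COSMOS project, showing the hardened shape of both helpers. It keeps the `ROOT_DIR`/`openc3-buckets` layout and the versitygw release URL from the snippets; the `VERSION_RE` pattern, the `tarball_path`/`curl_argv`/`rejects_version?` names, the injectable `runner:` argument, and the temporary `ROOT_DIR` sandbox are assumptions made for illustration.

```ruby
require 'fileutils'
require 'pathname'
require 'tmpdir'

# Constructed sandbox so the example runs stand-alone; a real Rakefile
# would already define ROOT_DIR.
ROOT_DIR = Dir.mktmpdir('openc3-example') unless defined?(ROOT_DIR)

ARCHES = %w[arm64 x86_64].freeze
# Assumption: a versitygw release tag is a bare dotted numeric version.
# Anything else (shell metacharacters, '/', '..') is rejected up front.
VERSION_RE = /\A\d+\.\d+\.\d+\z/

class InvalidVersion < ArgumentError; end

def validate_version!(version)
  unless version.is_a?(String) && VERSION_RE.match?(version)
    raise InvalidVersion, "refusing to use version #{version.inspect}"
  end
  version
end

# Convenience predicate used by the checks below.
def rejects_version?(version)
  validate_version!(version)
  false
rescue InvalidVersion
  true
end

def buckets_dir
  File.join(ROOT_DIR, 'openc3-buckets')
end

# Single place that builds the tarball path. Validates version, then
# proves the expanded path is still inside buckets_dir (defence in depth
# in case VERSION_RE is ever loosened).
def tarball_path(version, arch)
  validate_version!(version)
  raise ArgumentError, "unknown arch #{arch.inspect}" unless ARCHES.include?(arch)
  base = Pathname.new(buckets_dir).expand_path
  path = (base + "versitygw_#{version}_Linux_#{arch}.tar.gz").expand_path
  unless path.to_s.start_with?(base.to_s + File::SEPARATOR)
    raise ArgumentError, "path #{path} escapes #{base}"
  end
  path.to_s
end

def release_url(version, arch)
  validate_version!(version)
  "https://github.com/versity/versitygw/releases/download/#{version}/versitygw_#{version}_Linux_#{arch}.tar.gz"
end

# argv form: each element is passed to curl directly, no shell is spawned,
# so metacharacters in url or path are inert. '--' ends option parsing
# so a url beginning with '-' cannot be read as a flag.
def curl_argv(url, path)
  ['curl', '-fSL', '-o', path, '--', url]
end

def run_argv(argv)
  system(*argv) == true
end

def versitygw_binaries_present?(version)
  ARCHES.all? { |arch| File.exist?(tarball_path(version, arch)) }
end

# runner: lets a caller substitute the download step (used below to run
# offline); the default executes curl without a shell.
def download_versitygw_binaries(version, runner: method(:run_argv))
  FileUtils.mkdir_p(buckets_dir)
  ARCHES.each do |arch|
    url = release_url(version, arch)
    path = tarball_path(version, arch)
    puts "  Downloading #{url}"
    raise "download failed: #{url}" unless runner.call(curl_argv(url, path))
  end
end
```

Because `tarball_path` is the only place the file name is built, both `versitygw_binaries_present?` and `download_versitygw_binaries` get the same validation, and a `version` such as `1.0.0; rm -rf /` or `../../etc/passwd` is rejected before it reaches the filesystem or curl.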
No description provided.