fix(security): resolve Snyk Code findings — Tar Slip, Path Traversal, Open Redirect, XSS
Aegis CI / lint-and-test (push) Has been cancelled
Snyk Security Scan / Python vulnerabilities (backend) (push) Has been cancelled
Snyk Security Scan / npm vulnerabilities (frontend) (push) Has been cancelled
Snyk Security Scan / Docker image vulnerabilities (backend) (push) Has been cancelled
Aegis CI / lint-and-test (push) Has been cancelled
Snyk Security Scan / Python vulnerabilities (backend) (push) Has been cancelled
Snyk Security Scan / npm vulnerabilities (frontend) (push) Has been cancelled
Snyk Security Scan / Docker image vulnerabilities (backend) (push) Has been cancelled
Tar Slip (CWE-22) — 3 import services: threat_actor, lolbas, caldera: add path validation before extractall() to prevent malicious zip members with ../ escaping the target directory. (sigma, elastic, atomic already had this protection) Path Traversal (CWE-23) — professional_reports.py: Add _assert_safe_report_path() check on all 5 report endpoints to verify the generated filepath stays within REPORT_OUTPUT_DIR. Open Redirect (CWE-601) — sso.py: Validate IdP redirect URL scheme (must be http/https) before issuing RedirectResponse, blocking javascript: and data: redirects. DOM XSS (CWE-79) — 4 frontend pages: Create src/utils/url.ts with safeUrl() that rejects non-http/https protocols; apply to actor.mitre_url, ref.url, intel.url. Sanitize framework name to alphanumeric-only before DOM insertion. Restrict evidence MIME types to an explicit safe allowlist (png/jpg/gif/webp). Hardcoded credentials (CWE-798): verify_gaps.py, create_wiki.py: replace literal passwords with environment variable reads (AEGIS_ADMIN_PASSWORD, GITEA_PASSWORD).
This commit is contained in:
kitos
@@ -102,9 +102,14 @@ def _download_zip(url: str = CALDERA_ZIP_URL) -> bytes:
|
||||
# Define function _extract_zip
|
||||
def _extract_zip(zip_bytes: bytes, dest: str) -> Path:
|
||||
"""Extract *zip_bytes* into *dest* and return abilities dir."""
|
||||
# Open context manager
|
||||
dest_path = Path(dest).resolve()
|
||||
with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
|
||||
# Call zf.extractall()
|
||||
for member in zf.infolist():
|
||||
target = (dest_path / member.filename).resolve()
|
||||
if not target.is_relative_to(dest_path):
|
||||
raise ValueError(
|
||||
f"Zip Slip detected — '{member.filename}' resolves outside target directory"
|
||||
)
|
||||
zf.extractall(dest)
|
||||
# Assign abilities_dir = Path(dest) / _ZIP_ROOT_PREFIX / "data" / "abilities"
|
||||
abilities_dir = Path(dest) / _ZIP_ROOT_PREFIX / "data" / "abilities"
|
||||
|
||||
Reference in New Issue
Block a user