fix(security): resolve Snyk Code findings — Tar Slip, Path Traversal, Open Redirect, XSS
Aegis CI / lint-and-test (push) Has been cancelled
Snyk Security Scan / Python vulnerabilities (backend) (push) Has been cancelled
Snyk Security Scan / npm vulnerabilities (frontend) (push) Has been cancelled
Snyk Security Scan / Docker image vulnerabilities (backend) (push) Has been cancelled
Aegis CI / lint-and-test (push) Has been cancelled
Snyk Security Scan / Python vulnerabilities (backend) (push) Has been cancelled
Snyk Security Scan / npm vulnerabilities (frontend) (push) Has been cancelled
Snyk Security Scan / Docker image vulnerabilities (backend) (push) Has been cancelled
Tar Slip (CWE-22) — 3 import services: threat_actor, lolbas, caldera: add path validation before extractall() to prevent malicious zip members with ../ escaping the target directory. (sigma, elastic, atomic already had this protection) Path Traversal (CWE-23) — professional_reports.py: Add _assert_safe_report_path() check on all 5 report endpoints to verify the generated filepath stays within REPORT_OUTPUT_DIR. Open Redirect (CWE-601) — sso.py: Validate IdP redirect URL scheme (must be http/https) before issuing RedirectResponse, blocking javascript: and data: redirects. DOM XSS (CWE-79) — 4 frontend pages: Create src/utils/url.ts with safeUrl() that rejects non-http/https protocols; apply to actor.mitre_url, ref.url, intel.url. Sanitize framework name to alphanumeric-only before DOM insertion. Restrict evidence MIME types to an explicit safe allowlist (png/jpg/gif/webp). Hardcoded credentials (CWE-798): verify_gaps.py, create_wiki.py: replace literal passwords with environment variable reads (AEGIS_ADMIN_PASSWORD, GITEA_PASSWORD).
This commit is contained in:
kitos
@@ -2,6 +2,7 @@
|
||||
"""Create all Aegis wiki pages via Gitea API."""
|
||||
|
||||
import base64
|
||||
import os
|
||||
import sys
|
||||
import time
|
||||
|
||||
@@ -14,11 +15,11 @@ from requests.auth import HTTPBasicAuth
|
||||
# POST /api/v1/repos/{owner}/{repo}/wiki/new → create
|
||||
# PATCH /api/v1/repos/{owner}/{repo}/wiki/page/{pageName} → update
|
||||
# GET /api/v1/repos/{owner}/{repo}/wiki/pages → list
|
||||
GITEA_URL = "http://192.168.1.107:3000"
|
||||
OWNER = "kitos"
|
||||
REPO = "Aegis"
|
||||
USERNAME = "kitos"
|
||||
PASSWORD = "T'2JY%HLX\"Bp^6e"
|
||||
GITEA_URL = os.environ.get("GITEA_URL", "http://192.168.1.107:3000")
|
||||
OWNER = os.environ.get("GITEA_OWNER", "kitos")
|
||||
REPO = os.environ.get("GITEA_REPO", "Aegis")
|
||||
USERNAME = os.environ.get("GITEA_USERNAME", "kitos")
|
||||
PASSWORD = os.environ.get("GITEA_PASSWORD", "")
|
||||
|
||||
|
||||
def create_or_update_page(title: str, content: str) -> bool:
|
||||
|
||||
@@ -4,9 +4,11 @@ Verify Phase 13 gap fixes:
|
||||
2. evaluate_all_rules creates in-app notifications for admins
|
||||
3. webhook dispatch_webhook_targeted exists and is callable
|
||||
"""
|
||||
import os
|
||||
import requests, sys
|
||||
|
||||
BASE = "http://localhost:8000/api/v1"
|
||||
BASE = os.environ.get("AEGIS_BASE_URL", "http://localhost:8000/api/v1")
|
||||
ADMIN_PASSWORD = os.environ.get("AEGIS_ADMIN_PASSWORD", "admin123")
|
||||
PASS = "\033[92m✓\033[0m"
|
||||
FAIL = "\033[91m✗\033[0m"
|
||||
passed = 0
|
||||
@@ -51,7 +53,7 @@ def main():
|
||||
# ── Gap 2: in-app notifications dispatched ────────────────────────────────
|
||||
print("── Gap 2: In-app notifications on alert fire ──")
|
||||
tok = requests.post(f"{BASE}/auth/login",
|
||||
data={"username": "administrator", "password": "admin123"})
|
||||
data={"username": "administrator", "password": ADMIN_PASSWORD})
|
||||
if tok.status_code != 200:
|
||||
print(f" Login failed: {tok.text}"); sys.exit(1)
|
||||
h = {"Authorization": f"Bearer {tok.json().get('access_token')}"}
|
||||
|
||||
Reference in New Issue
Block a user