From ca9ff11fd4f67b77ff88a071413a16310e9c14b6 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Wed, 24 Feb 2021 11:03:36 +0100 Subject: [PATCH 1/8] [security] fix possible sql injection --- CHANGELOG.md | 3 +++ config/initializers/postgresql_database_tasks.rb | 14 ++++++++++++-- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4f0aa65d2..534f782db 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ # Changelog Fab-manager +## Next release +- Fix a security issue: possible SQL injection when dropping the database + ## v4.7.1 2021 February 24 - Fix a security issue: updated axios to 0.21.1 to fix [CVE-2020-28168](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28168) diff --git a/config/initializers/postgresql_database_tasks.rb b/config/initializers/postgresql_database_tasks.rb index 8883701bb..4616148e7 100644 --- a/config/initializers/postgresql_database_tasks.rb +++ b/config/initializers/postgresql_database_tasks.rb @@ -1,11 +1,21 @@ +# frozen_string_literal: true + module ActiveRecord module Tasks + # The following magic allows to drop a PG database even if a connection exists + # @see https://stackoverflow.com/a/38710021 class PostgreSQLDatabaseTasks + include ActiveRecord::Sanitization::ClassMethods + def drop establish_master_connection - connection.select_all "select pg_terminate_backend(pg_stat_activity.pid) from pg_stat_activity where datname='#{configuration['database']}' AND state='idle';" + q = sanitize_sql_array [ + "select pg_terminate_backend(pg_stat_activity.pid) from pg_stat_activity where datname= ? AND state='idle';", + configuration['database'] + ] + connection.select_all q connection.drop_database configuration['database'] end end end -end \ No newline at end of file +end From 120c9144bb1c0b3200df03452379ea00d67bc6a5 Mon Sep 17 00:00:00 2001 
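Review bot: The fix mixes `ActiveRecord::Sanitization::ClassMethods` into a Rails-internal task class so that `sanitize_sql_array` can run there; as far as I can tell that helper resolves `connection` on its receiver, so it works only because `PostgreSQLDatabaseTasks#connection` happens to exist, and the override replaces the framework's own `drop` wholesale, so it needs re-checking on every Rails upgrade. A smaller change with the same effect is to quote the value through the adapter and drop the include: `connection.select_all "select pg_terminate_backend(pg_stat_activity.pid) from pg_stat_activity where datname=#{connection.quote(configuration['database'])} AND state='idle';"`. The value appears to come from the configured database name rather than from a request, so the exposure is limited to whoever controls that configuration; worth stating in the comment above the method so the next reader knows why the quoting is there. The stray space in `datname= ?` is harmless but reads like a typo.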
From: Sylvain Date: Wed, 24 Feb 2021 11:11:18 +0100 Subject: [PATCH 2/8] [security] restrict allowed keys when creating/updating credits --- CHANGELOG.md | 1 + app/controllers/api/credits_controller.rb | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 534f782db..40ee8ecb1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## Next release - Fix a security issue: possible SQL injection when dropping the database +- Fix a security issue: restrict allowed keys when creating/updating credits ## v4.7.1 2021 February 24 - Fix a security issue: updated axios to 0.21.1 to fix [CVE-2020-28168](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28168) diff --git a/app/controllers/api/credits_controller.rb b/app/controllers/api/credits_controller.rb index cbc762c9a..0c19cb148 100644 --- a/app/controllers/api/credits_controller.rb +++ b/app/controllers/api/credits_controller.rb @@ -47,6 +47,6 @@ class API::CreditsController < API::ApiController end def credit_params - params.require(:credit).permit! + params.require(:credit).permit(:creditable_id, :creditable_type, :plan_id, :hours) end end From 8cfd2d16943087e6dd34631612de46cce5adb1a9 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Wed, 24 Feb 2021 17:00:33 +0100 Subject: [PATCH 3/8] WIP: migrate yq commands to V4 --- setup/setup.sh | 16 ++++++++-------- setup/upgrade.sh | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/setup/setup.sh b/setup/setup.sh index 594f3e21c..756f511dc 100755 --- a/setup/setup.sh +++ b/setup/setup.sh @@ -147,7 +147,7 @@ prepare_files() } yq() { - docker run --rm -i -v "${FABMANAGER_PATH}:/workdir" mikefarah/yq yq "$@" + docker run --rm -i -v "${FABMANAGER_PATH}:/workdir" mikefarah/yq:4 "$@" } prepare_nginx() 
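Review bot: `creditable_type` stays client-controlled in the new allowlist, and since it names the class behind a polymorphic association the model should also constrain it to the intended classes (an inclusion validation on `creditable_type`); otherwise the permit list only narrows which keys are accepted, not which values. I cannot see the model behind `:credit` from this hunk, so confirm that such a validation exists. The enclosing `API::CreditsController` starts outside the hunk, so the authorisation applied to create/update is not visible either and should be checked alongside. A short comment on `credit_params`, such as `# explicit allowlist: permit! previously accepted any attribute`, would record why the method is written this way.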
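Review bot: `mikefarah/yq:4` is a floating major tag, so every run of the `yq()` wrapper pulls whatever the registry currently serves for that tag and executes it against the installation's `docker-compose.yml` with `${FABMANAGER_PATH}` mounted; the v3-to-v4 breakage this series works around is exactly what a later 4.x behaviour change can reproduce. Pin the image to a specific version, and ideally a digest, `mikefarah/yq:<version>@sha256:<digest>`, so that the setup and upgrade scripts are reproducible and the pulled image is tamper-evident. The same wrapper is changed identically in `setup/upgrade.sh`, `scripts/mount-payment-schedules.sh`, `scripts/mount-webpack.sh` and `scripts/redis-upgrade.sh` in this series and should be pinned the same way in all of them.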
@@ -160,16 +160,16 @@ prepare_nginx() else # if nginx is not installed, remove its associated block from docker-compose.yml echo "Removing nginx..." - yq d -i docker-compose.yml services.nginx + yq -i eval 'del(.services.nginx)' docker-compose.yml read -rp "Do you want to map the Fab-manager's service to an external network? (Y/n) " confirm Date: Mon, 1 Mar 2021 10:13:48 +0100 Subject: [PATCH 4/8] migrate yq to v4 --- setup/upgrade.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/setup/upgrade.sh b/setup/upgrade.sh index 82d9342d6..5f4277c61 100644 --- a/setup/upgrade.sh +++ b/setup/upgrade.sh @@ -28,7 +28,7 @@ parseparams() } yq() { - docker run --rm -i -v "${PWD}:/workdir" mikefarah/yq:3 "$@" + docker run --rm -i -v "${PWD}:/workdir" mikefarah/yq:4 "$@" } jq() { @@ -53,7 +53,7 @@ config() exit 1 fi - SERVICE="$(yq r docker-compose.yml --printMode p 'services.*(.==sleede/fab-manager*)' | awk 'BEGIN { FS = "." } ; {print $2}')" + SERVICE="$(yq eval '.services.*.image | select(. == "sleede/fab-manager*") | path | .[-2]' docker-compose.yml)" YES_ALL=${Y:-false} # COMMANDS, SCRIPTS and ENVIRONMENTS are set by parseparams } @@ -104,8 +104,8 @@ add_environments() compile_assets() { - IMAGE=$(yq r docker-compose.yml 'services.*(.==sleede/fab-manager*)') - mapfile -t COMPOSE_ENVS < <(yq r docker-compose.yml "services.$SERVICE.environment") + IMAGE=$(yq eval '.services.*.image | select(. == "sleede/fab-manager*")' docker-compose.yml) + mapfile -t COMPOSE_ENVS < <(yq eval ".services.$SERVICE.environment" docker-compose.yml) ENV_ARGS=$(for i in "${COMPOSE_ENVS[@]}"; do sed 's/: /=/g;s/^/-e /g' <<< "$i"; done) PG_ID=$(docker-compose ps -q postgres) if [[ "$PG_ID" = "" ]]; then 
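Review bot: `SERVICE` in `config()` is now whatever `yq eval '... | path | .[-2]'` prints, and nothing checks the result: if no image matches the selector the variable is empty and the expressions later built from it (`.services.$SERVICE.environment` in `compile_assets()`, and the same pattern in `scripts/mount-payment-schedules.sh` and `scripts/mount-webpack.sh`) no longer name the intended service; if several services match, `SERVICE` holds several lines. Add a guard right after the assignment, `if [[ -z "$SERVICE" || "$SERVICE" == *$'\n'* ]]; then echo "unable to identify the fab-manager service in docker-compose.yml"; exit 1; fi`. The wildcard `==` form and the negative path index depend on the yq 4 release the `:4` tag resolves to at run time, so confirm them against the release actually pulled. The body of `compile_assets()` continues past the visible lines.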
@@ -131,7 +131,7 @@ upgrade() exit 1 fi BRANCH='master' - if yq r docker-compose.yml 'services.*(.==sleede/fab-manager*)' | grep -q ':dev'; then BRANCH='dev'; fi + if yq eval '.services.*.image | select(. == "sleede/fab-manager*")' docker-compose.yml | grep -q ':dev'; then BRANCH='dev'; fi for SCRIPT in "${SCRIPTS[@]}"; do if [[ "$YES_ALL" = "true" ]]; then \curl -sSL "https://raw.githubusercontent.com/sleede/fab-manager/$BRANCH/scripts/$SCRIPT.sh" | bash -s -- -y From 4026bf013041309cc91e38af12852a109d376116 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Mon, 1 Mar 2021 11:34:02 +0100 Subject: [PATCH 5/8] migrate yq to v4 --- scripts/mount-payment-schedules.sh | 12 +++--------- scripts/mount-webpack.sh | 20 +++----------------- scripts/redis-upgrade.sh | 4 ++-- 3 files changed, 8 insertions(+), 28 deletions(-) diff --git a/scripts/mount-payment-schedules.sh b/scripts/mount-payment-schedules.sh index 5a9e15dda..7ad7a92e2 100644 --- a/scripts/mount-payment-schedules.sh +++ b/scripts/mount-payment-schedules.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash yq() { - docker run --rm -i -v "${PWD}:/workdir" mikefarah/yq yq "$@" + docker run --rm -i -v "${PWD}:/workdir" mikefarah/yq:4 "$@" } config() 
@@ -13,20 +13,14 @@ config() echo "current user is not allowed to use docker, exiting..." exit 1 fi - if ! command -v awk || ! [[ $(awk -W version) =~ ^GNU ]] - then - echo "Please install GNU Awk before running this script." - echo "gawk was not found, exiting..." - exit 1 - fi - SERVICE="$(yq r docker-compose.yml --printMode p 'services.*(.==sleede/fab-manager*)' | awk 'BEGIN { FS = "." } ; {print $2}')" + SERVICE="$(yq eval '.services.*.image | select(. == "sleede/fab-manager*") | path | .[-2]' docker-compose.yml)" } add_mount() { # shellcheck disable=SC2016 # we don't want to expand ${PWD} - yq w -i docker-compose.yml "services.$SERVICE.volumes[+]" '${PWD}/payment_schedules:/usr/src/app/payment_schedules' + yq -i eval ".services.$SERVICE.volumes += [\"\${PWD}/payment_schedules:/usr/src/app/payment_schedules\"]" docker-compose.yml } proceed() diff --git a/scripts/mount-webpack.sh b/scripts/mount-webpack.sh index 00b6d50d2..bbd30ae2c 100644 --- a/scripts/mount-webpack.sh +++ b/scripts/mount-webpack.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash yq() { - docker run --rm -i -v "${PWD}:/workdir" mikefarah/yq yq "$@" + docker run --rm -i -v "${PWD}:/workdir" mikefarah/yq:4 "$@" } config() 
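Review bot: `add_mount()` appends the payment_schedules volume with `+=` on every run, so executing the script a second time leaves a duplicated entry under `services.$SERVICE.volumes`; the yq 3 `volumes[+]` form had the same behaviour, so this is not a regression, but the rewrite is the moment to fix it. Guard with a lookup first, e.g. `if yq eval ".services.$SERVICE.volumes.[] | select(. == \"*payment_schedules*\")" docker-compose.yml | grep -q .; then echo "payment_schedules volume already mounted for $SERVICE"; exit 0; fi`, relying on the same wildcard `==` form the series already uses for the image selector.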
@@ -13,27 +13,13 @@ config() echo "current user is not allowed to use docker, exiting..." exit 1 fi - if ! command -v awk || ! [[ $(awk -W version) =~ ^GNU ]] - then - echo "Please install GNU Awk before running this script." - echo "gawk was not found, exiting..." - exit 1 - fi SERVICE="$(yq r docker-compose.yml --printMode p 'services.*(.==sleede/fab-manager*)' | awk 'BEGIN { FS = "." } ; {print $2}')" } change_mount() { - local volumes=$(yq r docker-compose.yml --length "services.$SERVICE.volumes") - local maxVol=$(($volumes - 1)) - for i in $(seq 0 $maxVol); do - yq r docker-compose.yml "services.$SERVICE.volumes.[$i]" | grep assets - if [[ $? = 0 ]]; then - yq w -i docker-compose.yml "services.$SERVICE.volumes.[$i]" "\${PWD}/public/packs:/usr/src/app/public/packs" - echo "Volume #$i was replaced for $SERVICE: /assets changed to /packs" - exit 0 - fi - done + yq -i eval ".services.$SERVICE.volumes.[] | select(. == \"*assets\") |= \"\${PWD}/public/packs:/usr/src/app/public/packs\"" docker-compose.yml + echo "Service volume was replaced for $SERVICE: /assets changed to /packs" } proceed() diff --git a/scripts/redis-upgrade.sh b/scripts/redis-upgrade.sh index d7bf02021..c55d3a45a 100755 --- a/scripts/redis-upgrade.sh +++ b/scripts/redis-upgrade.sh @@ -60,7 +60,7 @@ test_docker_compose() } yq() { - docker run --rm -i -v "${FM_PATH}:/workdir" mikefarah/yq yq "$@" + docker run --rm -i -v "${FM_PATH}:/workdir" mikefarah/yq:4 "$@" } @@ -71,7 +71,7 @@ docker_down() proceed_upgrade() { - yq w -i docker-compose.yml services.redis.image redis:6-alpine + yq -i eval '.services.redis.image = "redis:6-alpine"' docker-compose.yml } From b10e13c998b0719912215b921dad27c9ed03ee80 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Mon, 1 Mar 2021 11:40:29 +0100 Subject: [PATCH 6/8] removed dependency to awk in upgrade script --- setup/upgrade.sh | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) 
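Review bot: The rewritten `change_mount()` prints `Service volume was replaced for $SERVICE` unconditionally, whereas the loop it replaces only reported (and exited 0) when a volume matching `assets` had actually been found and rewritten; with the `|=` update, a compose file without such a volume, or an empty `SERVICE`, is silently left unchanged while the user is told the replacement happened. Read the matching entries first and only run the in-place update and print the message when there is one, otherwise report that nothing was found and fail. Note also that `select(. == \"*assets\")` matches only values ending in `assets`, while the old `grep assets` matched the substring anywhere; confirm the volume spec in the shipped compose files ends that way.
```shell
change_mount()
{
  local matches
  matches="$(yq eval ".services.$SERVICE.volumes.[] | select(. == \"*assets\")" docker-compose.yml)"
  if [[ -z "$matches" ]]; then
    echo "No assets volume found for $SERVICE, nothing to change"
    exit 1
  fi
  yq -i eval ".services.$SERVICE.volumes.[] | select(. == \"*assets\") |= \"\${PWD}/public/packs:/usr/src/app/public/packs\"" docker-compose.yml
  echo "Service volume was replaced for $SERVICE: /assets changed to /packs"
}
```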
diff --git a/setup/upgrade.sh b/setup/upgrade.sh index 5f4277c61..4075e4969 100644 --- a/setup/upgrade.sh +++ b/setup/upgrade.sh @@ -37,14 +37,6 @@ jq() { config() { - echo -ne "Checking dependency... " - if ! command -v awk || ! [[ $(awk -W version) =~ ^GNU ]] - then - echo "Please install GNU Awk before running this script." - echo "gawk was not found, exiting..." - exit 1 - fi - echo -ne "Checking user... " if [[ "$(whoami)" != "root" ]] && ! groups | grep docker then @@ -77,7 +69,7 @@ version_check() { VERSION=$(docker-compose exec -T "$SERVICE" cat .fabmanager-version) if [[ $? = 1 ]]; then - VERSION=$(docker-compose exec -T "$SERVICE" cat package.json | grep version | awk 'BEGIN { FS = "\"" } ; {print $4}') + VERSION=$(docker-compose exec -T "$SERVICE" cat package.json | jq -r '.version') fi if verlt "$VERSION" 2.8.3; then From 3604d2af3f5121d8a4845b262bbead7ac99f5c43 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Mon, 1 Mar 2021 12:18:20 +0100 Subject: [PATCH 7/8] updated changelog --- CHANGELOG.md | 3 +++ scripts/mount-webpack.sh | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 40ee8ecb1..77fcea709 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,11 @@ # Changelog Fab-manager ## Next release +- Updated yq to v4 +- Fix a bug: unable to upgrade using the easy upgrade command - Fix a security issue: possible SQL injection when dropping the database - Fix a security issue: restrict allowed keys when creating/updating credits +- [TODO DEPLOY] `bundle exec rails fablab:openlab:bulk_export` if you have enabled OpenLab (projects sharing) ## v4.7.1 2021 February 24 - Fix a security issue: updated axios to 0.21.1 to fix [CVE-2020-28168](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28168) diff --git a/scripts/mount-webpack.sh b/scripts/mount-webpack.sh index bbd30ae2c..5dc9a2b7e 100644 --- a/scripts/mount-webpack.sh +++ b/scripts/mount-webpack.sh 
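Review bot: `jq -r '.version'` prints the literal string `null` when `package.json` has no `version` key, so `VERSION` becomes `null` and is then handed to `verlt`; the grep/awk pipeline it replaces produced an empty string when nothing matched. Use `jq -r '.version // empty'` so a missing key still yields an empty `VERSION`, and consider treating an empty `VERSION` as a hard error before the `verlt` comparison instead of continuing. `jq` here appears to be the script's own wrapper function (`jq() {` is visible as context in patch 4 of this series); if it runs a container image like the `yq()` wrapper does, it carries the same image-pinning concern. `version_check()` continues outside the hunk.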
@@ -13,7 +13,7 @@ config() echo "current user is not allowed to use docker, exiting..." exit 1 fi - SERVICE="$(yq r docker-compose.yml --printMode p 'services.*(.==sleede/fab-manager*)' | awk 'BEGIN { FS = "." } ; {print $2}')" + SERVICE="$(yq eval '.services.*.image | select(. == "sleede/fab-manager*") | path | .[-2]' docker-compose.yml)" } change_mount() From c0a99b67bd56bde63e0f6a685c7c3f5ddb6a3092 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Mon, 1 Mar 2021 12:21:41 +0100 Subject: [PATCH 8/8] Version 4.7.2 --- CHANGELOG.md | 2 +- package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 77fcea709..2ebe372e3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog Fab-manager -## Next release +## v4.7.2 2021 March 1st - Updated yq to v4 - Fix a bug: unable to upgrade using the easy upgrade command - Fix a security issue: possible SQL injection when dropping the database diff --git a/package.json b/package.json index 5482f59fd..0da893056 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "fab-manager", - "version": "4.7.1", + "version": "4.7.2", "description": "Fab-manager is the FabLab management solution. It provides a comprehensive, web-based, open-source tool to simplify your administrative tasks and your marker's projects.", "keywords": [ "fablab",