[2025-01-10:163151] - 🤖 Automated PR: Sync main with upstream #34
Conversation
…focused code (apache#2726) Co-authored-by: Martin Cimbalek <[email protected]>
… managed deployment is missing the property to disable the kafka-client health checks (apache#2797)
…x VS Code E2E tests (apache#2808)
…ervices VS Code Extension's name (apache#2810)
…Hub` rendering a 404 page instead of the SWF Editor (apache#2809)
…pache KIE™` prefix instead of just `KIE` on its displayName (apache#2811)
…es/forms` to `src/main/resources/custom-forms-dev` (apache#2798)
… color (apache#2816) Co-authored-by: chinnamatli kusumalatha <[email protected]>
…T from Kogito (999-20241208-SNAPSHOT) (apache#2813)
…d Expression Editor (apache#2681) Co-authored-by: Luiz João Motta <[email protected]>
…les/kie-sandbox-commit-message-validation-service (apache#2812)
…n e2e tests (apache#2818) Signed-off-by: Ricardo Zanini <[email protected]>
…omatic change of platform images based on env context (apache#2794) Signed-off-by: Ricardo Zanini <[email protected]> Signed-off-by: Ricardo Zanini <[email protected]>
…eId each timer belongs to (apache#2820) Co-authored-by: Pere Fernández <[email protected]>
Co-authored-by: chinnamatli kusumalatha <[email protected]>
…e BKM (apache#2831) Co-authored-by: chinnamatli kusumalatha <[email protected]>
…on/yaml) must support stateExecTimeout.(total/single) properties (apache#2795)
…o trim components/schemas (apache#2749) Co-authored-by: Dmitrii Tikhomirov <[email protected]>
…s the container in the background (apache#2778)
…e new DMN Editor (apache#2837) Co-authored-by: chinnamatli kusumalatha <[email protected]>
apache#2814) Signed-off-by: Ricardo Zanini <[email protected]> Signed-off-by: Ricardo Zanini <[email protected]> Co-authored-by: Jozef Marko <[email protected]> Co-authored-by: Luiz João Motta <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Ricardo Zanini <[email protected]> Co-authored-by: Deepak Joseph <[email protected]> Co-authored-by: Pere Fernández <[email protected]>
…ript Editor in BPMN Editor (apache#2830)
Signed-off-by: Ricardo Zanini <[email protected]>
…rashLoopBackOff when workflow is deployed with cluster platform referenced platform (apache#2841)
@@ -362,11 +362,14 @@ | |||
} | |||
let sourceString; | |||
|
|||
const configString = fs.readFileSync(path.join(`${__dirname}/forms/examples/${formName}.config`), "utf8"); | |||
const configString = fs.readFileSync( | |||
path.join(`${__dirname}/custom-forms-dev/examples/${formName}.config`), |
Check failure: Code scanning / CodeQL: Uncontrolled data used in path expression (High), user-provided value.
Copilot Autofix AI, 12 days ago:
To fix the problem, we need to ensure that the `formName` parameter is validated and sanitized before it is used to construct file paths. We can achieve this by normalizing the path and ensuring it is within a safe root directory. Additionally, we can use a library like `sanitize-filename` to remove any special characters from the `formName`.
- Import the `sanitize-filename` library.
- Sanitize the `formName` parameter.
- Normalize the path and ensure it is within a safe root directory.
@@ -23,2 +23,3 @@ | ||
const fs = require("fs"); | ||
const sanitize = require("sanitize-filename"); | ||
const confirmTravelForm = require("./forms/ConfirmTravel"); | ||
@@ -355,3 +356,4 @@ | ||
console.log(`......Get Custom Form Content: --formName:${req.params.formName}`); | ||
const formName = req.params.formName; | ||
let formName = req.params.formName; | ||
formName = sanitize(formName); | ||
const formInfo = formData.filter((datum) => datum.name === formName); | ||
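Review bot: `formName = sanitize(formName)` on the added line can leave an empty string (sanitize-filename strips a name made only of dots, such as `..`), and any name it alters will no longer equal a `datum.name`, so `formInfo` comes back empty and the later `formInfo[0].type` access throws instead of returning a clean error. Add `if (formInfo.length === 0) { res.status(404).send("Unknown form"); return; }` right after the filter, before any file is read.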
@@ -364,10 +366,13 @@ | ||
|
||
const configString = fs.readFileSync( | ||
path.join(`${__dirname}/custom-forms-dev/examples/${formName}.config`), | ||
"utf8" | ||
); | ||
const rootDir = path.resolve(__dirname, "custom-forms-dev/examples"); | ||
let configPath = path.resolve(rootDir, `${formName}.config`); | ||
if (!configPath.startsWith(rootDir)) { | ||
res.status(403).send("Invalid form name"); | ||
return; | ||
} | ||
const configString = fs.readFileSync(configPath, "utf8"); | ||
if (formInfo[0].type.toLowerCase() === "html") { | ||
sourceString = fs.readFileSync(path.join(`${__dirname}/custom-forms-dev/examples/${formName}.html`), "utf8"); | ||
sourceString = fs.readFileSync(path.resolve(rootDir, `${formName}.html`), "utf8"); | ||
} else if (formInfo[0].type.toLowerCase() === "tsx") { | ||
sourceString = fs.readFileSync(path.join(`${__dirname}/custom-forms-dev/examples/${formName}.tsx`), "utf8"); | ||
sourceString = fs.readFileSync(path.resolve(rootDir, `${formName}.tsx`), "utf8"); | ||
} |
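Review bot: `configPath.startsWith(rootDir)` on the added check has no separator after `rootDir`, so a path under a sibling directory whose name merely begins with `examples` (for instance `custom-forms-dev/examples-old/x.config`) would also pass; compare against `rootDir + path.sep` instead. The `.html` and `.tsx` reads further down switch to `path.resolve(rootDir, ...)` but get no containment check at all and rely solely on `sanitize`, so the same guard should wrap those two reads as well.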
@@ -58,3 +58,4 @@ | ||
"util": "^0.12.5", | ||
"uuid": "^8.3.2" | ||
"uuid": "^8.3.2", | ||
"sanitize-filename": "^1.6.3" | ||
}, |
Package | Version | Security advisories |
sanitize-filename (npm) | 1.6.3 | None |
if (formInfo[0].type.toLowerCase() === "html") { | ||
sourceString = fs.readFileSync(path.join(`${__dirname}/forms/examples/${formName}.html`), "utf8"); | ||
sourceString = fs.readFileSync(path.join(`${__dirname}/custom-forms-dev/examples/${formName}.html`), "utf8"); |
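Review bot: `formInfo[0].type.toLowerCase()` dereferences the first filter result without checking that the filter matched anything, so an unknown `formName` produces a TypeError here rather than a 404; the branch on the changed line should only be reached after an explicit `formInfo.length` check.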
Check failure: Code scanning / CodeQL: Uncontrolled data used in path expression (High), user-provided value.
Copilot Autofix AI, 12 days ago:
To fix the problem, we need to ensure that the constructed file path is contained within a safe root folder. We can achieve this by normalizing the path using `path.resolve` to remove any ".." segments and then checking that the normalized path starts with the root folder. This will prevent path traversal attacks.
- Normalize the path using `path.resolve`.
- Check that the normalized path starts with the root folder.
- If the path is not within the root folder, return an error response.
@@ -369,5 +369,15 @@ | ||
if (formInfo[0].type.toLowerCase() === "html") { | ||
sourceString = fs.readFileSync(path.join(`${__dirname}/custom-forms-dev/examples/${formName}.html`), "utf8"); | ||
const htmlPath = path.resolve(__dirname, `custom-forms-dev/examples/${formName}.html`); | ||
if (!htmlPath.startsWith(path.resolve(__dirname, 'custom-forms-dev/examples'))) { | ||
res.status(403).send("Access denied"); | ||
return; | ||
} | ||
sourceString = fs.readFileSync(htmlPath, "utf8"); | ||
} else if (formInfo[0].type.toLowerCase() === "tsx") { | ||
sourceString = fs.readFileSync(path.join(`${__dirname}/custom-forms-dev/examples/${formName}.tsx`), "utf8"); | ||
const tsxPath = path.resolve(__dirname, `custom-forms-dev/examples/${formName}.tsx`); | ||
if (!tsxPath.startsWith(path.resolve(__dirname, 'custom-forms-dev/examples'))) { | ||
res.status(403).send("Access denied"); | ||
return; | ||
} | ||
sourceString = fs.readFileSync(tsxPath, "utf8"); | ||
} |
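Review bot: the root `path.resolve(__dirname, 'custom-forms-dev/examples')` is recomputed inline in both the `html` and `tsx` branches and the 403 block is duplicated verbatim; hoist a single `const rootDir = path.resolve(__dirname, "custom-forms-dev/examples")` above the `if`, derive one `sourcePath` from `formInfo[0].type`, and run the containment check once. The added lines also use single-quoted strings where the surrounding file uses double quotes, which the project's formatter will flag.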
} else if (formInfo[0].type.toLowerCase() === "tsx") { | ||
sourceString = fs.readFileSync(path.join(`${__dirname}/forms/examples/${formName}.tsx`), "utf8"); | ||
sourceString = fs.readFileSync(path.join(`${__dirname}/custom-forms-dev/examples/${formName}.tsx`), "utf8"); |
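Review bot: the `html` and `tsx` branches differ only in the file extension, and the extension is exactly `formInfo[0].type.toLowerCase()`, so the two `readFileSync` calls can collapse into one read of `${formName}.${type}` after a single containment check; keeping two copies means any guard added later has to be applied twice.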
Check failure: Code scanning / CodeQL: Uncontrolled data used in path expression (High), user-provided value.
Copilot Autofix AI, 12 days ago:
To fix the problem, we need to ensure that the `formName` parameter is validated and sanitized before it is used to construct file paths. We can achieve this by normalizing the path and ensuring it is contained within a safe root directory. Additionally, we can use a library like `sanitize-filename` to remove any special characters from the `formName`.
- Import the `sanitize-filename` library.
- Sanitize the `formName` parameter to remove any special characters.
- Normalize the path using `path.resolve` to remove any ".." segments.
- Check that the normalized path starts with the root directory.
@@ -23,2 +23,3 @@ | ||
const fs = require("fs"); | ||
const sanitize = require("sanitize-filename"); | ||
const confirmTravelForm = require("./forms/ConfirmTravel"); | ||
@@ -355,3 +356,3 @@ | ||
console.log(`......Get Custom Form Content: --formName:${req.params.formName}`); | ||
const formName = req.params.formName; | ||
const formName = sanitize(req.params.formName); | ||
const formInfo = formData.filter((datum) => datum.name === formName); | ||
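Review bot: `sanitize(req.params.formName)` on the added line silently rewrites the name instead of rejecting it, so a request whose name contains a stripped character is looked up in `formData` under a different value than the one logged on the line above. Compare the sanitized result with the original and respond 400 when they differ; that keeps the log entry and the lookup consistent and makes a tampered name visible rather than quietly turning it into a 404.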
@@ -364,10 +365,22 @@ | ||
|
||
const configString = fs.readFileSync( | ||
path.join(`${__dirname}/custom-forms-dev/examples/${formName}.config`), | ||
"utf8" | ||
); | ||
const configPath = path.resolve(__dirname, `custom-forms-dev/examples/${formName}.config`); | ||
if (!configPath.startsWith(path.resolve(__dirname, 'custom-forms-dev/examples'))) { | ||
res.status(403).send("Access denied"); | ||
return; | ||
} | ||
const configString = fs.readFileSync(configPath, "utf8"); | ||
if (formInfo[0].type.toLowerCase() === "html") { | ||
sourceString = fs.readFileSync(path.join(`${__dirname}/custom-forms-dev/examples/${formName}.html`), "utf8"); | ||
const sourcePath = path.resolve(__dirname, `custom-forms-dev/examples/${formName}.html`); | ||
if (!sourcePath.startsWith(path.resolve(__dirname, 'custom-forms-dev/examples'))) { | ||
res.status(403).send("Access denied"); | ||
return; | ||
} | ||
sourceString = fs.readFileSync(sourcePath, "utf8"); | ||
} else if (formInfo[0].type.toLowerCase() === "tsx") { | ||
sourceString = fs.readFileSync(path.join(`${__dirname}/custom-forms-dev/examples/${formName}.tsx`), "utf8"); | ||
const sourcePath = path.resolve(__dirname, `custom-forms-dev/examples/${formName}.tsx`); | ||
if (!sourcePath.startsWith(path.resolve(__dirname, 'custom-forms-dev/examples'))) { | ||
res.status(403).send("Access denied"); | ||
return; | ||
} | ||
sourceString = fs.readFileSync(sourcePath, "utf8"); | ||
} |
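Review bot: the containment check now appears three times, once per extension, each recomputing the root; extract a helper such as `resolveInExamples(name, ext)` that returns the resolved path or `null`, and call it for `.config`, `.html` and `.tsx`, so a new form type cannot be added later without inheriting the check. As written, `startsWith` without a trailing `path.sep` also lets a sibling directory whose name begins with `examples` through.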
@@ -58,3 +58,4 @@ | ||
"util": "^0.12.5", | ||
"uuid": "^8.3.2" | ||
"uuid": "^8.3.2", | ||
"sanitize-filename": "^1.6.3" | ||
}, |
Package | Version | Security advisories |
sanitize-filename (npm) | 1.6.3 | None |
Sync main branch with Apache main branch
[20241203-165240] - Automatic PR: Sync main with main-apache
This pull request has been created by a GitHub workflow to synchronize the main branch with Apache upstream/main.
Warning
Please don't merge using squash, so as not to lose the git history.
View Action
Resolved conflicts:
$SYNC_CHANGES