
[2025-01-10:163151] - 🤖 Automated PR: Sync main with upstream #34

Closed
wants to merge 32 commits into from

Conversation

fantonangeli
Owner

This pull request has been created by a GitHub workflow to synchronize the main branch with Apache upstream/main.

Warning

Please don't merge using squash, so as not to lose the git history.


Resolved conflicts:
$SYNC_CHANGES

tiagobento and others added 30 commits December 11, 2024 09:57
… managed deployment is missing the property to disable the kafka-client health checks (apache#2797)
…Hub` rendering a 404 page instead of the SWF Editor (apache#2809)
…pache KIE™` prefix instead of just `KIE` on its displayName (apache#2811)
…es/forms` to `src/main/resources/custom-forms-dev` (apache#2798)
…les/kie-sandbox-commit-message-validation-service (apache#2812)
…omatic change of platform images based on env context (apache#2794)

Signed-off-by: Ricardo Zanini <[email protected]>
Signed-off-by: Ricardo Zanini <[email protected]>
…on/yaml) must support stateExecTimeout.(total/single) properties (apache#2795)
…o trim components/schemas (apache#2749)

Co-authored-by: Dmitrii Tikhomirov <[email protected]>
apache#2814)

Signed-off-by: Ricardo Zanini <[email protected]>
Signed-off-by: Ricardo Zanini <[email protected]>
Co-authored-by: Jozef Marko <[email protected]>
Co-authored-by: Luiz João Motta <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Ricardo Zanini <[email protected]>
Co-authored-by: Deepak Joseph <[email protected]>
Co-authored-by: Pere Fernández <[email protected]>
jianrongzhang89 and others added 2 commits January 10, 2025 10:20
…rashLoopBackOff when workflow is deployed with cluster platform referenced platform (apache#2841)
@@ -362,11 +362,14 @@
}
let sourceString;

const configString = fs.readFileSync(path.join(`${__dirname}/forms/examples/${formName}.config`), "utf8");
const configString = fs.readFileSync(
path.join(`${__dirname}/custom-forms-dev/examples/${formName}.config`),
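Review bot: the rename from `forms/examples` to `custom-forms-dev/examples` moves the directory but leaves `${formName}`, taken straight from the request parameter, interpolated into the path, so the sink CodeQL reports on this line is unchanged by the upstream commit; if the rename is taken as-is, the validation of `formName` should land in the same sync rather than waiting for a follow-up.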

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression (High)

This path depends on a user-provided value.

Copilot Autofix AI 12 days ago

To fix the problem, we need to ensure that the formName parameter is validated and sanitized before it is used to construct file paths. We can achieve this by normalizing the path and ensuring it is within a safe root directory. Additionally, we can use a library like sanitize-filename to remove any special characters from the formName.

  1. Import the sanitize-filename library.
  2. Sanitize the formName parameter.
  3. Normalize the path and ensure it is within a safe root directory.
Suggested changeset 2
packages/runtime-tools-process-dev-ui-webapp/server/MockData/controllers.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/runtime-tools-process-dev-ui-webapp/server/MockData/controllers.js b/packages/runtime-tools-process-dev-ui-webapp/server/MockData/controllers.js
--- a/packages/runtime-tools-process-dev-ui-webapp/server/MockData/controllers.js
+++ b/packages/runtime-tools-process-dev-ui-webapp/server/MockData/controllers.js
@@ -23,2 +23,3 @@
 const fs = require("fs");
+const sanitize = require("sanitize-filename");
 const confirmTravelForm = require("./forms/ConfirmTravel");
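Review bot: `sanitize-filename` becomes a runtime dependency of the mock server with this `require`, so on its own this hunk makes the server fail at startup until the package.json change in the second patch of this changeset is applied as well, and `git apply` does not touch the lockfile, which has to be regenerated in the same commit.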
@@ -355,3 +356,4 @@
     console.log(`......Get Custom Form Content: --formName:${req.params.formName}`);
-    const formName = req.params.formName;
+    let formName = req.params.formName;
+    formName = sanitize(formName);
     const formInfo = formData.filter((datum) => datum.name === formName);
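Review bot: `sanitize()` rewrites an invalid name instead of rejecting it, so a request for `../x` is silently turned into a different form name and the client never learns its input was refused; an allow-list test such as `/^[A-Za-z0-9_-]+$/` followed by a 400 response is clearer and needs no new dependency. The `console.log` on the unchanged context line still prints the raw `req.params.formName` before sanitisation, so control characters in the parameter reach the log as-is. The `let` plus reassignment can be one line: `const formName = sanitize(req.params.formName);`.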
@@ -364,10 +366,13 @@
 
-    const configString = fs.readFileSync(
-      path.join(`${__dirname}/custom-forms-dev/examples/${formName}.config`),
-      "utf8"
-    );
+    const rootDir = path.resolve(__dirname, "custom-forms-dev/examples");
+    let configPath = path.resolve(rootDir, `${formName}.config`);
+    if (!configPath.startsWith(rootDir)) {
+      res.status(403).send("Invalid form name");
+      return;
+    }
+    const configString = fs.readFileSync(configPath, "utf8");
     if (formInfo[0].type.toLowerCase() === "html") {
-      sourceString = fs.readFileSync(path.join(`${__dirname}/custom-forms-dev/examples/${formName}.html`), "utf8");
+      sourceString = fs.readFileSync(path.resolve(rootDir, `${formName}.html`), "utf8");
     } else if (formInfo[0].type.toLowerCase() === "tsx") {
-      sourceString = fs.readFileSync(path.join(`${__dirname}/custom-forms-dev/examples/${formName}.tsx`), "utf8");
+      sourceString = fs.readFileSync(path.resolve(rootDir, `${formName}.tsx`), "utf8");
     }
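Review bot: `configPath.startsWith(rootDir)` is a plain string-prefix test, so a resolved path inside a sibling directory whose name begins with `examples` (for instance `.../custom-forms-dev/examples-private/x.config`) passes it; compare against `rootDir + path.sep` or use `path.relative(rootDir, configPath)` and reject a result that is empty, absolute or begins with `..`. The `.html` and `.tsx` reads below call `path.resolve(rootDir, ...)` with no check of their own and rely on the `.config` check having covered the same `formName`; that holds here, but it should be factored into one helper so the dependency is explicit. Nothing in this hunk catches the `ENOENT` that `fs.readFileSync` throws for a well-formed but unknown name, which becomes an unhandled exception rather than a 404, and a rejected name is a malformed request (400) rather than a forbidden one (403).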
EOF
packages/runtime-tools-process-dev-ui-webapp/package.json
Outside changed files

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/runtime-tools-process-dev-ui-webapp/package.json b/packages/runtime-tools-process-dev-ui-webapp/package.json
--- a/packages/runtime-tools-process-dev-ui-webapp/package.json
+++ b/packages/runtime-tools-process-dev-ui-webapp/package.json
@@ -58,3 +58,4 @@
     "util": "^0.12.5",
-    "uuid": "^8.3.2"
+    "uuid": "^8.3.2",
+    "sanitize-filename": "^1.6.3"
   },
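Review bot: the new entry is appended after `uuid`, which breaks the alphabetical order of the block (`sanitize-filename` belongs before `util`), and since this patch edits only package.json the repository lockfile must be regenerated in the same change or CI installs will diverge from it.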
EOF
This fix introduces these dependencies:
Package: sanitize-filename (npm), version 1.6.3, security advisories: none
Copilot is powered by AI and may make mistakes. Always verify output.
if (formInfo[0].type.toLowerCase() === "html") {
sourceString = fs.readFileSync(path.join(`${__dirname}/forms/examples/${formName}.html`), "utf8");
sourceString = fs.readFileSync(path.join(`${__dirname}/custom-forms-dev/examples/${formName}.html`), "utf8");

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression (High)

This path depends on a user-provided value.

Copilot Autofix AI 12 days ago

To fix the problem, we need to ensure that the constructed file path is contained within a safe root folder. We can achieve this by normalizing the path using path.resolve to remove any ".." segments and then checking that the normalized path starts with the root folder. This will prevent path traversal attacks.

  1. Normalize the path using path.resolve.
  2. Check that the normalized path starts with the root folder.
  3. If the path is not within the root folder, return an error response.
Suggested changeset 1
packages/runtime-tools-process-dev-ui-webapp/server/MockData/controllers.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/runtime-tools-process-dev-ui-webapp/server/MockData/controllers.js b/packages/runtime-tools-process-dev-ui-webapp/server/MockData/controllers.js
--- a/packages/runtime-tools-process-dev-ui-webapp/server/MockData/controllers.js
+++ b/packages/runtime-tools-process-dev-ui-webapp/server/MockData/controllers.js
@@ -369,5 +369,15 @@
     if (formInfo[0].type.toLowerCase() === "html") {
-      sourceString = fs.readFileSync(path.join(`${__dirname}/custom-forms-dev/examples/${formName}.html`), "utf8");
+      const htmlPath = path.resolve(__dirname, `custom-forms-dev/examples/${formName}.html`);
+      if (!htmlPath.startsWith(path.resolve(__dirname, 'custom-forms-dev/examples'))) {
+        res.status(403).send("Access denied");
+        return;
+      }
+      sourceString = fs.readFileSync(htmlPath, "utf8");
     } else if (formInfo[0].type.toLowerCase() === "tsx") {
-      sourceString = fs.readFileSync(path.join(`${__dirname}/custom-forms-dev/examples/${formName}.tsx`), "utf8");
+      const tsxPath = path.resolve(__dirname, `custom-forms-dev/examples/${formName}.tsx`);
+      if (!tsxPath.startsWith(path.resolve(__dirname, 'custom-forms-dev/examples'))) {
+        res.status(403).send("Access denied");
+        return;
+      }
+      sourceString = fs.readFileSync(tsxPath, "utf8");
     }
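Review bot: this hunk guards only the `.html` and `.tsx` reads; the `.config` read a few lines above the hunk (shown in the first alert on this file) still builds its path from the raw `formName`, so applying this changeset alone leaves that alert open. The root directory is resolved inline in each branch, with single-quoted strings where the rest of the file uses double quotes; compute `const rootDir = path.resolve(__dirname, "custom-forms-dev/examples");` once above the `if`, and replace the bare `startsWith(...)` prefix test with a `path.sep`-aware comparison, because a sibling directory named `examples-anything` passes the current check.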
EOF
} else if (formInfo[0].type.toLowerCase() === "tsx") {
sourceString = fs.readFileSync(path.join(`${__dirname}/forms/examples/${formName}.tsx`), "utf8");
sourceString = fs.readFileSync(path.join(`${__dirname}/custom-forms-dev/examples/${formName}.tsx`), "utf8");

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression (High)

This path depends on a user-provided value.

Copilot Autofix AI 12 days ago

To fix the problem, we need to ensure that the formName parameter is validated and sanitized before it is used to construct file paths. We can achieve this by normalizing the path and ensuring it is contained within a safe root directory. Additionally, we can use a library like sanitize-filename to remove any special characters from the formName.

  1. Import the sanitize-filename library.
  2. Sanitize the formName parameter to remove any special characters.
  3. Normalize the path using path.resolve to remove any ".." segments.
  4. Check that the normalized path starts with the root directory.
Suggested changeset 2
packages/runtime-tools-process-dev-ui-webapp/server/MockData/controllers.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/runtime-tools-process-dev-ui-webapp/server/MockData/controllers.js b/packages/runtime-tools-process-dev-ui-webapp/server/MockData/controllers.js
--- a/packages/runtime-tools-process-dev-ui-webapp/server/MockData/controllers.js
+++ b/packages/runtime-tools-process-dev-ui-webapp/server/MockData/controllers.js
@@ -23,2 +23,3 @@
 const fs = require("fs");
+const sanitize = require("sanitize-filename");
 const confirmTravelForm = require("./forms/ConfirmTravel");
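Review bot: this is the same `require` the first suggested changeset inserts at the same line; the three suggested changesets on this file overlap from line 23 and from line 355 onward and will not apply on top of one another with `git apply`, so pick one (this third one covers all three reads and is the most complete) rather than applying each alert's fix in turn.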
@@ -355,3 +356,3 @@
     console.log(`......Get Custom Form Content: --formName:${req.params.formName}`);
-    const formName = req.params.formName;
+    const formName = sanitize(req.params.formName);
     const formInfo = formData.filter((datum) => datum.name === formName);
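Review bot: as with the first changeset, `sanitize()` silently rewrites an invalid name instead of rejecting it, and the `console.log` on the context line above still logs the raw `req.params.formName`; an allow-list regex with a 400 response would do the same job without the extra dependency and would log only a value that has already been accepted.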
@@ -364,10 +365,22 @@
 
-    const configString = fs.readFileSync(
-      path.join(`${__dirname}/custom-forms-dev/examples/${formName}.config`),
-      "utf8"
-    );
+    const configPath = path.resolve(__dirname, `custom-forms-dev/examples/${formName}.config`);
+    if (!configPath.startsWith(path.resolve(__dirname, 'custom-forms-dev/examples'))) {
+      res.status(403).send("Access denied");
+      return;
+    }
+    const configString = fs.readFileSync(configPath, "utf8");
     if (formInfo[0].type.toLowerCase() === "html") {
-      sourceString = fs.readFileSync(path.join(`${__dirname}/custom-forms-dev/examples/${formName}.html`), "utf8");
+      const sourcePath = path.resolve(__dirname, `custom-forms-dev/examples/${formName}.html`);
+      if (!sourcePath.startsWith(path.resolve(__dirname, 'custom-forms-dev/examples'))) {
+        res.status(403).send("Access denied");
+        return;
+      }
+      sourceString = fs.readFileSync(sourcePath, "utf8");
     } else if (formInfo[0].type.toLowerCase() === "tsx") {
-      sourceString = fs.readFileSync(path.join(`${__dirname}/custom-forms-dev/examples/${formName}.tsx`), "utf8");
+      const sourcePath = path.resolve(__dirname, `custom-forms-dev/examples/${formName}.tsx`);
+      if (!sourcePath.startsWith(path.resolve(__dirname, 'custom-forms-dev/examples'))) {
+        res.status(403).send("Access denied");
+        return;
+      }
+      sourceString = fs.readFileSync(sourcePath, "utf8");
     }
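Review bot: `path.resolve(__dirname, 'custom-forms-dev/examples')` is evaluated three times and the check is copied three times; a single `const rootDir` plus a small helper (for example `resolveWithin(rootDir, name)` that returns the path or `null`) would remove the duplication and make the needed `path.sep` fix a one-line change, since `startsWith` on the bare prefix accepts a sibling directory such as `examples-private`. The three `res.status(403)` branches should also agree with the first changeset on the status code; an invalid name is a 400.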
EOF
packages/runtime-tools-process-dev-ui-webapp/package.json
Outside changed files

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/runtime-tools-process-dev-ui-webapp/package.json b/packages/runtime-tools-process-dev-ui-webapp/package.json
--- a/packages/runtime-tools-process-dev-ui-webapp/package.json
+++ b/packages/runtime-tools-process-dev-ui-webapp/package.json
@@ -58,3 +58,4 @@
     "util": "^0.12.5",
-    "uuid": "^8.3.2"
+    "uuid": "^8.3.2",
+    "sanitize-filename": "^1.6.3"
   },
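Review bot: identical to the package.json patch of the first changeset; apply it once, keep the block sorted (`sanitize-filename` before `util`), and regenerate the lockfile in the same commit, which `git apply` of this patch does not do.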
EOF
This fix introduces these dependencies:
Package: sanitize-filename (npm), version 1.6.3, security advisories: none
@fantonangeli fantonangeli deleted the main-sync-20250110-153447 branch January 10, 2025 16:44
fantonangeli pushed a commit that referenced this pull request Jan 20, 2025
Sync main branch with Apache main branch
fantonangeli pushed a commit that referenced this pull request Jan 22, 2025
[20241203-165240] - Automatic PR: Sync main with main-apache