Resolve Dependabot Alerts #1891
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ryanrath
force-pushed
the
update-silex
branch
2 times, most recently
from
f907912
to
12d8c71
Compare
ryanrath
requested review from
jpwhite4,
aaronweeden,
connersaeli,
aestoltm and
eiffel777
ryanrath
added
Category:General
- There are a number of outstanding Dependabot alerts on our symfony/* dependencies from our current version of Silex. This update resolves all of them. - There are three outstanding SimpleSAMLPHP CVEs that we are unable to address via simply upgrading to a fixed version. Therefor to remediate these threats I've included patches that will be applied in the pre-build step of RPM generation ( `open_xdmod/modules/xdmod/build.json` ). Below is a list of the CVE's, the corresponding fix in SimpleSAMLPHP's github repo, the patch file to resolve the CVE and any notes. - CVE-2020-5301: Information disclosure of source code in SimpleSAMLphp. - GitHub: simplesamlphp/simplesamlphp@47968d2 - `open_xdmod/modules/xdmod/assets/simplesamlphp-CVE-2020-5031.diff` - Notes: The file that is patched in the original commit does not exist in our version of the library so I identified the equivalent file in our library, `www/errorreport.php`, and updated that instead. - CVE-2020-5225: Log injection in SimpleSAMLphp - Github: simplesamlphp/simplesamlphp@4623851 - `open_xdmod/modules/xdmod/assets/simplesamlphp-CVE-2020-5225.diff` - `open_xdmod/modules/xdmod/assets/setup.sh` - removing lines that are either no longer accurate ( echo ) or commented out ( composer install ) - `open_xdmod/modules/xdmod/build.json` - Since the build process happens twice during a CI build, once during the initial build and again during the qa tests for the build test, and we are patching files in vendor/simplesamlphp/simplesamlphp we need to make sure that we start fresh for each build. - `tests/ci/qa-test-setup.sh` - Added some code to capture the `COMPOSER` env variable before changing it so that we can reset it to the original value after the qa setup process is done.
ryanrath
added a commit
to ryanrath/xdmod
that referenced
this pull request
Aug 6, 2024
This patch sets up the patch pipeline in `build.json` and updates a few files that will cause issues during the CI / QA tests / build process. These changes originated in ubccr#1891 ( which will be merged in 11.5 ).
3 tasks
ryanrath
added a commit
to ryanrath/xdmod
that referenced
this pull request
Aug 7, 2024
This patch sets up the patch pipeline in `build.json` and updates a few files that will cause issues during the CI / QA tests / build process. These changes originated in ubccr#1891 ( which will be merged in 11.5 ).
ryanrath
added a commit
that referenced
this pull request
Aug 8, 2024
* Providing patch for CVE-2019-10913 This patch sets up the patch pipeline in `build.json` and updates a few files that will cause issues during the CI / QA tests / build process. These changes originated in #1891 ( which will be merged in 11.5 ).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Note: The upgrade won't pass because the patch files have lines that have trailing whitespace in them. But if the whitespace is removed the patches no longer work soooo... yeah, that's a thing.
Description
.circleci/config.yml:mongodbto specifically install version1.19.3, which is the current version, as we've been bitten more than once by not explicitly specifying which version we want. A point of discussion for this could be do we want to install the latest dependencies? If so, where do we want to install these dependencies? i.e. in the CI build? In the production build? etc.BaseControllerProvider.php: the namespace for theControllerProviderInterface;interface changed in the latest version of Silex ( fromSilex\ControllerProviderInterfacetoSilex\Api\ControllerProviderInterface).XdmodApplicationFactory.php:UrlGeneratorServiceProviderhas been changed toRoutingServiceProvider.app->sharefunction, you just use an anonymous function.Request $requestargument has been added to the anonymous function called by the$app->errorhelperfunction.
composer.json:v2.3.0, this resolves the following dependabot alerts:vendor/symfony/http-kernel/HttpCache/Store.php. Specifically lines49-51, and228-230.v4.4.49is >=3.4.35.vendor/symfony/http-foundation/File/MimeType/FileBinaryMimeTypeGuesser.phpvendor/symfony/http-foundation/Request.phpvendor/symfony/http-kernel/UriSigner.phpvendor/symfony/http-foundation/Request.phpmongodb/mongodbto the latest versionv1.19.0open_xdmod/modules/xdmod/assets/setup.sh:cdwas causing the composer dependencies ofqato be installed in the xdmod directory. This probably wasn't a problem or caught before because we were not previously patching files.cd $xdmod_dirto apushd | popdso that we reset the cwd after the script runs.open_xdmod/modules/xdmod/build.jsontests/ci/scripts/qa-test-setup.sh:$COMPOSERenv variable so that we can restore it after we're done installing the qa dependencies.SimpleSAMLphp Patches
www/errorreport.php):open_xdmod/modules/xdmod/assets/simplesamlphp-CVE-2020-5225.patchopen_xdmod/modules/xdmod/assets/simplesamlphp-CVE-2020-5301.patchisValidURLalready exists inUtils/Http.phpin the version that we're using, that's why only the change topostredirect.phphas been included in the patch file.Motivation and Context
We have a number of Dependabot Alerts that should probably be resolved. The following changes should do that for the
symfony/*andsimplesamlphp/simplesamlphpdependencies.Tests performed
All automated tests pass.
Checklist: