-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Develop an automatic test to detect new security flaws in the code #1615
Comments
Issue updateHaving into account the investigation done in the issue: wazuh/wazuh#7971, I will try to develop this automatic test using Useful Bandit parameters:
Testing the framework:
will show framework vulnerabilities with confidence MEDIUM and HIGH. These are the issues we are looking for, as we will avoid issues shown by Bandit with lower confidence level. We must ignore vulnerabilities detected in tests as they are not related to the code itself. The output of this command could be redirected to a temporal file and may be parsed. The problem is the output would be difficult to decode. Output example for
output.txt
I am investigating Bandit report formatters that could be useful for the output that will generate our test: https://bandit.readthedocs.io/en/latest/formatters/index.html The format could be: csv, custom, html, json, screen, text, xml, yaml. In our case, the most interesting ones may be |
Issue updateUseful Bandit parameters:
Reports like the folllowing can be created, they will be useful for a future integration in our automation environment: We will use In the test that is going to be created in this issue, no The command that will be used in our test will be the following:
That command will generate a JSON report whith the possible vulnerabilities detected by Bandit. The test will pass if the detected vulnerabilities are 0. As investigated in the issue wazuh/wazuh#7998, there are some vulnerabilities that could be ignored, as they are not real vulnerabilities. Vulnerabilities will never be 0 because of this false positives. In order to ignore them, this test will compare all the vulnerabilities detected with a list of known vulnerabilities (false positives and vulnerabilities to fix). If there are new vulnerabilities, the test will fail and we will have to study whether the possible flaws are dangerous or not. In case they are false positives, we will add them to the known_flaws list (that will be a simple txt file). When fixing a known vulnerability or flaw, we will remove its entry in the respective known_flaws list. |
API - Possible vulnerabilitiesTotal of possible flaws in
|
Framework - Possible vulnerabilitiesTotal of possible flaws in Subprocess calls (11 flaws)
All of the flaws are due to the use of In order to investigate the possible vulnerabilities, the following issue was opened: wazuh/wazuh#10144 XML calls (2 flaws)Issue text: Using tostring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace tostring with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called. Issue text: Using ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called. As bandit indicates, in this case it is always convenient to use Issue opened and flaws reported. wazuh/wazuh#10113 Chmod setting a permissive mask (2 flaws)Issue text: Chmod setting a permissive mask 0o770 on file (group_path). Issue text: Chmod setting a permissive mask 0o750 on file (agent_backup_dir). A MEDIUM warning is generated if a file is set to group executable and a HIGH warning is reported if a file is set world writable. In this case, both possible flaws are reported with severity MEDIUM so the file is set to group executable. This should not be considered a flaw as it is a Wazuh functional requirement. Issue opened and flaws reported. wazuh/wazuh#10145 Use of insecure MD2, MD4, MD5, or SHA1 hash function (3 flaws)
Create issue to investigate if it is possible to use SHA256 or a different secure cryptograpthic algorithm. Issue opened and flaws reported. wazuh/wazuh#10114 Possible binding to all interfaces (2 flaws)This flaw told us that we are exposing something from all network interfaces.
Bandit is reporting this:
as a possible binding from all interfaces. This may not be a real flaw as this is part of the design of the cluster. Issue opened: wazuh/wazuh#10146 Probable insecure usage of temp file/directory (2 flaws)This is a hardcoded temporary directory. We could investigate if we could generate a temporary one in a safer way (the tmpfile library can create it by its own): https://docs.openstack.org/bandit/1.4.0/plugins/hardcoded_tmp_directory.html Issue opened and flaws reported. wazuh/wazuh#10115 Possible SQL injection vector through string-based query construction (5 flaws)
Issue opened to investigate this flaw: wazuh/wazuh#10147 Pseudo-random generators (1 flaw)Issue text: Standard pseudo-random generators are not suitable for security/cryptographic purposes This random number is used to set the name of the compressed data for the integrity synchronization process in cluster. The temporary file is created using the node name, so we can guaranteee that the files will never be overwritten. Despite this, an issue has been created to investigate it: wazuh/wazuh#10154 |
Wazuh modules - Possible vulnerabilitiesTotal of possible flaws in wodles/: 13 Standard pseudo-random generators (1 flaw)The flaw: Standard pseudo-random generators are not suitable for security/cryptographic purposes. Has already been studied in wazuh/wazuh#7998 and an issue was opened to investigate and fix it. The issue opened is wazuh/wazuh#8347. Use of insecure MD2, MD4, MD5, or SHA1 hash function (3 flaws)
This is not a problem since the data handled are not critical and are only used internally by the wodle, so there is no decoding possibility. Despite this, we could open an issue to investigate and use secure hash functions, similar to the same possible flaws found in framework. Issue opened: wazuh/wazuh#10116 Subprocess calls (7 flaws)The issue wazuh/wazuh#8347 was opened to investigate and avoid these subprocess calls.
Diferent to the subprocess calls found in framework, now we can see that we make subprocess calls with command line arguments. Example:
arg_file is created from argv and the function extract_profiles_from_file uses subprocess. Use of eval: insecure function (2 flaws)Issue text: Use of possibly insecure function - consider using safer ast.literal_eval. This was also reported in wazuh/wazuh#8347 as we should consider using a safer function instead of eval. Try, Except, Pass detected (1 flaw)Issue text: Try, Except, Pass detected. Issue opened to investigate this possible vulnerability: wazuh/wazuh#10155 |
Issue update - SummaryTo sum up, I have created 12 new issues reporting the possible vulnerabilities found in the These issues have been grouped in an epic one: wazuh/wazuh#10125 |
Hi team,
In this PR we aim to automate the process of analyzing code for vulnerabilities in order to avoid uploading vulnerable code. This test should be run whenever Python related code is modified, such as the code in the API, Framework and Wodles folders.
ToDo
Best regards,
Adrián Peña
The text was updated successfully, but these errors were encountered: