From 2bb98e3b3769d4bf66c22b65d154a49b91776cff Mon Sep 17 00:00:00 2001
From: Konrad-Pomian
Date: Mon, 16 Dec 2024 11:23:13 +0100
Subject: [PATCH 1/2] Issue #4205 - Update docker version in amd64_anax to 26.1.4
Signed-off-by: Konrad-Pomian
---
 anax-in-container/Dockerfile.ubi.amd64 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/anax-in-container/Dockerfile.ubi.amd64 b/anax-in-container/Dockerfile.ubi.amd64
index 89ba724fe..e1143947d 100644
--- a/anax-in-container/Dockerfile.ubi.amd64
+++ b/anax-in-container/Dockerfile.ubi.amd64
@@ -4,7 +4,7 @@ LABEL vendor="IBM"
 LABEL summary="The agent in a general purpose container."
 LABEL description="A container which holds the edge node agent, to be used in environments where there is no operating system package that can install the agent natively."
-ARG DOCKER_VER=24.0.9
+ARG DOCKER_VER=26.1.4
 # The anax binary (secrets manager code) shells out to groupadd, groupdel (from shadow-utils), pkill (from procps-ng)
 # The anax.service calls jq (from jq) and killall (from psmisc)
From 4e2951ccbe631b697d4f6eed36b999e6f7f5c7af Mon Sep 17 00:00:00 2001
From: Oleksandr Mordyk
Date: Mon, 16 Dec 2024 04:55:42 -0800
Subject: [PATCH 2/2] Issue #4208 - Fix vulnerability CWE-113
Signed-off-by: Oleksandr Mordyk
---
 agreementbot/api.go | 16 +++++++++++++++-
 api/api.go | 16 +++++++++++++++-
 2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/agreementbot/api.go b/agreementbot/api.go
index ba2dc8453..2e16418c7 100644
--- a/agreementbot/api.go
+++ b/agreementbot/api.go
@@ -16,6 +16,7 @@ import (
 "github.com/open-horizon/anax/worker"
 "io/ioutil"
 "net/http"
+ "regexp"
 "sort"
 "sync"
 "time"
@@ -318,11 +319,24 @@ func (a *API) listen(apiListen string) {
 return
 }
+ isValidInput := func(input string) bool {
+ // Check for CR or LF characters in input
+ re := regexp.MustCompile(`[\r\n]`)
+ return !re.MatchString(input)
+ }
+
 nocache := func(h http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 w.Header().Add("Cache-Control", "no-cache, no-store, must-revalidate")
 w.Header().Add("Pragma", "no-cache, no-store")
- w.Header().Add("Access-Control-Allow-Origin", r.Header.Get("Origin"))
+
+ input := r.Header.Get("Origin")
+ if !isValidInput(input) {
+ http.Error(w, "Input contains invalid newline characters (CR/LF)", http.StatusBadRequest)
+ return
+ }
+
+ w.Header().Add("Access-Control-Allow-Origin", input)
 w.Header().Add("Access-Control-Allow-Headers", "X-Requested-With, content-type, Authorization")
 w.Header().Add("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH, OPTIONS")
 h.ServeHTTP(w, r)
diff --git a/api/api.go b/api/api.go
index 978e8c291..6649add85 100644
--- a/api/api.go
+++ b/api/api.go
@@ -13,6 +13,7 @@ import (
 "github.com/open-horizon/anax/policy"
 "github.com/open-horizon/anax/worker"
 "net/http"
+ "regexp"
 "sync"
 )
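Review bot: `isValidInput` recompiles its pattern on every request, because `regexp.MustCompile` sits inside the closure that runs per call on the added lines right after the hunk's opening `}`; `return !strings.ContainsAny(input, "\r\n")` performs the same check with no regexp (and no new `regexp` import, provided `strings` is already imported), or at minimum the pattern should be compiled once at package scope. The identical closure is added to api/api.go in the following hunk, so one shared helper would keep the two checks from drifting. Note that the Go net/http server already replaces CR and LF in response header values with spaces when writing them, so this check is defence in depth rather than the only barrier, and the visible lines still reflect whatever Origin the request sends into Access-Control-Allow-Origin unchanged, which the new check does not narrow. A comment such as `// reject CR/LF so the reflected Origin cannot span header lines (CWE-113); the origin value itself is not allow-listed here` would make the scope of the fix explicit. The enclosing listen function starts before and ends after this hunk.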
@@ -133,11 +134,24 @@ func (a *API) router(includeStaticRedirects bool) *mux.Router {
 func (a *API) listen(cfg *config.HorizonConfig) {
 glog.Info(apiLogString(fmt.Sprintf("Starting Anax API server")))
+ isValidInput := func(input string) bool {
+ // Check for CR or LF characters in input
+ re := regexp.MustCompile(`[\r\n]`)
+ return !re.MatchString(input)
+ }
+
 nocache := func(h http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 w.Header().Add("Cache-Control", "no-cache, no-store, must-revalidate")
 w.Header().Add("Pragma", "no-cache, no-store")
- w.Header().Add("Access-Control-Allow-Origin", r.Header.Get("Origin"))
+
+ input := r.Header.Get("Origin")
+ if !isValidInput(input) {
+ http.Error(w, "Input contains invalid newline characters (CR/LF)", http.StatusBadRequest)
+ return
+ }
+
+ w.Header().Add("Access-Control-Allow-Origin", input)
 w.Header().Add("Access-Control-Allow-Headers", "X-Requested-With, content-type, Authorization")
 w.Header().Add("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH, OPTIONS")
 h.ServeHTTP(w, r)