Github remote repository LicenseURL guessing through GithubAPI #131
Conversation
️✅ There are no secrets present in this pull request anymore.If these secrets were true positive and are still valid, we highly recommend you to revoke them. 🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request. |
![sonatype-lift[bot]](https://avatars.githubusercontent.com/in/9843?s=60&v=4){kind=small}
| } | ||
|
|
||
| String command = "curl -H \"Accept: application/vnd.github+json\" -H \"Authorization: token "+ token + "\" -i " + link; | ||
| ProcessBuilder processBuilder = new ProcessBuilder(command.split(" ")); |
There was a problem hiding this comment.
COMMAND_INJECTION: This usage of java/lang/ProcessBuilder.([Ljava/lang/String;)V can be vulnerable to Command Injection
ℹ️ Learn about @sonatype-lift commands
You can reply with the following commands. For example, reply with @sonatype-lift ignoreall to leave out all findings.
| Command | Usage |
|---|---|
@sonatype-lift ignore |
Leave out the above finding from this PR |
@sonatype-lift ignoreall |
Leave out all the existing findings from this PR |
@sonatype-lift exclude <file|issue|path|tool> |
Exclude specified file|issue|path|tool from Lift findings by updating your config.toml file |
Note: When talking to LiftBot, you need to refresh the page to see its response.
Click here to add LiftBot to another repo.
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
There was a problem hiding this comment.
@pgarus97 : Lift is marking this as a security issue (possible command injection). Independently of this security issue: Why do we spawn a separate operating system process just to do a simple HTTP GET here? To be independent of the underlying operating system (curl command) we should use Java/Spring functionality to do the web call. This can be done e.g. using RestTemplate (which is or will soon be deprecated) or (preferably) the newer WebClient.
Dependency needed for RestTemplate:
org.springframework.boot
spring-boot-starter-web
and for WebClient:
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-webflux</artifactId>
pgarus97
force-pushed
the
OrtReaderLicenseUrlAPI
branch
from
0b8add8
to
084d09d
Compare
This pull request extends the functionality of the ORT Reader by allowing to fill the LicenseURL column in the generated inventory.
It introduces following functions:
-> This helps the ORT Reader to properly function as the input file in most cases only contains github remote repository links.