Merge pull request #24 from italia/security/fix-code-sec-vulnerabilities

Security/fix code sec vulnerabilities

CHANGELOG.md

@@ -4,6 +4,15 @@ Tutte le modifiche importanti a questo progetto saranno documentate in questo fi
 Il formato è basato su [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 e questo progetto aderisce a [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.2.1] - 2022-01-16
+### Fixed
+- CWE-23: Relative Path Traversal
+- CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')
+- CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
+- SC2086: Double quote to prevent globbing and word splitting
+- SC2129: Consider using { cmd1; cmd2; } >> file instead of individual redirects
+
+
 ## [2.2.0] - 2022-01-16
 ### Changed
 - Aggiornamento versione di Ubunto da 20.04 a 22.04

Dockerfile

@@ -43,8 +43,10 @@ RUN apt update \
     && apt install -y apache2 \
     && apt install -y ca-certificates \
     && apt install -y php libapache2-mod-php \
-    && apt install -y python2 \
+    && apt install -y python3 \
     && apt install -y cron \
+    && apt install -y pip \
+    && pip install lxml \
     && rm -rf /var/lib/apt/lists/*
 
 COPY scripts/parse-gov-certs.py /usr/local/bin/

LICENSE.md

@@ -2,7 +2,7 @@ MIT License
 
 Apache 2.4 per SmartCard TS-CNS (Tessera Sanitaria - Carta Nazionale Servizi)
 
-Copyright (c) 2022 Antonio Musarra's Blog - https://www.dontesta.it
+Copyright (c) 2024 Antonio Musarra's Blog - https://www.dontesta.it
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.markdown

@@ -165,8 +165,10 @@ RUN apt update \
     && apt install -y apache2 \
     && apt install -y ca-certificates \
     && apt install -y php libapache2-mod-php \
-    && apt install -y python \
+    && apt install -y python3 \
     && apt install -y cron \
+    && apt install -y pip \
+    && pip install lxml \
     && rm -rf /var/lib/apt/lists/*
 ```
 
@@ -659,7 +661,7 @@ pubblicato recentemente su [Antonio Musarra's Blog](https://www.dontesta.it).
 ## Project License
 The MIT License (MIT)
 
-Copyright © 2022 Antonio Musarra's Blog - [https://www.dontesta.it](https://www.dontesta.it "Antonio Musarra's Blog"), 
+Copyright © 2024 Antonio Musarra's Blog - [https://www.dontesta.it](https://www.dontesta.it "Antonio Musarra's Blog"), 
 [[email protected]](mailto:[email protected] "Antonio Musarra Email")
 
 Permission is hereby granted, free of charge, to any person obtaining a copy

scripts/auto-update-gov-certificates

@@ -10,13 +10,16 @@ rm -rf "${GOV_TRUST_CERTS_OUTPUT_PATH}"
 
 echo "$(date "+%FT%T") Downloading Gov Certificates..." >> "${LOG_FILE}"
 /usr/local/bin/parse-gov-certs.py \
-    --output-folder ${GOV_TRUST_CERTS_OUTPUT_PATH} \
-    --service-type-identifier ${GOV_TRUST_CERTS_SERVICE_TYPE_IDENTIFIER}
+    --output-folder "${GOV_TRUST_CERTS_OUTPUT_PATH}" \
+    --service-type-identifier "${GOV_TRUST_CERTS_SERVICE_TYPE_IDENTIFIER}"
 
-echo "$(date "+%FT%T") Downloading Gov Certificates...[END]" >> "${LOG_FILE}"
+{
+    echo "$(date "+%FT%T") Downloading Gov Certificates...[END]"
+
+    echo "$(date "+%FT%T") Save Gov Certificates into ${GOV_TRUST_CERTS_OUTPUT_PATH}"
+    echo "$(date "+%FT%T") Copy Gov Certificates into /etc/ssl/certs/"
+} >> "${LOG_FILE}"
 
-echo "$(date "+%FT%T") Save Gov Certificates into ${GOV_TRUST_CERTS_OUTPUT_PATH}" >> "${LOG_FILE}"
-echo "$(date "+%FT%T") Copy Gov Certificates into /etc/ssl/certs/" >> "${LOG_FILE}"
 cp "${GOV_TRUST_CERTS_OUTPUT_PATH}"/*.pem /etc/ssl/certs/
 
 echo "$(date "+%FT%T") Re-Hashing /etc/ssl/certs/..." >> "${LOG_FILE}"

scripts/parse-gov-certs.py

@@ -1,4 +1,4 @@
-#!/usr/bin/env python2
+#!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 # Copyright (C) Marco Trevisan
 #
@@ -33,10 +33,11 @@
 # Current XML file:
 #  - https://eidas.agid.gov.it/TL/TSL-IT.xml
 
+from pathlib import Path
+from lxml import etree
 import argparse
 import re
 import sys
-import xml.etree.ElementTree as ET
 import textwrap
 import os
 
@@ -59,11 +60,29 @@ def write_certificate(f, x509_cert):
     f.write(line+'\n')
   f.write('-----END CERTIFICATE-----\n')
 
-def get_service_info(service):
-  name = service.find("*/"+ns+"Name").text
-  x509_cert = service.find("*//"+ns+"X509Certificate").text
+def get_service_info(service, namespace):
+  name = service.find("*/"+namespace+"Name").text
+  x509_cert = service.find("*//"+namespace+"X509Certificate").text
   return {'name': name, 'x509_cert': x509_cert}
 
+def safe_open(file_path, base_path, mode='r'):
+    # Get absolute path of the base directory
+    base_path = os.path.abspath(base_path)
+
+    # Join the base directory and the user-provided file path
+    full_path = os.path.join(base_path, file_path)
+
+    # Get the absolute path of the resulting path
+    full_path = os.path.abspath(full_path)
+
+    # Check if the resulting path is still within the base directory
+    if not full_path.startswith(base_path):
+        raise ValueError("File path is outside allowed area")
+
+    # If everything is okay, open the file
+    # file deepcode ignore PT: only point to use this function
+    return open(full_path, mode)
+
 parser = argparse.ArgumentParser()
 action = parser.add_mutually_exclusive_group(required=True)
 action.add_argument("--output-folder", help="Where to save the certs files")
@@ -89,29 +108,45 @@ def get_service_info(service):
 
 
 if args.cert_file:
-  tree = ET.parse(args.cert_file)
+  tree = etree.parse(args.cert_file)
   root = tree.getroot()
 else:
-  root = ET.fromstring(get_certs_xml().read())
+  root = etree.fromstring(get_certs_xml().read())
 
 try:
-  [ns] = re.findall("({[^}]*}).*", root.tag)
+  [default_namespace] = re.findall("({[^}]*}).*", root.tag)
 except:
-  ns = ""
+  default_namespace = ""
+
+print("Namespace: `%s`", default_namespace)
 
-print("Namespace: `%s`", ns)
+# Dizionario dei namespace
+ns = {
+    "tsl": default_namespace.strip("{}")
+}
 
 if args.service_type_identifier:
-    services = root.findall(ns+"TrustServiceProviderList//"+ns+"TSPService/"+ns+"ServiceInformation["+ns+"ServiceTypeIdentifier='"+args.service_type_identifier+"']")
+    # Definiamo il dizionario delle variabili XPath
+    variables = {"service_type_identifier": args.service_type_identifier}
+
+    # Define the XPath query with a placeholder for the parameter
+    query = "//tsl:ServiceInformation[tsl:ServiceTypeIdentifier=$service_type_identifier]"
+
+    # Use the query with the parameter
+    services = root.xpath(query, namespaces=ns, **variables)
 else:
-    services = root.findall(ns+"TrustServiceProviderList//"+ns+"TSPService/"+ns+"ServiceInformation")
+    # Define the XPath query with a placeholder for the parameter
+    query = "//tsl:TrustServiceProviderList//tsl:TSPService/tsl:ServiceInformation"
+
+    # Use the query with the parameter
+    services = root.xpath(query, namespaces=ns)
 
 if args.output_folder:
   for service in services:
-    try:
-      info = get_service_info(service)
+    try:      
+      info = get_service_info(service, default_namespace)
       name = re.sub('[A-z]{1,2}=', '_', re.sub('[/\,\' "]', '_', info['name'])).replace('__', '_').strip('_- ')
-      filename = args.output_folder+os.path.sep+name
+      filename = name
 
       idx = 1
       tmpname = filename
@@ -120,7 +155,7 @@ def get_service_info(service):
         idx += 1
       filename = tmpname+EXTENSION
 
-      f = open(filename, 'w')
+      f = safe_open(filename, args.output_folder, 'w')
       write_certificate(f, info['x509_cert'])
       f.close()
       print("Added certificate: %s" % filename)
@@ -130,7 +165,7 @@ def get_service_info(service):
       pass
 
 else:
-  f = open(args.output_file, 'w')
+  f = safe_open(args.output_file, '/', 'w')
 
   for service in services:
     try: