From 1a06153655be4fe97f99fa5d07277b248c2c90e2 Mon Sep 17 00:00:00 2001 From: Salamandar <6552989+Salamandar@users.noreply.github.com> Date: Sat, 24 Feb 2024 12:09:38 +0100 Subject: [PATCH 1/7] Fix nginx test grep will return 0 when it finds matches. In our case, when it finds matches, we need to print the warning. --- package_linter.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package_linter.py b/package_linter.py index 9e3d439..504581e 100755 --- a/package_linter.py +++ b/package_linter.py @@ -1447,7 +1447,7 @@ class Configurations(TestSuite): cmd = 'grep -q -IhEro "location ~ __PATH__" %s' % (app.path + "/conf/" + filename) - if os.system(cmd) != 0: + if os.system(cmd) == 0: yield Info( "When using regexp in the nginx location field (location ~ __PATH__), start the path with ^ (location ~ ^__PATH__)." ) From d9d08762ff554d5c67a35b868e89e1ad96b79c48 Mon Sep 17 00:00:00 2001 From: Tagada <36127788+Tagadda@users.noreply.github.com> Date: Tue, 5 Mar 2024 21:00:23 +0100 Subject: [PATCH 2/7] Revert " Downgrade misc_nginx_check_regex_in_location from Warning to Info" --- package_linter.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package_linter.py b/package_linter.py index 504581e..c7a3244 100755 --- a/package_linter.py +++ b/package_linter.py @@ -1448,7 +1448,7 @@ class Configurations(TestSuite): cmd = 'grep -q -IhEro "location ~ __PATH__" %s' % (app.path + "/conf/" + filename) if os.system(cmd) == 0: - yield Info( + yield Warning( "When using regexp in the nginx location field (location ~ __PATH__), start the path with ^ (location ~ ^__PATH__)." ) From 8191361d502d368398b18a42103035fbb3989bb0 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Thu, 7 Mar 2024 03:04:53 +0100 Subject: [PATCH 3/7] ci: add autoblacks actions --- .github/autoblack.yml | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 .github/autoblack.yml 
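Review bot: The corrected `if os.system(cmd) == 0:` still hands the shell a string into which `app.path + "/conf/" + filename` is interpolated unquoted on the context line above, so a path containing a space or a shell metacharacter breaks the grep, and if the linted app path is ever attacker-chosen (a third-party package under review) it is executed. The exit-status test itself is right now (grep -q exits 0 on a match, 1 on none, 2 on an unreadable file), but the command should be an argument list: `matched = subprocess.run(["grep", "-q", "-IhEro", "location ~ __PATH__", os.path.join(app.path, "conf", filename)], check=False).returncode == 0` followed by `if matched:` (add `import subprocess` if the file does not already have it). Exit status 2 is then treated as "no match", which is acceptable for a lint but deserves a one-line comment. The enclosing test method starts before and ends after this hunk.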
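Review bot: Now that the finding is a Warning, the grep pattern on the context line above, `location ~ __PATH__`, still misses nginx's case-insensitive regex form `location ~* __PATH__`, which has the same unanchored-match problem; `grep -q -IhEr "location ~\*? __PATH__"` would cover both (and `-o` does nothing useful alongside `-q`). It would also help packagers to state in the message why this is a warning: an unanchored regex location is matched anywhere in the request URI, so a request for some other path that merely contains `__PATH__` can, as far as nginx's location semantics go, be routed into this app's block and past the protection the app-specific location was meant to provide. The enclosing test method starts before and ends after this hunk.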
diff --git a/.github/autoblack.yml b/.github/autoblack.yml
new file mode 100644
index 0000000..761222b
--- /dev/null
+++ b/.github/autoblack.yml
@@ -0,0 +1,35 @@
+name: Check / auto apply Black
+on:
+ push:
+ branches:
+ - master
+jobs:
+ black:
+ name: Check / auto apply black
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Check files using the black formatter
+ uses: psf/black@stable
+ id: black
+ with:
+ options: "."
+ continue-on-error: true
+ - shell: pwsh
+ id: check_files_changed
+ run: |
+ # Diff HEAD with the previous commit
+ $diff = git diff
+ $HasDiff = $diff.Length -gt 0
+ Write-Host "::set-output name=files_changed::$HasDiff"
+ - name: Create Pull Request
+ if: steps.check_files_changed.outputs.files_changed == 'true'
+ uses: peter-evans/create-pull-request@v6
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ title: "Format Python code with Black"
+ commit-message: ":art: Format Python code with Black"
+ body: |
+ This pull request uses the [psf/black](https://github.com/psf/black) formatter.
+ base: ${{ github.head_ref }} # Creates pull request onto pull request or commit branch
+ branch: actions/black
From cbf5adfd251148900a7fc344907fadac3f00a4d2 Mon Sep 17 00:00:00 2001
From: OniriCorpe
Date: Fri, 1 Mar 2024 08:33:03 +0100
Subject: [PATCH 4/7] add PULL_REQUEST_TEMPLATE.md
---
.github/PULL_REQUEST_TEMPLATE.md | 12 ++++++++++++
1 file changed, 12 insertions(+)
create mode 100644 .github/PULL_REQUEST_TEMPLATE.md
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 0000000..f90230b
--- /dev/null
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,12 @@
+## Problem
+
+- *Description of why you made this PR, what is its purpose*
+
+## Solution
+
+- *And how do you relevantly fix that problem*
+
+## PR checklist
+
+- [ ] PR finished and ready to be reviewed
+ 
\ No newline at end of file
From 788b9aa7696ed6e2467d4b9269275021de5eac73 Mon Sep 17 00:00:00 2001
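Review bot: The workflow declares no `permissions:` block, so the `GITHUB_TOKEN` passed to `peter-evans/create-pull-request@v6` carries whatever the repository's default token scope is (read/write on everything for older repositories); restrict it to what the job needs with `permissions:` / `contents: write` / `pull-requests: write` on the `black` job. All three actions are referenced by mutable tags (`actions/checkout@v4`, `psf/black@stable`, `peter-evans/create-pull-request@v6`), and `@stable` in particular moves with every Black release, so pin each to a commit SHA with the tag kept in a trailing comment. Two smaller points: `::set-output` is deprecated in favour of appending `files_changed=$HasDiff` to the file named by `$env:GITHUB_OUTPUT`, and on a `push` trigger `github.head_ref` is empty, so `base:` presumably falls back to the action's default rather than the "commit branch" the inline comment describes.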
From: Sylvain
Date: Sun, 10 Mar 2024 17:04:42 +0100
Subject: [PATCH 5/7] Fix #138
---
package_linter.py | 45 +++++++++++++++++++++++----------------------
1 file changed, 23 insertions(+), 22 deletions(-)
diff --git a/package_linter.py b/package_linter.py
index c7a3244..ee9a7d1 100755
--- a/package_linter.py
+++ b/package_linter.py
@@ -1565,30 +1565,31 @@ class Configurations(TestSuite): @test() def bind_public_ip(self): app = self.app - for filename in ( - os.listdir(app.path + "/conf") if os.path.exists(app.path + "/conf") else [] + for path, subdirs, files in ( + os.walk(app.path + "/conf") if os.path.exists(app.path + "/conf") else [] ): - try: - content = open(app.path + "/conf/" + filename).read() - except Exception as e: - yield Warning("Can't open/read %s: %s" % (filename, e)) - return + for filename in files: + try: + content = open(os.path.join(path, filename)).read() + except Exception as e: + yield Warning("Can't open/read %s: %s" % (os.path.join(path, filename), e)) + return - for number, line in enumerate(content.split("\n"), 1): - comment = ("#", "//", ";") - if ( - ( "0.0.0.0" in line or "::" in line ) - and not line.strip().startswith(comment) - ): - for ip in re.split("[ \t,='\"(){}\[\]]", line): - if ip == "::" or ip.startswith("0.0.0.0"): - yield Info( - f"(unknown):{number}: Binding to '0.0.0.0' or '::' can result " - "in a security issue as the reverse proxy and the SSO can be " - "bypassed by knowing a public IP (typically an IPv6) and the " - "app port. lease be sure that this behavior is intentional. " - "Maybe use '127.0.0.1' or '::1' instead." - ) + for number, line in enumerate(content.split("\n"), 1): + comment = ("#", "//", ";") + if ( + ( "0.0.0.0" in line or "::" in line ) + and not line.strip().startswith(comment) + ): + for ip in re.split("[ \t,='\"(){}\[\]]", line): + if ip == "::" or ip.startswith("0.0.0.0"): + yield Info( + f"{os.path.join(path, filename)}:{number}: Binding to '0.0.0.0' or '::' can result " + "in a security issue as the reverse proxy and the SSO can be " + "bypassed by knowing a public IP (typically an IPv6) and the " + "app port. lease be sure that this behavior is intentional. " + "Maybe use '127.0.0.1' or '::1' instead." + ) ############################################# # __ __ _ __ _ # 
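Review bot: In the new inner loop the `return` after `yield Warning("Can't open/read ...")` still aborts the whole check on the first unreadable file, and with `os.walk` now recursing into subdirectories a single binary or non-UTF-8 file under conf/ will raise inside `open(...).read()`, be caught by the broad `except Exception`, and silently skip every remaining file — for a check whose job is to catch public bind addresses that means missed findings, not just noise. Use `continue`, read with `errors="replace"` so undecodable bytes cannot trip the handler, close the file with `with`, and narrow the except to `OSError`; `subdirs` is unused and can be `_subdirs`. The typo in the message is fixed by a later patch in this series. `bind_public_ip` lies entirely within this hunk; the enclosing class does not.

```python
        for path, _subdirs, files in (
            os.walk(app.path + "/conf") if os.path.exists(app.path + "/conf") else []
        ):
            for filename in files:
                full_path = os.path.join(path, filename)
                try:
                    # errors="replace": a stray binary/non-UTF-8 file must not abort the scan
                    with open(full_path, errors="replace") as f:
                        content = f.read()
                except OSError as e:
                    yield Warning("Can't open/read %s: %s" % (full_path, e))
                    continue  # keep scanning the remaining conf files
                # … unchanged: per-line scan for 0.0.0.0 / :: and the Info message …
```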
From 2e4e5cf37e16b11380811f945c7d8f62c72748a5 Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 11 Mar 2024 03:40:09 +0100 Subject: [PATCH 6/7] Fix showed path in 'bind_public_ip' message --- package_linter.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/package_linter.py b/package_linter.py index ee9a7d1..758ffb4 100755 --- a/package_linter.py +++ b/package_linter.py @@ -1584,10 +1584,11 @@ class Configurations(TestSuite): for ip in re.split("[ \t,='\"(){}\[\]]", line): if ip == "::" or ip.startswith("0.0.0.0"): yield Info( - f"{os.path.join(path, filename)}:{number}: Binding to '0.0.0.0' or '::' can result " - "in a security issue as the reverse proxy and the SSO can be " - "bypassed by knowing a public IP (typically an IPv6) and the " - "app port. lease be sure that this behavior is intentional. " + f"{os.path.relpath(path, app.path)}:{number}: " + "Binding to '0.0.0.0' or '::' can result in a security issue " + "as the reverse proxy and the SSO can be bypassed by knowing " + "a public IP (typically an IPv6) and the app port. " + "Please be sure that this behavior is intentional. " "Maybe use '127.0.0.1' or '::1' instead." ) From 20a7c8ea2a21e16ce313eb8270b7e5ac7385146c Mon Sep 17 00:00:00 2001 From: OniriCorpe Date: Mon, 11 Mar 2024 03:44:02 +0100 Subject: [PATCH 7/7] ouspi, forgot the filename --- package_linter.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package_linter.py b/package_linter.py index 758ffb4..9beaf75 100755 --- a/package_linter.py +++ b/package_linter.py 
@@ -1584,7 +1584,7 @@ class Configurations(TestSuite):
for ip in re.split("[ \t,='\"(){}\[\]]", line):
if ip == "::" or ip.startswith("0.0.0.0"):
yield Info(
- f"{os.path.relpath(path, app.path)}:{number}: "
+ f"{os.path.relpath(path, app.path)}/(unknown):{number}: "
"Binding to '0.0.0.0' or '::' can result in a security issue "
"as the reverse proxy and the SSO can be bypassed by knowing "
"a public IP (typically an IPv6) and the app port. "
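Review bot: The added line prints the literal placeholder `(unknown)` where the file name belongs, so the report still does not say which conf file binds to a public address; the subject says the filename was forgotten, but the fix inserts a constant instead of `filename`, which is in scope from the enclosing `for filename in files` loop. Replace it with `f"{os.path.relpath(os.path.join(path, filename), app.path)}:{number}: "`, which yields e.g. `conf/app.ini:12:`. The enclosing `bind_public_ip` method starts before this hunk.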