Errors with "/bin/" in summary of the Jira Issue get caught by WAF, failing HTTP request to Snyk API when creating new vulnerabilities #211
Comments
The error seems to come from https://github.com/snyk-tech-services/jira-tickets-for-new-vulns/blob/develop/utils.go#L371 where it seems to expect that error files are created?
was because I ran the binary in a Docker Image, and I think it was missing some permissions to write the ErrorsFile. This is a separate problem, and I will create another issue for this with a suggestion to print out a failure message if the ErrorsFile cannot be read/found in the "writeErrorFile" function here: https://github.com/snyk-tech-services/jira-tickets-for-new-vulns/blob/develop/utils.go#L371
I actually don't know if this Path Traversal attack prevention is happening on Snyk's or JIRA's end. Since it is the summary in the JSON body that it fails on, I guess it is JIRA?
* fix bugs which unnecessarily filter out snyk code issues (#206)
  minor: stop excluding code issues from being considered fixable
  Fix excluding Snyk Code issues when using ifUpgradeAvailableOnly=true or ifAutoFixableOnly=true
  All Snyk Code issues are fixable by rewriting code
* Fixing dueDate to duedate (#216)
* minor: #211/snyk WAF error handling and sanitizing (#214)
  * minor: sanitizing summary to prevent WAF failure
  * minor: add custom errors for 403 http error when encountering WAF failure
* Update utils.go (#210)
  Implement changes: Correct assigneeId data type issue, from Int to String
* minor: #212/print errors in writeErrorFile when not found (#213)
  minor: print error messages for errorsfiles not found
* major: release fixes+improvements with assigneeId breaking change (#219)
---------
Co-authored-by: olegshprengelsnyk <[email protected]>
Co-authored-by: Arya Shajpaul <[email protected]>
Co-authored-by: Christoffer <[email protected]>
Co-authored-by: Kuldeep Thakre <[email protected]>
When this tool encounters a project with a vulnerability whose title in Snyk contains "/bin/", it will fail creating the issue with a nondescript error code, as shown below:
This is misleading, since it is not a JSON error, but rather an HTTP Error code 403 response, since I can reproduce this error in the Snyk Web UI by finding the project in question, obtained from the above log (the last "Step 1/4 - Retrieving project <PROJECT_UUID>" message) and pressing "Create a Jira Issue" for the vulnerability. This will just print out "Failed to create the Jira issue" and log a network request error with the 403 response code as shown below:
POST https://app.snyk.io/org/<MY_ORGANIZATION>/project/<PROJECT_UUID>/issue/SNYK-GOLANG-GITHUBCOMGOGITGOGITV5-6150754/jira/new
With the response content of:
Suggestion:
1:
Handle HTTP errors relating to the Web Application Firewall, which fails with HTTP Error code 403, likely to prevent Path Traversal attacks.
Perhaps continue with the rest of the tasks after this failure and perhaps print out the failed task in the end?
2:
Otherwise, a solution could be to change the summary of the to-be-created Jira Issue, to sanitize and remove illegal character combinations. For example, what worked for this specific issue was to replace the "/bin/" part of the issue summary with something like "bin", like so:
Original:
<APP_ORG_NAME>/deployment.apps/<APP_NAME>:/usr/local/bin/<APP_NAME> - Path Traversal in github.com/go-git/go-git/v5
Sanitized:
<APP_ORG_NAME>/deployment.apps/<APP_NAME>:/usr/local_bin_<APP_NAME> - Path Traversal in github.com/go-git/go-git/v5
I tested this sanitization, and successfully created a Jira Issue with the following cURL:
curl 'https://app.snyk.io/org/<MY_ORGANIZATION>/project/<PROJECT_UUID>/issue/SNYK-GOLANG-GITHUBCOMGOGITGOGITV5-6150754/jira/new' -X POST --data-raw '{"projectId":"x","issueTypeId":"x","assignee":null,"summary":"<APP_ORG_NAME>/deployment.apps/<APP_NAME>:/usr/local_bin_<APP_NAME> - Path Traversal in github.com/go-git/go-git/v5", ...}'
A weird thing: the summary cannot contain "/bin/", but the description can contain "/bin/" just fine. Strange behavior.
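Both suggestions combined, as an added Go example that is not code from the jira-tickets-for-new-vulns project: the "/bin/" to "_bin_" rewrite that worked above, a typed error for the WAF's 403 instead of the generic JSON error, and a loop that retries once with the sanitized summary and reports remaining failures at the end rather than aborting. The post callback and FakeWAF are constructed assumptions standing in for the real Snyk .../jira/new endpoint.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// ErrWAFBlocked marks the HTTP 403 the WAF returns for summaries containing "/bin/".
var ErrWAFBlocked = errors.New("request rejected by WAF (HTTP 403)")

// SanitizeSummary applies the workaround from the issue: "/bin/" becomes "_bin_", so
// "/usr/local/bin/app" turns into "/usr/local_bin_app" and the rest stays untouched.
func SanitizeSummary(summary string) string {
	return strings.ReplaceAll(summary, "/bin/", "_bin_")
}

// ClassifyStatus maps the status of the create-issue POST to a typed error, so a
// WAF 403 is no longer surfaced as a misleading generic JSON error.
func ClassifyStatus(status int, summary string) error {
	if status == http.StatusForbidden {
		return fmt.Errorf("%w: summary %q", ErrWAFBlocked, summary)
	}
	if status < 200 || status >= 300 {
		return fmt.Errorf("unexpected HTTP status %d for summary %q", status, summary)
	}
	return nil
}

// CreateAll keeps going after a WAF failure: it retries once with the sanitized summary
// and returns the summaries that still failed instead of aborting the whole run. post
// does one POST to .../jira/new and returns its status (injected; assumption, see FakeWAF).
func CreateAll(post func(summary string) int, summaries []string) (failed []string) {
	for _, s := range summaries {
		err := ClassifyStatus(post(s), s)
		if clean := SanitizeSummary(s); errors.Is(err, ErrWAFBlocked) {
			err = ClassifyStatus(post(clean), clean)
		}
		if err != nil {
			failed = append(failed, s)
		}
	}
	return failed
}

// FakeWAF is a constructed stand-in (assumption, not the real Snyk API): it answers
// 403 whenever the summary contains "/bin/", reproducing the behaviour reported above.
func FakeWAF(summary string) int {
	if strings.Contains(summary, "/bin/") {
		return http.StatusForbidden
	}
	return http.StatusOK
}
```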