Cherry pick security tickets (#2519)

Author: pPrecel

go.mod

@@ -8,7 +8,6 @@ require (
 	github.com/buildpacks/pack v0.36.4
 	github.com/docker/cli v27.5.1+incompatible
 	github.com/docker/docker v27.5.1+incompatible
-	github.com/gboddin/go-www-authenticate-parser v0.0.0-20230926203616-ec0b649bb077
 	github.com/go-test/deep v1.1.1
 	github.com/google/go-containerregistry v0.20.3
 	github.com/itchyny/gojq v0.12.17

go.sum

@@ -160,8 +160,6 @@ github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nos
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
-github.com/gboddin/go-www-authenticate-parser v0.0.0-20230926203616-ec0b649bb077 h1:JvEO7eltd2aCHF+ABLquTUziO7hzC6G7H3tgENYkDBc=
-github.com/gboddin/go-www-authenticate-parser v0.0.0-20230926203616-ec0b649bb077/go.mod h1:RlYuEjNYq/NkhOCSkZGPKxP3dgZOBH94UwsQraDng8s=
 github.com/gdamore/encoding v1.0.0/go.mod h1:alR0ol34c49FCSBLjhosxzcPHQbf2trDkoo5dl+VrEg=
 github.com/gdamore/encoding v1.0.1 h1:YzKZckdBL6jVt2Gc+5p82qhrGiqMdG/eNs6Wy0u3Uhw=
 github.com/gdamore/encoding v1.0.1/go.mod h1:0Z0cMFinngz9kS1QfMjCP8TY7em3bZYeeklsSDPivEo=

internal/btp/cis/auth.go

@@ -0,0 +1,133 @@
+// Copied from:
+// https://github.com/gboddin/go-www-authenticate-parser/commit/ec0b649bb07701564d8bf002d0262a7bc4c13fe8
+
+package cis
+
+import (
+	"bytes"
+	"encoding/json"
+)
+
+type wwwAuthenticateSettings struct {
+	state        func() error
+	digestBuffer *bytes.Buffer
+	buffer       string
+	currentParam string
+	quoteOpened  bool
+	AuthType     string
+	Params       map[string]string
+}
+
+func ParseAuthSettings(digestBuffer string) wwwAuthenticateSettings {
+	digest := wwwAuthenticateSettings{
+		digestBuffer: bytes.NewBufferString(digestBuffer),
+		buffer:       "",
+		AuthType:     "",
+		Params:       make(map[string]string),
+	}
+	digest.state = digest.ParseType
+	for {
+		if err := digest.state(); err != nil {
+			break
+		}
+	}
+	return digest
+}
+
+func (d *wwwAuthenticateSettings) ParseType() error {
+	currentByte, err := d.digestBuffer.ReadByte()
+	if err != nil {
+		return err
+	}
+	if currentByte != ' ' && currentByte != '\n' {
+		d.buffer += string(currentByte)
+		return nil
+	}
+	d.AuthType = d.buffer
+	d.buffer = ""
+	d.state = d.ParseParamKey
+	return nil
+}
+
+func (d *wwwAuthenticateSettings) ParseParamKey() error {
+	currentByte, err := d.digestBuffer.ReadByte()
+	if err != nil {
+		return err
+	}
+	switch currentByte {
+	case '=':
+		d.currentParam = d.buffer
+		d.buffer = ""
+		d.state = d.ParseParamValue
+		return nil
+	case ' ':
+		if len(d.buffer) > 0 {
+			d.Params[d.buffer] = "true"
+			d.currentParam = ""
+			d.buffer = ""
+			d.state = d.ParseParamKey
+		}
+		return nil
+	case ',':
+		if len(d.buffer) > 0 {
+			d.Params[d.buffer] = "true"
+		}
+		d.currentParam = ""
+		d.buffer = ""
+		d.state = d.ParseParamKey
+		return nil
+	}
+	d.buffer += string(currentByte)
+	return nil
+}
+
+func (d *wwwAuthenticateSettings) ParseParamValue() error {
+	currentByte, err := d.digestBuffer.ReadByte()
+	if err != nil {
+		return err
+	}
+	switch currentByte {
+	case '\\':
+		nextByte, err := d.digestBuffer.ReadByte()
+		if err != nil {
+			return err
+		}
+		var unquoted string
+		err = json.Unmarshal([]byte("\""+string(currentByte)+string(nextByte)+"\""), &unquoted)
+		if err != nil {
+			return err
+		}
+		d.buffer += unquoted
+		return nil
+	case '"':
+		if d.quoteOpened {
+			d.quoteOpened = false
+			d.Params[d.currentParam] = d.buffer
+			d.currentParam = ""
+			d.buffer = ""
+			// Read until the next ','
+			_, err = d.digestBuffer.ReadString(',')
+			if err != nil {
+				return err
+			}
+			d.state = d.ParseParamKey
+			return nil
+		}
+		if !d.quoteOpened {
+			d.quoteOpened = true
+			return nil
+		}
+	case ',':
+		if !d.quoteOpened {
+			d.quoteOpened = false
+			d.Params[d.currentParam] = d.buffer
+			d.currentParam = ""
+			d.buffer = ""
+			d.state = d.ParseParamKey
+			return nil
+		}
+	}
+
+	d.buffer += string(currentByte)
+	return nil
+}

internal/btp/cis/client.go

@@ -7,7 +7,6 @@ import (
 	"io"
 	"net/http"
 
-	wwwAuthParser "github.com/gboddin/go-www-authenticate-parser"
 	"github.com/kyma-project/cli.v3/internal/btp/auth"
 )
 
@@ -127,6 +126,6 @@ func (c *httpClient) buildErrorFromHeaders(response *http.Response) error {
 		return fmt.Errorf("failed to parse http error for status: %s", response.Status)
 	}
 
-	wwwAuthHeader := wwwAuthParser.Parse(wwwAuthHeaderString)
+	wwwAuthHeader := ParseAuthSettings(wwwAuthHeaderString)
 	return fmt.Errorf("%s: %s", wwwAuthHeader.Params["error"], wwwAuthHeader.Params["error_description"])
 }

internal/cmd/alpha/function/init.go

@@ -1,6 +1,7 @@
 package function
 
 import (
+	"bufio"
 	"fmt"
 	"io"
 	"os"
@@ -56,7 +57,7 @@ func NewInitCmd(kymaConfig *cmdcommon.KymaConfig, cmdConfig interface{}) (*cobra
 			clierror.Check(cfg.validate())
 		},
 		Run: func(cmd *cobra.Command, _ []string) {
-			clierror.Check(runInit(cfg, cmd.OutOrStdout()))
+			clierror.Check(runInit(cfg, cmd.InOrStdin(), cmd.OutOrStdout()))
 		},
 	}
 
@@ -87,6 +88,16 @@ func parseExtensionConfig(cmdConfig interface{}) (*extensionConfig, error) {
 		return nil, errors.New("unexpected extension error, empty config data")
 	}
 
+	for runtimeName, runtimeCfg := range extCfg.Runtimes {
+		if !filepath.IsLocal(runtimeCfg.DepsFilename) {
+			return nil, errors.New(fmt.Sprintf("deps filename %s for runtime %s is not a single file name", runtimeCfg.DepsFilename, runtimeName))
+		}
+
+		if !filepath.IsLocal(runtimeCfg.HandlerFilename) {
+			return nil, errors.New(fmt.Sprintf("handler filename %s for runtime %s is not a single file name", runtimeCfg.HandlerFilename, runtimeName))
+		}
+	}
+
 	return &extCfg, nil
 }
 
@@ -101,9 +112,17 @@ func (c *initConfig) validate() clierror.Error {
 	return nil
 }
 
-func runInit(cfg *initConfig, out io.Writer) clierror.Error {
+func runInit(cfg *initConfig, in io.Reader, out io.Writer) clierror.Error {
 	runtimeCfg := cfg.extensionConfig.Runtimes[cfg.runtime]
 
+	if !filepath.IsLocal(cfg.dir) {
+		// output dir is not a local path, ask user for confirmation
+		clierr := getUserAcceptance(in, out, cfg.dir)
+		if clierr != nil {
+			return clierr
+		}
+	}
+
 	handlerPath := path.Join(cfg.dir, runtimeCfg.HandlerFilename)
 	err := os.WriteFile(handlerPath, []byte(runtimeCfg.HandlerData), os.ModePerm)
 	if err != nil {
@@ -139,3 +158,26 @@ func sortedRuntimesString(m map[string]runtimeConfig) string {
 	sort.Strings(sort.StringSlice(keys))
 	return strings.Join(keys, ", ")
 }
+
+func getUserAcceptance(in io.Reader, out io.Writer, path string) clierror.Error {
+	fmt.Fprintf(out, "The output path ( %s ) seems to be outside of the current working directory.\n", path)
+	fmt.Fprint(out, "Do you want to proceed? (y/n): ")
+
+	input, err := bufio.NewReader(in).ReadString('\n') // wait for user to press enter
+	fmt.Fprintln(out)
+
+	if err != nil {
+		return clierror.Wrap(err, clierror.New("failed to read user input"))
+	}
+
+	lowerInput := strings.ToLower(input)
+	if lowerInput == "y\n" || lowerInput == "yes\n" {
+		// user accepted, continue
+		return nil
+	}
+
+	return clierror.New(
+		"function init aborted",
+		"you must provide a local path for the output directory or accept the default one by typing 'y' and pressing enter",
+	)
+}

internal/cmd/alpha/registry/config/config.go

@@ -54,7 +54,7 @@ func runConfig(cfg *cfgConfig) clierror.Error {
 	}
 
 	if cfg.externalurl && cfg.output != "" {
-		writeErr := os.WriteFile(cfg.output, []byte(registryConfig.SecretData.PushRegAddr), os.ModePerm)
+		writeErr := os.WriteFile(cfg.output, []byte(registryConfig.SecretData.PushRegAddr), 0600)
 		if writeErr != nil {
 			return clierror.New("failed to write docker config to file")
 		}
@@ -64,7 +64,7 @@ func runConfig(cfg *cfgConfig) clierror.Error {
 	if cfg.output == "" {
 		fmt.Print(registryConfig.SecretData.DockerConfigJSON)
 	} else {
-		writeErr := os.WriteFile(cfg.output, []byte(registryConfig.SecretData.DockerConfigJSON), os.ModePerm)
+		writeErr := os.WriteFile(cfg.output, []byte(registryConfig.SecretData.DockerConfigJSON), 0600)
 		if writeErr != nil {
 			return clierror.New("failed to write docker config to file")
 		}