vmcj · vmcj · Nov 15, 2021 · Nov 16, 2021 · Nov 4, 2021 · Nov 16, 2021
diff --git a/.github/workflows/crunch42-analysis.yml b/.github/workflows/crunch42-analysis.yml
@@ -0,0 +1,42 @@
+name: "42Crunch REST API Static Security Testing"
+
+# follow standard Code Scanning triggers
+on:
+  push:
+    branches: [ main ]
+  pull_request_target:
+    # The branches below must be a subset of the branches above
+    branches: [ main ]
+  schedule:
+    - cron: '19 4 * * 3'
+
+jobs:
+  rest-api-static-security-testing:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Install DOMjudge
+        run: .github/workflowscripts/baseinstall.sh
+
+      - name: Dump the OpenAPI
+        run: .github/workflowscripts/getapi.sh
+
+      - name: Find all other JSON files and delete those
+        run: |
+          rm -rf ./installdir/domserver/lib/vendor ./lib/vendor
+          rm -f ./doc/manual/sphinx-team.json ./doc/manual/sphinx-team.json
+          find ./ -name "*.json"
+
+      - name: 42Crunch REST API Static Security Testing
+        uses: 42Crunch/api-security-audit-action@v1
+        with:
+          # Follow these steps to configure API_SECRET https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
+          api-token: ${{ secrets.API_SECRET }}
+          min-score: 9
+          # Upload results to Github code scanning
+          upload-to-code-scanning: true
+          # Github token for uploading the results
+          github-token: ${{ github.token }}
+          ignore-failures: false
+
diff --git a/.github/workflows/mayhem-api.yml b/.github/workflows/mayhem-api.yml
@@ -1,6 +1,10 @@
 name: "Mayhem API analysis"
 
 on:
+  push:
+    branches: [ main ]
+  pull_request_target:
+    branches: [ main ]
   schedule:
     - cron: '5 21 * * *'
 

diff --git a/lib/lib.error.c b/lib/lib.error.c
@@ -23,6 +23,8 @@
 #include <unistd.h>
 #include <time.h>
 #include <sys/time.h>
+#include <stdio.h>
+#include <ctype.h>
 
 /* Define va_copy macro if not available (ANSI C99 only).
  * memcpy() is fallback suggested by the autoconf manual, but doesn't
@@ -63,8 +65,9 @@ char *printf_escape(const char *str)
 
 	for(str_pos=0; str_pos<strlen(str); str_pos++) {
 		c = str[str_pos];
-		escaped[esc_pos++] = c;
-		if ( c=='%' ) escaped[esc_pos++] = c;
+        if(isalnum(c)){
+		    escaped[esc_pos++] = c;
+        }
 	}
 	escaped[esc_pos] = 0;
 

diff --git a/webapp/config/packages/nelmio_api_doc.yaml b/webapp/config/packages/nelmio_api_doc.yaml
@@ -9,7 +9,7 @@ nelmio_api_doc:
         components:
             securitySchemes:
                 basicAuth:
-                    type: http
+                    type: https
                     scheme: basic
             parameters:
                 cid:
@@ -19,6 +19,8 @@ nelmio_api_doc:
                     required: true
                     schema:
                         type: string
+                        pattern: "^[A-Za-z0-9]{1,255}$"
+                        maxLength: 255
                     examples:
                         int0:
                             value: "2"
@@ -36,6 +38,8 @@ nelmio_api_doc:
                     required: true
                     schema:
                         type: integer
+                        minimum: 1
+                        maximum: 9999
                     examples:
                         balloon:
                             value: 1
@@ -46,7 +50,10 @@ nelmio_api_doc:
                     description: The ID of the entity to get
                     required: true
                     schema:
+                        $ref: "#/components/schemas/Id"
                         type: string
+                        pattern: "^[A-Za-z0-9]{1,255}$"
+                        maxLength: 255
                     examples:
                         generic:
                             value: "1"
@@ -68,8 +75,7 @@ nelmio_api_doc:
                     schema:
                         type: array
                         items:
-                            type: string
-                            description: A single ID
+                            $ref: "#/components/schemas/Id"
                 strict:
                     name: strict
                     in: query
@@ -97,6 +103,10 @@ nelmio_api_doc:
                             schema:
                                 type: string
             schemas:
+                Id:
+                    type: string
+                    pattern: "^[A-Za-z0-9]{1,255}$"
+                    maxLength: 255
                 ImageList:
                     type: array
                     items:

diff --git a/webapp/src/Controller/API/AbstractRestController.php b/webapp/src/Controller/API/AbstractRestController.php
@@ -25,6 +25,7 @@
 
 /**
  * Class AbstractRestController
+ * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
  * @package App\Controller\API
  */
 abstract class AbstractRestController extends AbstractFOSRestController

diff --git a/webapp/src/Controller/API/ContestController.php b/webapp/src/Controller/API/ContestController.php
@@ -332,10 +332,6 @@ public function setBannerAction(Request $request, string $id, ValidatorInterface
      *     description="Contest start time changed successfully",
      * )
      * @OA\Response(
-     *     response="400",
-     *     description="Invalid input data"
-     * )
-     * @OA\Response(
      *     response="403",
      *     description="Changing start time not allowed"
      * )

diff --git a/webapp/src/Controller/API/GeneralInfoController.php b/webapp/src/Controller/API/GeneralInfoController.php
@@ -29,6 +29,7 @@
 
 /**
  * @OA\Tag(name="General")
+ * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
  */
 class GeneralInfoController extends AbstractFOSRestController
 {

diff --git a/webapp/src/Controller/API/JudgehostController.php b/webapp/src/Controller/API/JudgehostController.php
@@ -1323,6 +1323,44 @@ private function getTestcaseFiles(string $id): array
     /**
      * Fetch work tasks.
      * @Rest\Post("/fetch-work")
+     * @OA\RequestBody(
+     *   description="The hostname of the judgedaemon requesting.",
+     *   @OA\JsonContent(
+     *      required={"hostname"},
+     *      @OA\Property(
+     *          property="hostname",
+     *          type="string",
+     *          format="string",
+     *          description="Hostname of judgedaemon"
+     *      ),
+     *      @OA\Property(
+     *          property="max-batchsize",
+     *          type="integer",
+     *          format="integer",
+     *          description="Maximum size judge requests to handle"
+     *      ),
+     *      @OA\Schema(
+     *          @OA\Property(
+     *              property="hostname",
+     *              type="string",
+     *              format="string",
+     *              description="Hostname of judgedaemon"
+     *          ),
+     *          @OA\Property(
+     *              property="max-batchsize",
+     *              type="integer",
+     *              format="integer",
+     *              description="Maximum size judge requests to handle"
+     *          ),
+     *     ),
+     *     @OA\Examples(example="example-data", value={"hostname": "example-judgehost1"}, summary="Fetch work with example judgedaemon."),
+     *   )
+     * )
+     * @OA\Response(
+     *     response="200",
+     *     description="List of judgeTasks.",
+     *     @OA\Schema(ref="#/definitions/JudgeTaskList")
+     * )
      * @Security("is_granted('ROLE_JUDGEHOST')")
      */
     public function getJudgeTasksAction(Request $request): array

diff --git a/webapp/src/FosRestBundle/.FlattenExceptionHandler.php.swp b/webapp/src/FosRestBundle/.FlattenExceptionHandler.php.swp
-Original file line number
+Diff line change
@@ Expand Up / @@ -29,6 +29,7 @@ @@
     /**
      * @OA\Tag(name="General")
+     * @OA\Response(response="400", ref="#/components/responses/InvalidResponse")
      */
     class GeneralInfoController extends AbstractFOSRestController
     {
@@ Expand Down @@