Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tool includes reportlab dependency which is flagged by Safety #1459

Closed
stealthrabbi opened this issue Dec 13, 2021 · 15 comments · Fixed by #1626
Closed

tool includes reportlab dependency which is flagged by Safety #1459

stealthrabbi opened this issue Dec 13, 2021 · 15 comments · Fixed by #1626
Labels
security public security-related issues.
Milestone
3.1

Comments

@stealthrabbi
Copy link

https://snyk.io/vuln/pip:reportlab

I'm currently using safety. I tried adding cve-bin-tool as a dev dependency. When I then ran safety again on my environment, it reports that reportLab is a vulnerability.

https://pypi.org/project/safety/

+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
| checked 134 packages, using free DB (updated once a month)                   |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| reportlab                  | 3.6.3     | >=0                      | 39642    |
+==============================================================================+
| All versions of package reportlab are vulnerable to Server-side Request      |
| Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes &   |
| trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan  |
| Bamal: 1. Download and install the latest package of reportlab 2. Go to      |
| demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to   |
| be converted to pdf inject <img src="http://127.0.0.1:5000" valign="top"/>   |
| 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will   |
| get a hit on your nc showing we have successfully proceded to send a server  |
| side request 7. dodyssey.py will show error since there is no img file on    |
| the url, but we are able to do SSRF                                          |
+==============================================================================+
@terriko
Copy link
Contributor

terriko commented Dec 14, 2021

Yes, there was an issue with reportlab. You should make sure you have upgraded to the latest version of reportlab, which has a partial fix. We implemented the recommended mitigations including validation of the data sent to reportlab and should not be affected, but it you feel that's not true please do feel free to recommend additional security measures.

@terriko terriko closed this as completed Dec 14, 2021
@terriko
Copy link
Contributor

terriko commented Dec 14, 2021

Whoops, didn't mean to close that right away in case you want to add additional comments, but I'll probably close it in a week or so if you don't.

@terriko terriko reopened this Dec 14, 2021
@terriko terriko added the security public security-related issues. label Dec 14, 2021
@stealthrabbi
Copy link
Author

stealthrabbi commented Dec 15, 2021
edited
Loading

Well, I have the latest from reportlab as it would have been installed as a dependency of this tool. I just find it in general very suspicious that a tool for finding CVEs itself is using a dependency that has an open CVE with no resolution. I was not previously using reportLab and didn't have it installed.

Furthermore, how is it that cve-bin-tool is not flagging reportLab itself, as it is included in the CVE databases.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28463

@terriko
Copy link
Contributor

terriko commented Dec 16, 2021

When I do a check it's reporting correctly:

$ cve-bin-tool -i test.csv
[16:43:09] INFO     cve_bin_tool.CVEDB - Using cached CVE data (<24h old). Use -u now to update             cvedb.py:343
                    immediately.
           INFO     cve_bin_tool.CVEDB - There are 175428 CVE entries in the database                       cvedb.py:373
[16:43:10] INFO     cve_bin_tool.CVEScanner - 1 CVE(s) in reportlab.reportlab v3.6.3                  cve_scanner.py:232
           INFO     cve_bin_tool -                                                                            cli.py:510
           INFO     cve_bin_tool - Overall CVE summary:                                                       cli.py:511
           INFO     cve_bin_tool - There are 1 products with known CVEs detected                              cli.py:513
           INFO     cve_bin_tool - Known CVEs in ('reportlab', '3.6.3'):                                      cli.py:527
╔══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╗
║                                             CVE BINARY TOOL version: 3.0                                             ║
╚══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╝

 • Report Generated: 2021-12-15  16:43:10
 • Time of last update of CVE Data: 2021-12-15  16:36:29
╭─────────────╮
│ CVE SUMMARY │
╰─────────────╯
┏━━━━━━━━━━┳━━━━━━━┓
┃ Severity ┃ Count ┃
┡━━━━━━━━━━╇━━━━━━━┩
│ CRITICAL │ 0     │
│ HIGH     │ 0     │
│ MEDIUM   │ 1     │
│ LOW      │ 0     │
└──────────┴───────┘
╭───────────────────╮
│  Unexplored CVEs  │
╰───────────────────╯
┏━━━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┓
┃ Vendor    ┃ Product   ┃ Version ┃ CVE Number     ┃ Severity ┃ Score (CVSS Version) ┃
┡━━━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━┩
│ reportlab │ reportlab │ 3.6.3   │ CVE-2020-28463 │ MEDIUM   │ 6.5 (v3)             │
└───────────┴───────────┴─────────┴────────────────┴──────────┴──────────────────────┘

I don't know how familiar you are with this particular CVE, but it's basically "it is possible to create a pdf that loads external resources" and the response has been "yes, that's a feature, you can disable it in this way" -- there's no fix beyond validation of the input you send to reportlab. I'm honestly a bit surprised it hasn't been actively disputed by the reportlab team.

If you don't want to use reportlab or pdf reports, you can uninstall it and still use cve-bin-tool. Some of the tests will fail and obviously pdf export won't work, but it should otherwise function without it.

I believe I have an open bug about improving the test and runtime experience if reportlab isn't installed; I'll see if I can find that and prioritize it for the 3.1 release, and if people are uncomfortable with this CVE we could make reportlab an optional dependency going forwards.

@terriko terriko added this to the 3.1 milestone Dec 16, 2021
@terriko terriko mentioned this issue Dec 16, 2021
Closed
anthonyharrison added a commit to anthonyharrison/cve-bin-tool that referenced this issue Dec 28, 2021
@anthonyharrison
bug: Update pdf configuration parameters (intel#1459)
a5d679b
terriko pushed a commit that referenced this issue Dec 28, 2021
@anthonyharrison
fix: Update pdf configuration parameters (#1459) (#1484)
e36bc96 
* related: #1459
@terriko
Copy link
Contributor

terriko commented Mar 23, 2022

Update: I believe we've verified that everything can run without report lab (although the pdf tests do of course fail). I think we'd still like to have the default version of cve-bin-tool not install reportlab, and have it installed only if the user specifically says they need pdf support or installs it manually themselves.

@terriko
Copy link
Contributor

terriko commented Mar 23, 2022

This PEP may be relevant:
https://peps.python.org/pep-0685/

And this:
https://packaging.python.org/en/latest/specifications/core-metadata/#provides-extra-multiple-use

@anthonyharrison
Copy link
Contributor

anthonyharrison commented Mar 23, 2022
edited
Loading

I think I added code to detect if reportlab was installed and if it wasn't then prevent pdf from being a valid output option. To make this the default install (i.e. reportlab is not installed) does this just need a change to the requirements.txt?

@XDRAGON2002
Copy link
Contributor

I think I added code to detect if reportlab was installed and if it wasn't then prevent pdf from being a valid output option. To make this the default install (i.e. reportlab is not installed) does this just need a change to the requirements.txt?

I also had a similar query as well, are we looking at simply removing reportlab from our requirements list making the user install it on their own for use? Or having it as an extra package [pdf]? As both would remove the default install of reportlab, difference being how the user actually gets the reportlab dependency if need be.

@terriko
Copy link
Contributor

terriko commented Mar 30, 2022

I sort of envision both:

  1. If the user installs the default version of cve-bin-tool, reportlab would not be installed. cve-bin-tool can print some messages saying you need reportlab if you want to enable pdfs after the fact.

  2. I'd like to provide a cve-bin-tool[pdf] option so people can install it and get reportlab included without having to do an explicit install themselves.

Either way, the cve-bin-tool code used should be the same, it's just whether reportlab is installed by pip or not. I don't know how to do this, but it seems possible?

@anthonyharrison
Copy link
Contributor

anthonyharrison commented Mar 30, 2022 via email

@terriko
Copy link
Contributor

terriko commented Mar 30, 2022

Yeah, that'll work. I'll open a PR with that in a few minutes, but then I'm going to do a bit of research and see if I can make it so that pip install cve-bin-tool[pdf] is basically syntactic sugar to have pip also install optional-requirements.txt.

@XDRAGON2002
Copy link
Contributor

Yeah, that'll work. I'll open a PR with that in a few minutes, but then I'm going to do a bit of research and see if I can make it so that pip install cve-bin-tool[pdf] is basically syntactic sugar to have pip also install optional-requirements.txt.

Having [pdf] should be pretty straight forward, you just need to define a different set of dependencies in setup.py and it should work as expected.

@terriko terriko mentioned this issue Mar 30, 2022
Merged
@terriko
Copy link
Contributor

terriko commented Mar 30, 2022
edited
Loading

Okay, PR with some explanatory text and the requirements changes open. If anyone's got time to review my wording, a quick "this sounds ok" or a "maybe we could say..." review would be very much appreciated. #1626

Still digging on making cve-bin-tool[pdf] working

@terriko
Copy link
Contributor

terriko commented Mar 30, 2022

hah, amusingly the actual example in the docs is pdf support using reportlab:
https://setuptools.pypa.io/en/latest/userguide/dependency_management.html?highlight=extras_require#optional-dependencies

@terriko
Copy link
Contributor

terriko commented Mar 30, 2022
edited
Loading

Okay, #1626 is ready for full review.

The diff in output_engine/__init__.py looks terrible because of the way git is parsing it, but what I've done is made it so that if the reportlab module doesn't load, it turns the output_pdf() function into a stub that prints a warning message about reportlab not being installed (this never actually gets called in practice, but I needed to put something there to make __init__.py load correctly). Because I had to change the indentation of the (rather large) output_pdf() function, it makes it look like I changed every line of that code, but I literally just selected the whole function and hit tab to push it up a level, I promise!

Note that I also reved the version number in here; that was to facilitate some testing against testpypi for package building.

terriko added a commit that referenced this issue Mar 31, 2022
@terriko
fix: Remove reportlab from default install (#1626)
af159c8 
* fixes #1459

* fix: Remove reportlab from default install

* docs: Provide info on how to install cve-bin-tool[PDF]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security public security-related issues.
Projects
None yet
Milestone
3.1
Development

Successfully merging a pull request may close this issue.

fix: Remove reportlab from default install terriko/cve-bin-tool
4 participants
@stealthrabbi @terriko @anthonyharrison @XDRAGON2002