
Fix WS-2018-0594 potential non-random UUIDs security issue #78

Merged
merged 2 commits on Apr 9, 2021

Conversation

xumia
Copy link
Contributor

@xumia xumia commented Mar 29, 2021

A vulnerability was found in github.com/satori/go.uuid through version v1.2.0. The UUID random generator uses the Read() function, which can return fewer bytes than asked for and might cause potentially non-random UUIDs.

See advisory for vulnerability details
From CERT: satori/go.uuid@75cca53

More detailed alert info can be found at https://msazure.visualstudio.com/One/_componentGovernance/Networking-acs-buildimage/alert/4546641?typeId=5886163

Fix multiple-value uuid.NewV4() in single-value context issue.
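The two points above (a Read() whose byte count is never checked, and the NewV4() signature growing a second return value) are easiest to see side by side. The following is an added example written for this page; it is not code from sonic-restapi or from satori/go.uuid. The type UUID, the reader shortReader, the functions newV4Unchecked, newV4Checked, zeroBytes and demo, and the 16-byte seed are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// UUID is a 16-byte RFC 4122 identifier (a stand-in for the library type).
type UUID [16]byte

// String renders the canonical 8-4-4-4-12 hex form.
func (u UUID) String() string {
	return fmt.Sprintf("%x-%x-%x-%x-%x", u[0:4], u[4:6], u[6:8], u[8:10], u[10:16])
}

// setV4Bits stamps the version (4) and RFC 4122 variant bits.
func setV4Bits(u *UUID) {
	u[6] = (u[6] & 0x0f) | 0x40
	u[8] = (u[8] & 0x3f) | 0x80
}

// shortReader is a constructed random source that hands out at most max bytes
// per Read call and reports no error; it models a Read() that returns fewer
// bytes than asked for.
type shortReader struct {
	src io.Reader
	max int
}

func (s shortReader) Read(p []byte) (int, error) {
	if len(p) > s.max {
		p = p[:s.max]
	}
	return s.src.Read(p)
}

// newV4Unchecked is the vulnerable pattern: one Read call whose byte count and
// error are discarded. Whatever the reader did not fill stays zero, so the
// UUID is mostly predictable while still looking like a valid v4.
func newV4Unchecked(r io.Reader) UUID {
	var u UUID
	_, _ = r.Read(u[:])
	setV4Bits(&u)
	return u
}

// newV4Checked is the hardened form: io.ReadFull keeps reading until all 16
// bytes are present and turns a truncated source into an error the caller
// must handle. The (UUID, error) shape is the two-value API the PR adapts to.
func newV4Checked(r io.Reader) (UUID, error) {
	var u UUID
	if _, err := io.ReadFull(r, u[:]); err != nil {
		return UUID{}, fmt.Errorf("uuid: could not read 16 random bytes: %w", err)
	}
	setV4Bits(&u)
	return u, nil
}

// zeroBytes counts zero-valued bytes outside the version/variant positions,
// a crude detector for UUIDs produced from a short read.
func zeroBytes(u UUID) int {
	n := 0
	for i, b := range u {
		if i == 6 || i == 8 {
			continue
		}
		if b == 0 {
			n++
		}
	}
	return n
}

// demo runs both generators against a source that yields 4 bytes per call,
// then runs the checked generator against a source that stops after 4 bytes.
// It returns the unchecked UUID, the checked UUID and the truncation error.
func demo(seed []byte) (UUID, UUID, error) {
	weak := newV4Unchecked(shortReader{src: bytes.NewReader(seed), max: 4})
	good, err := newV4Checked(shortReader{src: bytes.NewReader(seed), max: 4})
	if err != nil {
		return weak, good, err
	}
	_, truncErr := newV4Checked(io.LimitReader(bytes.NewReader(seed), 4))
	return weak, good, truncErr
}

func main() {
	seed := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, seed); err != nil {
		panic(err)
	}
	weak, good, truncErr := demo(seed)
	fmt.Printf("unchecked: %s  (%d zero bytes)\n", weak, zeroBytes(weak))
	fmt.Printf("checked:   %s  (%d zero bytes)\n", good, zeroBytes(good))
	fmt.Printf("truncated source: %v (unexpected EOF: %t)\n",
		truncErr, errors.Is(truncErr, io.ErrUnexpectedEOF))
}
```

With a source that returns only 4 bytes per call, the unchecked generator emits a UUID with 12 of 16 bytes fixed (the version and variant bits are then set on zeros), which is why the output still parses as a valid v4 and the weakness goes unnoticed. io.ReadFull loops until the buffer is full, and when the source really runs dry it reports io.ErrUnexpectedEOF instead of handing back a weak identifier; the caller then has to deal with the second return value, which is the "multiple-value in single-value context" compile error the PR fixes.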

@qiluo-msft
Copy link

lgtm. @sumukhatv, could you help review?

@sumukhatv
Copy link
Collaborator

@xumia Did test/apitest.py pass with this change?

@xumia
Copy link
Contributor Author

xumia commented Apr 1, 2021

Test results:
test_vnet_name_mapping_logic (main.ra_client_positive_tests) ... ok


Ran 32 tests in 35.470s

OK

test_vrouter_not_created_all_verbs (main.ra_client_negative_tests) ... ok


Ran 23 tests in 24.653s

OK

@xumia
Copy link
Contributor Author

xumia commented Apr 1, 2021

@sumukhatv , thanks for your comment, there is an API change, fixed.

@xumia
Copy link
Contributor Author

xumia commented Apr 1, 2021

@sumukhatv , the test is based on the change: #81

@sumukhatv
Copy link
Collaborator

@sumukhatv , the test is based on the change: #81

Does it mean that we need to merge #81 for the tests to pass for this PR?

@xumia
Copy link
Contributor Author

xumia commented Apr 3, 2021

@sumukhatv , this PR does not have any dependencies on PR #81; this PR is a general fix. The test steps in the readme do not work; that should be a separate issue.

@sumukhatv
Copy link
Collaborator

@prsunny for visibility

@sumukhatv
Copy link
Collaborator

All the tests are passing. Good to merge:

~/sonic-restapi/test$ python apitest.py
test_config_status_reset_get (main.ra_client_positive_tests) ... ok
test_config_status_reset_post (main.ra_client_positive_tests) ... ok
test_delete_config_tunnel_decap_tunnel_type (main.ra_client_positive_tests) ... ok
test_delete_encap (main.ra_client_positive_tests) ... ok
test_delete_vrouter (main.ra_client_positive_tests) ... ok
test_duplicate_vni (main.ra_client_positive_tests) ... ok
test_get_all_vlans (main.ra_client_positive_tests) ... ok
test_get_encap (main.ra_client_positive_tests) ... ok
test_get_members_per_vlan (main.ra_client_positive_tests) ... ok
test_get_neighbors_per_vlan (main.ra_client_positive_tests) ... ok
test_get_vlans_per_vnetid_1digitvlans (main.ra_client_positive_tests) ... ok
test_get_vlans_per_vnetid_4digitvlans (main.ra_client_positive_tests) ... ok
test_get_vrouter (main.ra_client_positive_tests) ... ok
test_guid_persistence (main.ra_client_positive_tests) ... ok
test_local_subnet_route_addition (main.ra_client_positive_tests) ... ok
test_patch_routes_drop_bm_routes_local (main.ra_client_positive_tests) ... ok
test_patch_routes_drop_bm_routes_tunnel (main.ra_client_positive_tests) ... ok
test_patch_update_routes_with_optional_args (main.ra_client_positive_tests) ... ok
test_post_config_tunnel_decap_tunnel_type (main.ra_client_positive_tests) ... ok
test_post_encap (main.ra_client_positive_tests) ... ok
test_post_ping (main.ra_client_positive_tests) ... ok
test_post_vrouter (main.ra_client_positive_tests) ... ok
test_routes_all_verbs (main.ra_client_positive_tests) ... ok
test_vlan_all_args_all_verbs (main.ra_client_positive_tests) ... ok
test_vlan_member_notagging_all_verbs (main.ra_client_positive_tests) ... ok
test_vlan_member_tagged_untagged_interop (main.ra_client_positive_tests) ... ok
test_vlan_member_tagging_all_verbs (main.ra_client_positive_tests) ... ok
test_vlan_neighbor_all_verbs (main.ra_client_positive_tests) ... ok
test_vlan_with_ippref_all_verbs (main.ra_client_positive_tests) ... ok
test_vlan_with_vnetid_all_verbs (main.ra_client_positive_tests) ... ok
test_vlan_wo_ippref_vnetid_all_verbs (main.ra_client_positive_tests) ... ok
test_vnet_name_mapping_logic (main.ra_client_positive_tests) ... ok


Ran 32 tests in 35.560s

OK
test_delete_config_tunnel_decap_tunnel_type_not_vxlan (main.ra_client_negative_tests) ... ok
test_delete_vlan_member_not_created (main.ra_client_negative_tests) ... ok
test_delete_vlan_neighbor_not_created (main.ra_client_negative_tests) ... ok
test_delete_vlan_with_dependencies (main.ra_client_negative_tests) ... ok
test_delete_vrouter_with_dependencies (main.ra_client_negative_tests) ... ok
test_get_config_tunnel_decap_tunnel_not_created (main.ra_client_negative_tests) ... ok
test_get_vlan_member_not_created (main.ra_client_negative_tests) ... ok
test_get_vlan_neighbor_not_created (main.ra_client_negative_tests) ... ok
test_get_vlans_per_vnetid_invalid_vlan (main.ra_client_negative_tests) ... ok
test_get_vlans_per_vnetid_invalid_vnet (main.ra_client_negative_tests) ... ok
test_patch_delete_routes_not_created (main.ra_client_negative_tests) ... ok
test_post_ping_invalid (main.ra_client_negative_tests) ... ok
test_post_vlan_mem_which_exists_tagged (main.ra_client_negative_tests) ... ok
test_post_vlan_mem_which_exists_untagged (main.ra_client_negative_tests) ... ok
test_post_vlan_neighbor_which_exists (main.ra_client_negative_tests) ... ok
test_post_vlan_which_exists (main.ra_client_negative_tests) ... ok
test_post_vrouter_malformed_arg (main.ra_client_negative_tests) ... ok
test_post_vrouter_which_exists (main.ra_client_negative_tests) ... ok
test_post_vrouter_without_vtep (main.ra_client_negative_tests) ... ok
test_vlan_neighbor_not_valid_ip (main.ra_client_negative_tests) ... ok
test_vlan_not_created_all_verbs (main.ra_client_negative_tests) ... ok
test_vlan_out_of_range (main.ra_client_negative_tests) ... ok
test_vrouter_not_created_all_verbs (main.ra_client_negative_tests) ... ok


Ran 23 tests in 24.663s

OK

@qiluo-msft qiluo-msft merged commit 8d4fd4a into sonic-net:master Apr 9, 2021