From 3ead1da0169177cb1258aab8c1fdacb3baebe13d Mon Sep 17 00:00:00 2001
From: Ryan Rathsam
Date: Tue, 6 Aug 2024 13:43:55 -0400
Subject: [PATCH] Providing patch for CVE-2019-10913

This patch sets up the patch pipeline in `build.json` and updates a few files that will cause issues during the CI / QA tests / build process. These changes originated in https://github.com/ubccr/xdmod/pull/1891 ( which will be merged in 11.5 ).
---
 open_xdmod/modules/xdmod/assets/setup.sh | 6 +--
 ...mfony_http-foundation_CVE-2019-10913.patch | 44 +++++++++++++++++++
 open_xdmod/modules/xdmod/build.json | 3 ++
 tests/ci/scripts/qa-test-setup.sh | 6 +++
 4 files changed, 55 insertions(+), 4 deletions(-)
 create mode 100644 open_xdmod/modules/xdmod/assets/symfony_http-foundation_CVE-2019-10913.patch

diff --git a/open_xdmod/modules/xdmod/assets/setup.sh b/open_xdmod/modules/xdmod/assets/setup.sh
index ab2d2de6d1..dd7c28816a 100755
--- a/open_xdmod/modules/xdmod/assets/setup.sh
+++ b/open_xdmod/modules/xdmod/assets/setup.sh
@@ -7,10 +7,8 @@ assets_dir="$(
 module_dir="$assets_dir/.."
 xdmod_dir="$module_dir/../../.."
 
-echo Installing composer managed dependencies
-cd $xdmod_dir
-composer install --no-dev
-
+pushd "$xdmod_dir" || exit
 echo Installing npm managed dependencies
 npm install --production --prefix etl/js
 npm install --production --prefix background_scripts/chrome-helper
+popd || exit
diff --git a/open_xdmod/modules/xdmod/assets/symfony_http-foundation_CVE-2019-10913.patch b/open_xdmod/modules/xdmod/assets/symfony_http-foundation_CVE-2019-10913.patch
new file mode 100644
index 0000000000..1fd928e923
--- /dev/null
+++ b/open_xdmod/modules/xdmod/assets/symfony_http-foundation_CVE-2019-10913.patch
@@ -0,0 +1,44 @@
+1275,1284c1275,1276
+< if (null === $this->method) {
+< $this->method = strtoupper($this->server->get('REQUEST_METHOD', 'GET'));
+< 
+< if ('POST' === $this->method) {
+< if ($method = $this->headers->get('X-HTTP-METHOD-OVERRIDE')) {
+< $this->method = strtoupper($method);
+< } elseif (self::$httpMethodParameterOverride) {
+< $this->method = strtoupper($this->request->get('_method', $this->query->get('_method', 'POST')));
+< }
+< }
+---
+> if (null !== $this->method) {
+> return $this->method;
+1287c1279,1305
+< return $this->method;
+---
+> $this->method = strtoupper($this->server->get('REQUEST_METHOD', 'GET'));
+> 
+> if ('POST' !== $this->method) {
+> return $this->method;
+> }
+> 
+> $method = $this->headers->get('X-HTTP-METHOD-OVERRIDE');
+> 
+> if (!$method && self::$httpMethodParameterOverride) {
+> $method = $this->request->get('_method', $this->query->get('_method', 'POST'));
+> }
+> 
+> if (!\is_string($method)) {
+> return $this->method;
+> }
+> 
+> $method = strtoupper($method);
+> 
+> if (\in_array($method, ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'PATCH', 'PURGE', 'TRACE'], true)) {
+> return $this->method = $method;
+> }
+> 
+> if (!preg_match('/^[A-Z]++$/D', $method)) {
+> throw new \UnexpectedValueException(sprintf('Invalid method override "%s".', $method));
+> }
+> 
+> return $this->method = $method;
diff --git a/open_xdmod/modules/xdmod/build.json b/open_xdmod/modules/xdmod/build.json
index a767d1c7c1..3ad5ee5db1 100644
--- a/open_xdmod/modules/xdmod/build.json
+++ b/open_xdmod/modules/xdmod/build.json
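Review bot: The added patch is in normal diff format (`1275,1284c1275,1276`, `1287c1279,1305`) with no context lines, so it is tied to the exact line numbering of the symfony/http-foundation release pinned in composer.lock; `patch` should reject the hunks once those `<` lines no longer match, but after a lock-file bump that leaves Request::getMethod() unfixed unless the build step checks the exit status. Regenerating it with `diff -u` against the vendored Request.php would give the hunks context so they tolerate small offsets, and a unified patch can carry a leading header naming the release it was produced from (e.g. `Backport of the upstream CVE-2019-10913 fix for symfony/http-foundation <pinned version>`), which this file currently lacks. The replacement logic itself mirrors the upstream fix: the override is honoured only when it is a string, the listed verbs pass through via `\in_array(..., true)`, and any other value must match `/^[A-Z]++$/D` or an UnexpectedValueException is thrown.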
@@ -103,7 +103,10 @@
 },
 "commands": {
 "pre_build": [
+ "rm -rf vendor/",
+ "composer install",
 "sed -i 's/SimpleSAML_Error_Assertion::installHandler();//g' vendor/simplesamlphp/simplesamlphp/www/_include.php",
+ "patch vendor/symfony/http-foundation/Request.php < open_xdmod/modules/xdmod/assets/symfony_http-foundation_CVE-2019-10913.patch.patch",
 "user_manual_builder/setup.sh",
 "user_manual_builder/build_user_manual.sh --builddir user_manual_builder/ --destdir html/user_manual/"
 ]
diff --git a/tests/ci/scripts/qa-test-setup.sh b/tests/ci/scripts/qa-test-setup.sh
index c9538ea86f..7615eaa9ab 100755
--- a/tests/ci/scripts/qa-test-setup.sh
+++ b/tests/ci/scripts/qa-test-setup.sh
@@ -18,12 +18,18 @@ if [[ "$XDMOD_TEST_MODE" == "upgrade" ]]; then
 # Switch to the repo root
 pushd $XDMOD_SOURCE_DIR >/dev/null || exit 1
 
+ # Capture the current value of $COMPOSER so that we can reset it after the install script runs.
+ OLD_COMPOSER="$COMPOSER"
+ 
 # Specify composer.json for xdmod-qa so xdmod dev-dependencies aren't removed.
 export COMPOSER="$HOME/.qa/composer.json"
 
 # Setup the xdmod-qa environment / requirements.
 $HOME/.qa/scripts/install.sh
 
+ # Reset the value of COMPOSER so we don't mess with any other script that runs downstream.
+ export COMPOSER="$OLD_COMPOSER"
+ 
 # Run the xdmod-qa tests.
 $HOME/.qa/scripts/build.sh
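Review bot: The redirect in the new `patch` entry reads `symfony_http-foundation_CVE-2019-10913.patch.patch`, but the file this commit adds is `symfony_http-foundation_CVE-2019-10913.patch` (see the diffstat and its `+++` header), so the shell fails to open the input before `patch` runs and the Request.php fix is never applied; whether that aborts the build or is skipped over depends on how `pre_build` entries are executed, which is not visible here. The entry should be `"patch vendor/symfony/http-foundation/Request.php < open_xdmod/modules/xdmod/assets/symfony_http-foundation_CVE-2019-10913.patch",`. Separately, `"composer install"` drops the `--no-dev` that setup.sh ran with before this commit, so dev-only packages now land in the vendor/ tree this build packages unless a later step prunes them; `"composer install --no-dev",` keeps the previous footprint. Checking the patch step's exit status (or running it with `--dry-run` first) would also make a future composer.lock bump that shifts the patched lines fail loudly instead of shipping an unpatched Request.php.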