Imagine a world where a security researcher becomes aware of a security vulnerability, impacting thousands of Open Source Software (OSS) projects, and is enabled to both identify and fix them all at once. Now imagine a world where a vulnerability is introduced into your production code and a few moments later you receive an automated pull request to fix it. Hundreds of thousands of human hours are invested every year in finding common security vulnerabilities with relatively simple fixes. These vulnerabilities aren't sexy, cool, or new, we've known about them for years, but they're everywhere!
The scale of GitHub and tools like CodeQL (GitHub's code query language) enable one to scan for vulnerabilities across hundreds of thousands of OSS projects, but the challenge is how to scale the triaging, reporting, and fixing. Simply automating the creation of thousands of bug reports by itself isn't useful, and would be even more of a burden on volunteer maintainers of OSS projects. Ideally, the maintainers would be provided with not only information about the vulnerability, but also a fix in the form of an easily actionable pull request.
When facing a problem of this scale, what is the most efficient way to leverage researcher knowledge to fix the most vulnerabilities across OSS? This talk will cover a highly scalable solution - automated bulk pull request generation. We'll discuss the practical applications of this technique on real world OSS projects. We'll also cover technologies like CodeQL and OpenRewrite (a style-preserving refactoring tool created at Netflix and now developed by Moderne). Let's not just talk about vulnerabilities, let's actually fix them at scale.
This work is sponsored by the new Dan Kaminsky Fellowship; a fellowship created to celebrate Dan's memory and legacy by funding open-source work that makes the world a better (and more secure) place.
Andrés Ramírez Gossler, Facundo Schinnea - eCommerce Day Chile 2024
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All by Jonathan Leitschuh
1. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Scaling the Security Researcher
to
Eliminate OSS Vulnerabilities
Once and for All
- Jonathan Leitschuh -
2. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Scaling the Security Researcher
to
Eliminate OSS Vulnerabilities
Once and for All
- Jonathan Leitschuh -
- Patrick Way -
3. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
- Jonathan Leitschuh -
Software Engineer & Security Researcher
Dan Kaminsky Fellowship @ HUMAN Security
GitHub Star & GitHub Security Ambassador
Twitter: @JLLeitschuh
GitHub: JLLeitschuh
🐳
Hello!
4. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
- Patrick Way -
Senior Software Engineer
OpenRewrite Team @ Moderne
Twitter: @WayPatrick
GitHub: pway99
Hello!
5. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Disclaimer
6. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Supported by
The
Dan Kaminsky Fellowship
at
HUMAN Security
7. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Chester Higgins/The New York Times
8. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Spoilers!
9. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
10. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Zip Slip
152 Pull Requests!
11. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
It Started
With a Simple Vulnerability
12. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
HTTP Download of Dependencies in the Java Ecosystem
// build.gradle
maven {
setUrl("http://dl.bintray.com/kotlin/ktor")
}
13. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Why is HTTPS important?
13
14. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
HTTP Download of Dependencies in the Java Ecosystem
<!-- Compiler & Test Dependencies -->
<repositories>
<repository>
<id>example-id</id>
<name>Example insecure repository</name>
<url>http://[SOME URL HERE]</url>
</repository>
</repositories>
15. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
HTTP Download of Dependencies in the Java Ecosystem
<!-- Artifact upload - Credentials!! -->
<distributionManagement>
<repository>
<id>example-id</id>
<name>Example insecure repository</name>
<url>http://[SOME URL HERE]</url>
</repository>
</distributionManagement>
16. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
This Vulnerability was Everywhere!
17. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
18. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Who else was vulnerable?
19. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
“25% of Sonatype Maven
Central downloads are still
using HTTP”
- Sonatype June 2019 -
20. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
How do we fix this?
21. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Decommissioning HTTP Support
On or around January 15th, 2020
● Maven Central (Sonatype)
● JCenter (JFrog)
● Spring (Pivotal)
● Gradle Plugin Portal (Gradle)
22. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
23. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
However!
24. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
“20% of Sonatype Maven
Central Traffic is STILL using
HTTP”
- Sonatype January 2020 -
25. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
You can imagine what happened...
January 15th, 2020
26. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
27. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
We stopped the bleeding
28. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
What about the other repositories?
29. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Only the most commonly used repositories
● Maven Central (Sonatype)
● JCenter (JFrog)
● Spring (Pivotal)
● Gradle Plugin Portal (Gradle)
30. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
How do we fix the rest?
31. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Bulk Pull Request Generation!
32. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
How?
33. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
import java
import semmle.code.xml.MavenPom
private class DeclaredRepository extends PomElement {
DeclaredRepository() {
this.getName() = "repository" or
this.getName() = "snapshotRepository" or
this.getName() = "pluginRepository"
}
string getUrl() { result = getAChild("url").(PomElement).getValue() }
predicate isInsecureRepositoryUsage() {
getUrl().matches("http://%") or
getUrl().matches("ftp://%")
}
}
from DeclaredRepository repository
where repository.isInsecureRepositoryUsage()
select repository,
"Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository " +
repository.getUrl()
CodeQL
34. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
CodeQL scans 100Ks of OSS Projects
35. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
import java
import semmle.code.xml.MavenPom
private class DeclaredRepository extends PomElement {
DeclaredRepository() {
this.getName() = "repository" or
this.getName() = "snapshotRepository" or
this.getName() = "pluginRepository"
}
string getUrl() { result = getAChild("url").(PomElement).getValue() }
predicate isInsecureRepositoryUsage() {
getUrl().matches("http://%") or
getUrl().matches("ftp://%")
}
}
from DeclaredRepository repository
where repository.isInsecureRepositoryUsage()
select repository,
"Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository " +
repository.getUrl()
CodeQL
$2,300 Bounty
36. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Pull Request
Generator
Version 1
● Python Based
● Wrapper over ‘hub’ CLI
● One Nasty Regular
Expression
● Bouncing off GitHub’s
rate limiter
37. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
38. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
39. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
40. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
It worked!
41. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
42. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
43. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
HTTP Download of Dependencies
1,596
Pull Requests
~40%
Merged or Accepted
44. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
$4,000
Thanks to the GitHub Security Lab!
45. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
There’s more still out there
46. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
47. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
48. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
More Pull Request Generation
For this in the Future!
49. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
I got hooked on
Bulk Pull Request Generation
50. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
51. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
I have a Problem
52. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
53. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
I was finding too many security vulnerabilities!
54. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
55. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
I was finding too many security vulnerabilities!
56. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
I was finding too many security vulnerabilities!
I needed automation!
57. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Automated Accurate Transformations
at a
Massive Scale
58. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
OpenRewrite
59. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Abstract Syntax Tree (AST)
60. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Abstract Syntax Tree (AST)
61. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Format Preserving AST
Whitespace and comments are preserved
62. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Tabs
Spaces
Braces on new line
Generated code matches the Surrounding Formatting
63. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
log.info("...");
Is that log4j, slf4j, LogBack?
Accurate Transformations Require
Fully Type-attributed ASTs
64. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
The OpenRewrite AST is both
Syntactically and Semantically aware.
With type attribution and formatting
Syntax alone
65. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Even simple code produces complex AST
66. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Even simple code produces complex AST
67. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
68. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
With the ability to Transform Code
How can we transform source files while
preserving the style?
69. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Open Rewrite
● Automatically Detects the the Code Style
during Parsing
● Provides a Templating Engine to add New
Source Code
● Auto-format applies the detected style
70. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
71. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Transform ASTs using AutoFormat and the JavaTemplate
72. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Easily transform ASTs using AutoFormat and the JavaTemplate
String template =
"if(!#{any(java.nio.file.Path)}.normalize().startsWith(#{any(java.nio.file.Path)})){throw new
RuntimeException("Bad zip entry");}"
73. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Easily transform ASTs using AutoFormat and the JavaTemplate
String template =
"if(!#{any(java.nio.file.Path)}.normalize().startsWith(#{any(java.nio.file.Path)})){throw new
RuntimeException("Bad zip entry");}"
block = maybeAutoFormat(
block, block.withTemplate(JavaTemplate.builder(this::getCursor, template).build(),
resolvePathStatement.getCoordinates().after(),
zipEntryArg, parentDirArg),
ctx);
74. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Easily transform ASTs using AutoFormat and the JavaTemplate
JavaTemplate template = JavaTemplate.builder(this::getCursor,
"if(!#{any(java.nio.file.Path)}.normalize().startsWith(#{any(java.nio.file.Path)})){throw new
RuntimeException("Bad zip entry");}").build();
75. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Easily transform ASTs using AutoFormat and the JavaTemplate
JavaTemplate template = JavaTemplate.builder(this::getCursor,
"if(!#{any(java.nio.file.Path)}.normalize().startsWith(#{any(java.nio.file.Path)})){throw new
RuntimeException("Bad zip entry");}").build();
76. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
77. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
78. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
79. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Data and Control flow are new additions to
rewrite….
80. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
What is possible now?
81. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
What other vulnerabilities can we fix?
82. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Three Vulnerabilities
1. Temporary Directory Hijacking
2. Partial Path Traversal
3. Zip Slip
83. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Vulnerability #1
Temporary Directory Hijacking
84. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Temporary Directory on
Unix-Like Systems is
Shared between All Users
85. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Temporary Directory Hijacking - Vulnerable
File f = File.createTempFile(
"prefix",
"suffix"
);
f.delete();
f.mkdir();
86. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
87. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Temporary Directory Hijacking - Vulnerable
File f = File.createTempFile(
"prefix",
"suffix"
);
f.delete();
f.mkdir();
88. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Temporary Directory Hijacking - Vulnerable
File f = File.createTempFile(
"prefix",
"suffix"
);
f.delete();
// 🏁 Race condition
f.mkdir(); // Returns `false`
89. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Temporary Directory Hijacking - Imperfect Fix
File f = File.createTempFile(
"prefix",
"suffix"
);
f.delete();
if(!f.mkdir())
throw new IOException("Error");
90. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Temporary Directory Hijacking - Fix
// Since Java 1.7
File f =
Files
.createTempDirectory("prefix")
.toFile();
91. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Temporary Directory Hijacking - CVEs
● CVE-2022-27772 - Spring Boot
● CVE-2021-20202 - Keycloak
● CVE-2021-21331 - DataDog API
● CVE-2020-27216 - Eclipse Jetty
● CVE-2020-17521 - Apache Groovy
● CVE-2020-17534 - Apache netbeans-html4j
92. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Temporary Directory Hijacking
Pull Request Statistics
93. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Temporary Directory Hijacking
64 Pull Requests!
94. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Temporary Directory Hijacking - Pull Requests
95. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Temporary Directory Hijacking - Putting it all together
96. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Temporary Directory Hijacking - Putting it all together
97. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Vulnerability #2
Partial Path Traversal
98. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
"/user/sam"
Partial Path Traversal
99. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
"/user/sam"
"/user/samantha"
Partial Path Traversal
100. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Allows an attacker access to a sibling
directory with the same prefix
Partial Path Traversal
101. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Allows an attacker access to a sibling
directory with the same prefix
"/user/sam"
Partial Path Traversal
102. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Allows an attacker access to a sibling
directory with the same prefix
"/user/sam"
"/user/samantha"
Partial Path Traversal
103. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Allows an attacker access to a sibling
directory with the same prefix
"/user/sam"
"/user/samantha"
Partial Path Traversal
104. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Vulnerability
File dir = new File(
parent, userControlled()
);
if (!dir.getCanonicalPath()
.startsWith(parent.getCanonicalPath())) {
throw new IOException(
"Detected path traversal attack!"
);
}
105. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
new File("/user/sam/")
106. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
new File("/user/sam/")
File.getCanonicalPath()
107. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
new File("/user/sam/")
File.getCanonicalPath()
"/user/sam"
108. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
new File("/user/sam/")
File.getCanonicalPath()
"/user/sam"
109. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Vulnerability
File dir = new File(
parent, userControlled()
);
if (!dir.getCanonicalPath()
.startsWith(parent.getCanonicalPath())) {
throw new IOException(
"Detected path traversal attack!"
);
}
110. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Vulnerability
File dir = new File(
"/user/sam/", userControlled()
);
if (!dir.getCanonicalPath()
.startsWith("/user/sam")) {
...
}
111. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Vulnerability
File dir = new File(
"/user/sam/", "../samantha/baz"
);
if (!dir.getCanonicalPath()
.startsWith("/user/sam")) {
...
}
112. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Vulnerability
File dir = new File(
"/user/sam/", "../samantha/baz"
);
if (!"/user/samantha/baz"
.startsWith("/user/sam")) {
...
}
113. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Vulnerability
File dir = new File(
"/user/sam/", "../samantha/baz"
);
if (!"/user/samantha/baz"
.startsWith("/user/sam")) {
throw new IOException(
"Detected path traversal attack!"
);
}
❌
114. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal
Fix!
115. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Vulnerability
File dir = new File(
parent, userControlled()
);
if (!dir.getCanonicalPath()
.startsWith(parent.getCanonicalPath())) {
throw new IOException(
"Detected path traversal attack!"
);
}
116. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Vulnerability
if (!dir.getCanonicalPath()
.startsWith(parent.getCanonicalPath())) {
...
}
117. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Fix #1
if (!dir.getCanonicalPath()
.startsWith(parent.getCanonicalPath() +
File.separatorChar)) {
...
}
118. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Fix #2
if (!dir.getCanonicalFile()
.toPath().startsWith(
parent.getCanonicalFile().toPath())) {
...
}
119. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Fix #2 - Better
if (!dir.getCanonicalFile()
.toPath().startsWith(
parent.getCanonicalFile().toPath())) {
...
} ✅
120. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
How do we find this vulnerability?
121. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Vulnerability
File dir = new File(
parent, userControlled()
);
if (!dir.getCanonicalPath()
.startsWith(parent.getCanonicalPath())) {
throw new IOException(
"Detected path traversal attack!"
);
}
122. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Vulnerability
if (!dir.getCanonicalPath()
.startsWith(parent.getCanonicalPath())) {
...
}
123. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Vulnerability
if (!dir.getCanonicalPath()
.startsWith(parent.getCanonicalPath())) {
...
}
124. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Safe
if (!dir.getCanonicalPath()
.startsWith(parent.getCanonicalPath() +
File.separatorChar)) {
...
}
125. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
It can’t be that easy, can it?
126. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Vulnerability
if (!dir.getCanonicalPath()
.startsWith(parent.getCanonicalPath())) {
...
}
127. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Vulnerability
String dirCanonical = dir.getCanonicalPath();
if (!dirCanonical
.startsWith(parent.getCanonicalPath())) {
...
}
128. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Vulnerability
String dirCanonical = dir.getCanonicalPath();
String pCanonical = parent.getCanonicalPath();
if (!dirCanonical
.startsWith(pCanonical)) {
...
}
129. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Vulnerability
String dirCanonical = dir.getCanonicalPath();
String pCanonical = parent.getCanonicalPath() +
File.separatorChar;
if (!dirCanonical
.startsWith(pCanonical)) {
...
}
130. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
We need Data Flow Analysis
131. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - DataFlow
String dirCanonical = dir.getCanonicalPath();
String pCanonical = parent.getCanonicalPath() +
File.separatorChar;
if (!dirCanonical
.startsWith(pCanonical)) {
...
}
132. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Data Flow
String dirCanonical = dir.getCanonicalPath();
String pCanonical = parent.getCanonicalPath() +
File.separatorChar;
if (!dirCanonical
.startsWith(pCanonical)) {
...
}
133. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Data Flow
String dirCanonical = dir.getCanonicalPath();
String pCanonical = parent.getCanonicalPath() +
File.separatorChar;
if (!dirCanonical
.startsWith(pCanonical)) {
...
}
134. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Data Flow
String dirCanonical = dir.getCanonicalPath();
String pCanonical = parent.getCanonicalPath() +
File.separatorChar;
if (!dirCanonical
.startsWith(pCanonical)) {
...
}
135. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Data Flow
String dirCanonical = dir.getCanonicalPath();
String pCanonical = parent.getCanonicalPath() +
File.separatorChar;
String pCanonical2 = pCanonical;
if (!dirCanonical
.startsWith(pCanonical2)) {
...
}
136. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Data Flow
Uncovers hard to find Vulnerabilities
and prevents
False Positives
137. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Data Flow Analysis
class GetCanonicalPathToStartsWithLocalFlowextends LocalFlowSpec<J.MethodInvocation
, Expression> {
@Override
public boolean isSource(J.MethodInvocation methodInvocation, Cursor cursor) {
return new MethodMatcher(
"java.io.File getCanonicalPath()"
)
.matches(
methodInvocation);
}
@Override
public boolean isSink(Expression expression, Cursor cursor) {
return InvocationMatcher
.
fromMethodMatcher(
new MethodMatcher(
"java.lang.String startsWith(java.lang.String)"
)
)
.advanced()
.isSelect(
cursor);
}
}
138. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Partial Path Traversal - Putting it all together
139. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Example Case: AWS Java SDK
CVE-2022-31159
140. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
141. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
142. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Vulnerability Disclosure Drama!
143. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Aside: Email with AWS Security Team
AWS: We’d like to award you a bug bounty, however you’d need
to sign an NDA.
144. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Aside: Email with AWS Security Team
AWS: We’d like to award you a bug bounty, however you’d need
to sign an NDA.
Jonathan: I don’t normally agree to NDA’s. Can I read it first
before potentially agreeing?
145. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Aside: Email with AWS Security Team
AWS: We’d like to award you a bug bounty, however you’d need
to sign an NDA.
Jonathan: I don’t normally agree to NDA’s. Can I read it first
before potentially agreeing?
AWS: We’re unable to share the bug bounty program NDA since
it and other contract documents are considered sensitive by the
legal team.
146. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
147. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
148. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
149. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Vulnerability #3
Zip Slip
150. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Zip Slip
Path Traversal Vulnerability
while
Unpacking Zip File Entries
151. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Zip Slip
void zipSlip(File destination, ZipFile zip) {
Enumeration<? extends ZipEntry> entries = zip.entries();
while (entries.hasMoreElements()) {
ZipEntry e = entries.nextElement();
File f = new File(destination, e.getName());
IOUtils.copy(
zip.getInputStream(e),
new FileOutputStream(f)
);
}
}
152. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Zip Slip
ZipEntry e = entries.nextElement();
File f = new File(destination, e.getName());
IOUtils.copy(
zip.getInputStream(e),
new FileOutputStream(f)
);
153. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Zip Slip is Complicated
154. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Zip Slip
ZipEntry e = ...
File f = new File(destination, e.getName());
IOUtils.copy(
zip.getInputStream(e),
new FileOutputStream(f)
);
155. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Zip Slip
ZipEntry e = ...
File f = new File(destination, e.getName());
if (!f.toPath().startsWith(destination.toPath())) {
throw new IOException("Bad Zip Entry!");
}
IOUtils.copy(
zip.getInputStream(e),
new FileOutputStream(f)
);
156. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
The Problem
with
Zip Slip
157. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Zip Slip
ZipEntry e = ...
File f = new File(destination, e.getName());
if (!f.toPath().startsWith(destination.toPath())) {
throw new IOException("Bad Zip Entry!");
}
IOUtils.copy(
zip.getInputStream(e),
new FileOutputStream(f)
);
158. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Zip Slip
ZipEntry e = ...
File f = new File(destination, e.getName());
if (f.toPath().startsWith(destination.toPath())) {
IOUtils.copy(
zip.getInputStream(e),
new FileOutputStream(f)
);
}
159. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Control Flow Analysis
160. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Control Flow Analysis
File f = new File(destination, e.getName());
IOUtils.copy(
zip.getInputStream(e),
new FileOutputStream(f)
);
File f = new File(destination, e.getName());
if (!f.toPath().startsWith(destination.toPath())){
throw new IOException("Bad Zip Entry!");
}
IOUtils.copy(
zip.getInputStream(e),
new FileOutputStream(f)
);
161. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Control Flow - OpenRewrite
162. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Zip Slip
ZipEntry e = ...
File f = new File(destination, e.getName());
if (!f.toPath().startsWith(destination.toPath())) {
throw new IOException("Bad Zip Entry!");
}
IOUtils.copy(
zip.getInputStream(e),
new FileOutputStream(f)
);
163. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Zip Slip
File f = new File(destination, e.getName());
if (!f.toPath().startsWith(
destination.toPath())) {
throw new IOException("Bad Zip Entry!"
);
}
IOUtils.copy(
zip.getInputStream(
e),
new FileOutputStream(
f)
);
164. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Zip Slip - Putting it all together
165. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Zip Slip - Putting it all together
166. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Zip Slip - Putting it all together
167. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Pull Request Generation!
168. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
169. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Problems with Pull Request Generation
170. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
How fast can we generate
Pull Requests?
171. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Pull Request Generation Steps
1. Checkout (ie. Download) code Repository
172. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Pull Request Generation Steps
1. Checkout (ie. Download) code Repository
2. Branch, Apply Diff, & Commit
173. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Pull Request Generation Steps
1. Checkout (ie. Download) code Repository
2. Branch, Apply Diff, & Commit
3. Fork Repository on GitHub
174. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Pull Request Generation Steps
1. Checkout (ie. Download) code Repository
2. Branch, Apply Diff, & Commit
3. Fork Repository on GitHub
4. Rename Repository on GitHub
175. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Pull Request Generation Steps
1. Checkout (ie. Download) code Repository
2. Branch, Apply Diff, & Commit
3. Fork Repository on GitHub
4. Rename Repository on GitHub
5. Push changes
176. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Pull Request Generation Steps
1. Checkout (ie. Download) code Repository
2. Branch, Apply Diff, & Commit
3. Fork Repository on GitHub
4. Rename Repository on GitHub
5. Push changes
6. Create Pull Request on GitHub
177. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Pull Request Generation Steps
1. Checkout (ie. Download) code Repository
2. Branch, Apply Diff, & Commit
3. Fork Repository on GitHub
4. Rename Repository on GitHub
5. Push changes
6. Create Pull Request on GitHub
178. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Pull Request Generation Steps
File IO Git Operation GitHub API .
179. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Pull Request Generation Steps
1. Checkout (ie. Download) code Repository
File IO Git Operation GitHub API .
180. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Pull Request Generation Steps
1. Checkout (ie. Download) code Repository
2. Branch, Apply Diff, & Commit
File IO Git Operation GitHub API .
181. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Pull Request Generation Steps
1. Checkout (ie. Download) code Repository
2. Branch, Apply Diff, & Commit
3. Fork Repository on GitHub
File IO Git Operation GitHub API .
182. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Pull Request Generation Steps
1. Checkout (ie. Download) code Repository
2. Branch, Apply Diff, & Commit
3. Fork Repository on GitHub
4. Rename Repository on GitHub
File IO Git Operation GitHub API .
183. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Pull Request Generation Steps
1. Checkout (ie. Download) code Repository
2. Branch, Apply Diff, & Commit
3. Fork Repository on GitHub
4. Rename Repository on GitHub
5. Push changes
File IO Git Operation GitHub API .
184. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Pull Request Generation Steps
1. Checkout (ie. Download) code Repository
2. Branch, Apply Diff, & Commit
3. Fork Repository on GitHub
4. Rename Repository on GitHub
5. Push changes
6. Create Pull Request on GitHub
File IO Git Operation GitHub API .
185. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Pull Request Generation Steps
1. Checkout (ie. Download) code Repository
2. Branch, Apply Diff, & Commit
3. Fork Repository on GitHub
4. Rename Repository on GitHub
5. Push changes
6. Create Pull Request on GitHub
File IO Git Operation GitHub API .
186. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Pull Request Generation Steps
1. Checkout (ie. Download) code Repository
2. Branch, Apply Diff, & Commit
3. Fork Repository on GitHub
4. Rename Repository on GitHub
5. Push changes
6. Create Pull Request on GitHub
File IO Git Operation GitHub API .
187. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Pull Request Generation Steps
1. Checkout (ie. Download) code Repository
2. Branch, Apply Diff, & Commit
3. Fork Repository on GitHub
4. Rename Repository on GitHub
5. Push changes
6. Create Pull Request on GitHub
188. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Let’s talk about...
GitHub’s API Rate Limiter
189. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Github Documentation
“If you're making a large number of POST, PATCH, PUT,
or DELETE requests for a single user or client ID, wait at
least one second between each request.”
190. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Github Documentation
“When you have been limited, use the Retry-After
response header to slow down. The value of the
Retry-After header will always be an integer,
representing the number of seconds you should wait
before making requests again.”
191. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Something New Appeared in 2022
192. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Github Documentation
“Requests that create content which triggers notifications,
such as issues, comments and pull requests, may be
further limited and will not include a Retry-After
header in the response. Please create this content at a
reasonable pace to avoid further limiting.”
193. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Github Documentation
“Requests that create content which triggers notifications,
such as issues, comments and pull requests, may be
further limited and will not include a Retry-After
header in the response. Please create this content at a
reasonable pace to avoid further limiting.”
194. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Github Documentation
“Requests that create content which triggers notifications,
such as issues, comments and pull requests, may be
further limited and will not include a Retry-After
header in the response. Please create this content at a
reasonable pace to avoid further limiting.”
195. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
196. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
We’ve made it this far
✅ Vulnerabilities Detected
✅ Style Detected
✅ Code Fixed & Diff Generated
✅ Rate Limit Bypassed
197. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
We’ve made it this far
✅ Vulnerabilities Detected
✅ Style Detected
✅ Code Fixed & Diff Generated
✅ Rate Limit Bypassed
How do we do this for all the repositories?
198. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Moderne
● Free for Open Source Projects!
● ~7,000 Repositories indexed
● Run Open Rewrite Transformations at Scale
● Generates and Updates Pull Requests
199. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
800+ OpenRewrite Recipes including complete
Framework Migrations
200. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
It’s not just your code that needs to be secure
It’s also the dependencies
201. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
800+ OpenRewrite Recipes including complete
Framework Migrations
202. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Bulk Pull Request Generation - public.moderne.io
203. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
204. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
205. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
But there are more than just 7,000
repositories in the world
How do we find the other vulnerable projects?
206. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
CodeQL
207. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
CodeQL
100k+ OSS Projects Indexed
35k+ OSS Java Projects
208. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
https://github.com/moderneinc/jenkins-ingest
209. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
CodeQL: Partial Path Traversal
if (!dir.getCanonicalPath()
.startsWith(parent.getCanonicalPath())) {
...
}
210. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
With the list of vulnerable projects in hand!
211. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Finally!
Let’s generate some
Open Source Software
Pull Requests!
212. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
213. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Bulk Pull Request Generation Statistics
Project PR Generator Pull Requests Merge Rate
HTTP Download of Dependencies Python Bot 1,596 40%
CVE-2019-16303: JHipster RNG Vulnerability Python Bot + Moderne 3,467 2.3%
CVE-2020-8597: rhostname array overflow Python Bot 1,885 7.6%
Temporary Directory Hijacking Moderne 64 25%
Partial Path Traversal Moderne 50 22%
Zip Slip Moderne 152 20%
214. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Bulk Pull Request Generation Statistics
Project PR Generator Pull Requests Merge Rate
HTTP Download of Dependencies Python Bot 1,596 40%
CVE-2019-16303: JHipster RNG Vulnerability Python Bot + Moderne 3,467 2.3%
CVE-2020-8597: rhostname array overflow Python Bot 1,885 7.6%
Temporary Directory Hijacking Moderne 64 25%
Partial Path Traversal Moderne 50 22%
Zip Slip Moderne 152 20%
New Pull Requests Generated in 2022: 600+
215. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Bulk Pull Request Generation Statistics
Project PR Generator Pull Requests Merge Rate
HTTP Download of Dependencies Python Bot 1,596 40%
CVE-2019-16303: JHipster RNG Vulnerability Python Bot + Moderne 3,467 2.3%
CVE-2020-8597: rhostname array overflow Python Bot 1,885 7.6%
Temporary Directory Hijacking Moderne 64 25%
Partial Path Traversal Moderne 50 22%
Zip Slip Moderne 152 20%
Personally Generated: 5,200+ Pull Requests
216. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
217. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
218. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Best Practices for Bulk Pull Request
Generation
219. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Messaging!
220. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
All Software Problems are
People Problems
In Disguise
221. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Lesson 1
Sign off all Commits
--signoff
222. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Sign off on Commits
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
223. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Sign off on Commits
Why?!
224. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Sign off on Commits
“It was introduced in the wake of the SCO lawsuit, (and other accusations of
copyright infringement from SCO, most of which they never actually took to court),
as a Developers Certificate of Origin. It is used to say that you certify that you
have created the patch in question, or that you certify that to the best of your
knowledge, it was created under an appropriate open-source license, or that it has
been provided to you by someone else under those terms.”
- Stack Overflow
225. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
TL;DR
226. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Lawyers
227. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
228. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Lesson 2
Be a good commitizen
229. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Lesson 2
Be a good commitizen
GPG Sign your Commits
230. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
231. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
232. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Lesson 3
SECOM
Commit Format
233. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
SECOM
234. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Lesson 4
There are risks using your
personal
GitHub Account
235. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Anyone here familiar with
GitHub’s
Angry Unicorn?
236. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
This was my GitHub Profile Page for most of 2020
237. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Remember GitHub’s Rate Limit?
238. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
239. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Lesson 5
Coordinate with GitHub
240. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Before Attempting
Reach out to GitHub!
SecurityLab@github.com
241. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Lesson 6
Consider the Implications
242. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
243. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Conclusion
244. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
As Security Researchers
245. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
We have an obligation to society
246. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
We know these vulnerabilities are out there
247. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
“For every 500 developers
you have one security
researcher.”
- GitHub 2020
248. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
249. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
- Dan Kaminsky (1979 – 2021)
“We can fix it. We have the technology. OK. We need
to create the technology. Alright. The policy guys are
mucking with the technology. Relax. WE'RE ON IT.
250. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
● Learn CodeQL! Seriously! It’s an incredibly powerful language!
● Contribute to OpenRewrite! Deploy your security fixes at scale!
● Join the GitHub Security Lab & OpenRewrite Slack Channels!
● Join the Open Source Security Foundation (OSSF)!
251. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
Thanks
Lidia Giuliano
Shyam Mehta
252. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
@JLLeitschuh
Jonathan.Leitschuh@gmail.com
253. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
254. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
CodeQL: Partial Path Traversal
255. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
CodeQL: Partial Path Traversal
256. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
CodeQL: Partial Path Traversal
257. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
CodeQL: Partial Path Traversal
258. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
CodeQL: Partial Path Traversal
259. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
CodeQL: Partial Path Traversal
260. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
CodeQL: Partial Path Traversal
261. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
CodeQL: Partial Path Traversal
262. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
CodeQL: Partial Path Traversal
263. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
CodeQL: Partial Path Traversal
264. Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All - Jonathan Leitschuh @JLLeitschuh
CodeQL: Partial Path Traversal