[Security] Make release URL as constant type (fix CWE-88) #141
Conversation
Signed-off-by: Aadhitya A <[email protected]>
Yay, your first pull request! 👍 A contributor will be by to give feedback soon. In the meantime, please review the Layer5 Community Welcome Guide and be sure to join the community Slack.
releaseAPIURL := "https://api.github.com/repos/traefik/mesh/releases?per_page=" + fmt.Sprint(releases) | ||
func GetLatestReleases() ([]*Release, error) { | ||
// Making the results to 10 to avoid fetching lot of releases (to avoid CWE-88) | ||
const releaseAPIURL = "https://api.github.com/repos/traefik/mesh/releases?per_page=10" |
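Review bot: the comment on the second line of the hunk ties the hardcoded `per_page=10` to CWE-88, but CWE-88 (argument injection) is about untrusted input reaching the query string, which the removed `fmt.Sprint(releases)` concatenation did; the number of releases fetched is a separate concern, so the comment should say why 10 was chosen. Since `GetLatestReleases()` now takes no count, any caller that still passes `releases` needs updating in this change; if a caller-supplied count is still wanted, bound it and set it via `url.Values` (`q.Set("per_page", strconv.Itoa(n))`) instead of string concatenation, which keeps the gosec finding resolved without fixing the page size.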
Makes sense.
@meshery/adapter-maintainers please take note.
This uses the GitHub API; I have added the page-scraping way in meshkit. I think that should be reused everywhere. We need to get off the GitHub API completely for fetching latest releases.
Yes, very good point, @Revolyssup.
@manav1403 or @piyushsingariya might point out examples of where this has been done elsewhere, so that we can move entirely away from any api.github.com requests and over to github.com requests.
Never mind. I think @Revolyssup has this covered here - https://github.com/meshery/meshery/pull/4667/files/040346d6d219572aad6e1979b6cd0a00e0db083c..dd64b57cf7825d0094b4bc00a512f945fccfc942
OK... This makes sense. If that change is implemented, I'll include the method here too.
Signed-off-by: Unnati <[email protected]>
Signed-off-by: Unnati <[email protected]>
@alphaX86 thanks for submitting a PR, security fixes are always welcome.
Updated slack.yml and added newcomers.yml to workflows folder
Signed-off-by: Abhijay Jain <[email protected]>
Signed-off-by: Pranav Singh <[email protected]>
…sue139 [Cl] Update e2etest.yaml
Signed-off-by: Pranav Singh <[email protected]>
[Cl] Fix minor syntax error in e2etest.yaml
Signed-off-by: Pranav Singh <[email protected]>
…test Signed-off-by: Pranav Singh <[email protected]>
[Cl] Add step for generating short_sha for the filename
Signed-off-by: ashish <[email protected]>
Add Ashish and Rudraksh in reviewers
Signed-off-by: ashish <[email protected]>
Add build time and modify run time comp generation
Bumps [github.com/layer5io/meshkit](https://github.com/layer5io/meshkit) from 0.2.34 to 0.5.2. - [Release notes](https://github.com/layer5io/meshkit/releases) - [Commits](meshery/meshkit@v0.2.34...v0.5.2) --- updated-dependencies: - dependency-name: github.com/layer5io/meshkit dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
Signed-off-by: l5io <[email protected]>
…hub.com/layer5io/meshkit-0.5.2 Bump github.com/layer5io/meshkit from 0.2.34 to 0.5.2
Signed-off-by: ashish <[email protected]>
Signed-off-by: asubedy <[email protected]>
Signed-off-by: Aadhitya A <[email protected]>
@alphaX86, it seems that this branch might need to be resynced.
Noted that, Lee 👍 I may need to rebase the branch correctly and implement the function which @Revolyssup has created in Meshkit to solve this.
I'll open a new PR... in the meantime I'll close this one as it's a bit dirty due to improper rebasing.
Signed-off-by: Aadhitya A <[email protected]>
Description
This PR fixes #138
Notes for Reviewers
Gosec checks need to be monitored
Signed commits