Qua 543: hide sensitive information and bump cc-parser version #372

Merged: 4 commits, May 5, 2022

Conversation

camillof
@camillof camillof commented May 4, 2022

Purpose

NCC Group audit on our system discovered multiple places where we are revealing sensitive information, like messages containing software versions, which an attacker may use to aid further attacks, or as part of a social engineering attack.

In other words: to increase security.

In this case, Ruby deprecation warnings were revealing some versions used:

codeclimate/codeclimate-duplication
13
Parser process id: 13
codeclimate-parser socket not present
waiting 1s...
D, [2022-05-04T13:59:23.882746 #1] DEBUG -- : Processing 0 csharp files concurrency=2
/home/app/.rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/concurrent-ruby-1.0.0/lib/concurrent/atomic/mutex_atomic_fixnum.rb:80: warning: constant ::Fixnum is deprecated
...

Also, we were printing exception backtraces, which also reveal versions:

I, [2022-05-04T18:50:24.607503 #1]  INFO -- : Skipping file ./reports/account_usage_calculator.rb due to exception (RubyParser::SyntaxError): Odd number (2) list for Hash. s(:array, s(:call, nil, :repo_id))
/home/app/.rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/ruby_parser-3.11.0/lib/ruby_parser_extras.rb:51:in `syntax_error'
/home/app/.rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/ruby_parser-3.11.0/lib/ruby18_parser.rb:5708:in `_reduce_493'
/home/app/.rubies/ruby-2.5.1/lib/ruby/2.5.0/racc/parser.rb:259:in `_racc_do_parse_c'
/home/app/.rubies/ruby-2.5.1/lib/ruby/2.5.0/racc/parser.rb:259:in `do_parse'
/home/app/.rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/ruby_parser-3.11.0/lib/ruby_parser_extras.rb:1082:in `block in process'
/home/app/.rubies/ruby-2.5.1/lib/ruby/2.5.0/timeout.rb:93:in `block in timeout'
/home/app/.rubies/ruby-2.5.1/lib/ruby/2.5.0/timeout.rb:33:in `block in catch'
/home/app/.rubies/ruby-2.5.1/lib/ruby/2.5.0/timeout.rb:33:in `catch'
/home/app/.rubies/ruby-2.5.1/lib/ruby/2.5.0/timeout.rb:33:in `catch'
/home/app/.rubies/ruby-2.5.1/lib/ruby/2.5.0/timeout.rb:108:in `timeout'
/home/app/.rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/ruby_parser-3.11.0/lib/ruby_parser_extras.rb:1070:in `process'
/home/app/.rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/ruby_parser-3.11.0/lib/ruby_parser.rb:31:in `block in process'

Description

  • Adding the -W0 flag before the ruby server starts silences the warnings (deprecation warnings) -> Some useful info here
  • Updated the bundler version; the older one would raise an error when installing gems while building the docker image.
  • Removed the exception backtrace printing as it discloses too much information.
  • Updated cc-parser base image to version b879
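The two code-level changes described above, as an added Ruby example that is not part of this pull request or the codeclimate-duplication code base. It contrasts a "skipping file" log line that includes the exception backtrace with one that records only the exception class and message, and shows the runtime equivalent of the `-W0` flag (`$VERBOSE = nil`, which makes `Kernel#warn` a no-op). The exception class, file path and backtrace frames are constructed for the example; `leaks_versions?` is a hypothetical helper that flags Ruby and gem version strings in log text.

```ruby
require 'logger'
require 'stringio'

# Constructed stand-in for the parser error quoted in the PR description.
class FakeSyntaxError < StandardError; end

def sample_exception
  e = FakeSyntaxError.new("Odd number (2) list for Hash. s(:array, s(:call, nil, :repo_id))")
  # Constructed frames in the same shape as the ones quoted above: they embed
  # the Ruby version and gem versions in their paths.
  e.set_backtrace([
    "/home/app/.rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/ruby_parser-3.11.0/lib/ruby_parser_extras.rb:51:in `syntax_error'",
    "/home/app/.rubies/ruby-2.5.1/lib/ruby/2.5.0/racc/parser.rb:259:in `do_parse'"
  ])
  e
end

# "Before": class, message and the full backtrace end up in the log output.
def log_skip_with_backtrace(logger, path, e)
  logger.info("Skipping file #{path} due to exception (#{e.class}): #{e.message}\n#{e.backtrace.join("\n")}")
end

# "After": only class and message, so no interpreter or gem paths are disclosed.
def log_skip_minimal(logger, path, e)
  logger.info("Skipping file #{path} due to exception (#{e.class}): #{e.message}")
end

# Run a block against a Logger writing to memory and return what it logged.
def capture_log
  io = StringIO.new
  logger = Logger.new(io)
  logger.formatter = proc { |sev, _time, _prog, msg| "#{sev[0]}: #{msg}\n" }
  yield logger
  io.string
end

# Runtime equivalent of starting ruby with -W0: with $VERBOSE set to nil,
# Kernel#warn (which carries the interpreter's deprecation warnings) prints nothing.
def with_warnings_silenced
  previous = $VERBOSE
  $VERBOSE = nil
  yield
ensure
  $VERBOSE = previous
end

# Capture anything written to $stderr while the block runs.
def capture_stderr
  previous = $stderr
  $stderr = StringIO.new
  yield
  $stderr.string
ensure
  $stderr = previous
end

# Hypothetical check: does the text contain a Ruby install path or a versioned gem directory?
VERSION_PATH = %r{/ruby-\d+\.\d+\.\d+/|gems/[\w-]+-\d+\.\d+\.\d+}

def leaks_versions?(text)
  !!(text =~ VERSION_PATH)
end

if __FILE__ == $PROGRAM_NAME
  e = sample_exception
  puts capture_log { |l| log_skip_with_backtrace(l, "./reports/x.rb", e) }
  puts capture_log { |l| log_skip_minimal(l, "./reports/x.rb", e) }
  quiet = capture_stderr { with_warnings_silenced { warn "constant ::Fixnum is deprecated" } }
  puts "warning output with \$VERBOSE=nil: #{quiet.inspect}"
end
```

A check like `leaks_versions?` is also a reasonable thing to run over log fixtures in a test suite, so that a later change does not quietly reintroduce backtraces or gem paths into output that reaches users.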

@f-moya f-moya left a comment

Awesome ✨

@camillof camillof merged commit 5a6fef1 into master May 5, 2022