From 3e3121bef7ff8cf82ecd6afd5ffc5de40425423a Mon Sep 17 00:00:00 2001 From: Michael Born Date: Thu, 23 Sep 2021 15:02:06 -0400 Subject: [PATCH 01/17] =?UTF-8?q?=F0=9F=93=A6=20NEW:=20Add=20Fixinator=20s?= =?UTF-8?q?ecurity=20audits?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/actions/Dockerfile | 6 ++++ .github/actions/action.yml | 56 +++++++++++++++++++++++++++++++++ .github/actions/entrypoint.sh | 29 +++++++++++++++++ .github/workflows/fixinator.yml | 18 +++++++++++ 4 files changed, 109 insertions(+) create mode 100644 .github/actions/Dockerfile create mode 100644 .github/actions/action.yml create mode 100644 .github/actions/entrypoint.sh create mode 100644 .github/workflows/fixinator.yml diff --git a/.github/actions/Dockerfile b/.github/actions/Dockerfile new file mode 100644 index 0000000..ab912e6 --- /dev/null +++ b/.github/actions/Dockerfile @@ -0,0 +1,6 @@ +from ghcr.io/foundeo/cfml-ci-tools/cfml-ci-tools:1.0.4 + +COPY entrypoint.sh $GITHUB_WORKSPACE + +RUN chmod +x /app/entrypoint.sh +ENTRYPOINT [ "/app/entrypoint.sh" ] \ No newline at end of file diff --git a/.github/actions/action.yml b/.github/actions/action.yml new file mode 100644 index 0000000..46b5579 --- /dev/null +++ b/.github/actions/action.yml 
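Review bot: The base image on the `from` line is pinned only by tag (`cfml-ci-tools:1.0.4`), so the toolchain that performs the security audit can change underneath a rebuild with no change in this repository; pin it by digest as well, `FROM ghcr.io/foundeo/cfml-ci-tools/cfml-ci-tools:1.0.4@sha256:<DIGEST-PLACEHOLDER>`, and keep the instruction keyword uppercase to match the `COPY`/`RUN`/`ENTRYPOINT` lines. The `COPY entrypoint.sh $GITHUB_WORKSPACE` destination also depends on a variable that is neither an `ARG` nor an `ENV` of this Dockerfile, so unless the base image happens to set it, it expands to empty at build time and the script never lands at the `/app/entrypoint.sh` path the next two lines expect.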
@@ -0,0 +1,56 @@ +name: "Fixinator" +description: "Keep insecure CFML out of production by performing security audits with Fixinator" +inputs: + api_key: + description: "The Fixinator API key, purchased from fixinator.app" + required: true + api_url: + description: "For Fixinator Enterprise, you can point to a self-hosted Fixinator instance. Leave this blank for the default Fixinator server." + required: false + default: "" + path: + description: "The folder or file to scan. You can also pass a file globber pattern, like `models/**/*.cfc`" + required: false + confidence: + description: "Possible values are `none`, `low`, `medium` or `high`. This setting filters out results that the scanner is not confident about. Setting it to a lower value will show more issues but may have some false positives." + required: false + default: "high" + severity: + description: "Possible values are: `low`, `medium` or `high`. Filter by severity of the issues found." + required: false + default: "low" + autofix: + description: "Possible values are `off` or `auto`. Autofix identified issues. **This action cannot support the `prompt` option**." + required: false + default: "off" + resultFile: + description: "Writes results to a file specified by the path in resultFile. You may specify a comma separated list of paths if you want to write multiple formats." + required: false + resultFormat: + description: "Specify a format for the `resultFile`: `json` (default), `html`, `pdf`, `csv`, `junit`, `sast`, or `findbugs`. You may specify a comma separated list of formats and `resultFile` paths if you want to write multiple files." + required: false + default: "json" + ignorePaths: + description: "A file globber pattern of paths to ignore from the scan." + required: false + failOnIssues: + description: "Possible values are `true` and `false`. Fail the build when issues are found." 
+ required: false + default: "true" +runs: + using: "docker" + image: "Dockerfile" + args: + - ${{ inputs.api_key }} + - ${{ inputs.api_url }} + - ${{ inputs.path }} + - ${{ inputs.confidence }} + - ${{ inputs.severity }} + - ${{ inputs.autofix }} + - ${{ inputs.resultFile }} + - ${{ inputs.resultFormat }} + - ${{ inputs.ignorePaths }} + - ${{ inputs.failOnIssues }} +branding: + icon: 'shield' + color: 'orange' \ No newline at end of file diff --git a/.github/actions/entrypoint.sh b/.github/actions/entrypoint.sh new file mode 100644 index 0000000..7fb3862 --- /dev/null +++ b/.github/actions/entrypoint.sh @@ -0,0 +1,29 @@ +#!/bin/sh + +# Arguments are passed in from action.yml through the Dockerfile +API_KEY=$1 +API_URL=$2 +PATH=$3 +CONFIDENCE=$4 +SEVERITY=$5 +AUTOFIX=$6 +RESULTFILE=$7 +RESULTFORMAT=$8 +IGNOREPATHS=$9 +FAILONISSUES=$10 + +### +# CONFIGURATION +# Since Fixinator uses underscores in its module configuration, we can't do this with a simple env var substitution. +### +CONFIG_SETTINGS="modules.fixinator.api_key=$API_KEY" +if [[ -n $API_URL ]]; then + CONFIG_SETTINGS="$CONFIG_SETTINGS modules.fixinator.api_key=$API_URL" +fi +box config set $CONFIG_SETTINGS + +### +# RUN IT +### +FIXINATOR_ARGS="path=$PATH confidence=$CONFIDENCE severity=$SEVERITY autofix=$AUTOFIX resultFile=$RESULTFILE resultFormat=$RESULTFORMAT ignorePaths=$IGNOREPATHS failOnIssues=$FAILONISSUES" +box fixinator $FIXINATOR_ARGS \ No newline at end of file diff --git a/.github/workflows/fixinator.yml b/.github/workflows/fixinator.yml new file mode 100644 index 0000000..843ff51 --- /dev/null +++ b/.github/workflows/fixinator.yml 
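Review bot: `- ${{ inputs.api_key }}` under `args:` hands the Fixinator API key to the container as a positional command-line argument, where it is visible to anything that can list processes in the job and is one `set -x` or debug `echo` in the entrypoint away from appearing in the build log; pass it through an `env:` map on the `runs:` block instead (`env:` / `FIXINATOR_API_KEY: ${{ inputs.api_key }}`) and keep only non-secret inputs in `args:`. The `api_key` description should also state that the value must be supplied from a repository secret rather than written into the workflow file, e.g. `description: "The Fixinator API key, purchased from fixinator.app. Supply it from a repository secret, never as a literal."`. Inputs with no `default:` (`path`, `resultFile`, `ignorePaths`) reach the entrypoint as empty positional arguments, which is worth saying in the description of each so callers know an omitted value is not an error.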
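Review bot: The script declares `#!/bin/sh` but tests `if [[ -n $API_URL ]]; then`, which is a bash construct; under a POSIX `sh` such as dash or busybox that line fails with a "not found" error and the `if` treats it as false, so the `api_url` branch is silently skipped. Use the portable form `if [ -n "$API_URL" ]; then`, or change the shebang to `#!/bin/bash` if the base image ships bash. The script also runs without `set -eu`, so a failing `box config set` does not stop the run and the audit presumably proceeds with whatever key was already configured in the image; `set -eu` on the line after the shebang makes such failures visible.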
@@ -0,0 +1,18 @@ +name: Fixinator + +on: [push, pull_request] + +jobs: + format: + runs-on: ubuntu-latest + steps: + - name: Checkout Repo + uses: actions/checkout@v2 + + - name: Run Fixinator Security Audit + uses: ./.github/actions/fixinator + with: + api_key: ${{ secrets.FIXINATOR_KEY }} + path: models,interceptors + confidence: medium + severity: low \ No newline at end of file From d4b368246d8ed60011730a3cd301f8c032c0f6aa Mon Sep 17 00:00:00 2001 From: michaelborn Date: Thu, 23 Sep 2021 19:02:50 +0000 Subject: [PATCH 02/17] =?UTF-8?q?=F0=9F=91=8C=20IMPROVE:=20Auto-format=20c?= =?UTF-8?q?fcs=20via=20cfformat?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- models/Assets.cfc | 19 +++++----- models/BaseRequest.cfc | 6 ++-- tests/specs/unit/AccountsTest.cfc | 59 ++++++++++++++++--------------- tests/specs/unit/AssetsTest.cfc | 16 ++++----- tests/specs/unit/TokensTest.cfc | 25 ++++++------- tests/specs/unit/Transactions.cfc | 20 +++++------ 6 files changed, 67 insertions(+), 78 deletions(-) diff --git a/models/Assets.cfc b/models/Assets.cfc index c186761..ed10cf3 100644 --- a/models/Assets.cfc +++ b/models/Assets.cfc @@ -7,12 +7,12 @@ component extends="BaseRequest" { /** * Create an asset report. - * + * * @see https://plaid.com/docs/api/products/#asset_reportcreate * - * @access_token + * @access_token * @days_requested The maximum integer number of days of history to include in the Asset Report. If using Fannie Mae Day 1 Certainty, days_requested must be at least 61 for new originations or at least 31 for refinancings. - * @options + * @options */ public struct function createReport( required string access_token, 
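Review bot: The job declares no `permissions:` block, so it runs with the repository's default `GITHUB_TOKEN` grant although the audit only needs to read the checkout; add `permissions:` / `contents: read` at the job level so a compromised scanner image or entrypoint cannot write to the repository. For pull requests opened from forks GitHub does not expose repository secrets, so on those runs `${{ secrets.FIXINATOR_KEY }}` is empty and the step fails or audits unauthenticated; either restrict the `pull_request` trigger to same-repository branches or make the step tolerate a missing key explicitly. `actions/checkout@v2` is pinned by major tag; for a workflow that gates merges on a security check, pinning to a full commit SHA (`actions/checkout@<COMMIT-SHA-PLACEHOLDER>`) removes the tag-move risk.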
@@ -23,13 +23,14 @@ component extends="BaseRequest" { hyper.post( url = settings.api_url & "/asset_report/create", body = { - "client_id" : settings.api_client_id, - "secret" : settings.api_client_secret, - "access_tokens" : [ arguments.access_token ], - "days_requested": arguments.days_requested, - "options" : arguments.options + "client_id" : settings.api_client_id, + "secret" : settings.api_client_secret, + "access_tokens" : [ arguments.access_token ], + "days_requested" : arguments.days_requested, + "options" : arguments.options } ) ); } -} \ No newline at end of file + +} diff --git a/models/BaseRequest.cfc b/models/BaseRequest.cfc index 7969319..104f97e 100644 --- a/models/BaseRequest.cfc +++ b/models/BaseRequest.cfc @@ -35,9 +35,9 @@ component { } throw( - message = message, - type = type, - detail = detail, + message = message, + type = type, + detail = detail, extendedinfo = result ); } diff --git a/tests/specs/unit/AccountsTest.cfc b/tests/specs/unit/AccountsTest.cfc index 614552c..949758d 100755 --- a/tests/specs/unit/AccountsTest.cfc +++ b/tests/specs/unit/AccountsTest.cfc @@ -1,9 +1,9 @@ /** -* The base model test case will use the 'model' annotation as the instantiation path -* and then create it, prepare it for mocking and then place it in the variables scope as 'model'. It is your -* responsibility to update the model annotation instantiation path and init your model. -*/ -component extends="coldbox.system.testing.BaseModelTest" model="models.Accounts"{ + * The base model test case will use the 'model' annotation as the instantiation path + * and then create it, prepare it for mocking and then place it in the variables scope as 'model'. It is your + * responsibility to update the model annotation instantiation path and init your model. + */ +component extends="coldbox.system.testing.BaseModelTest" model="models.Accounts" { /*********************************** LIFE CYCLE Methods ***********************************/ 
@@ -14,18 +14,29 @@ component extends="coldbox.system.testing.BaseModelTest" model="models.Accounts" super.setup(); variables.plaidAPISettings = { - api_url : "http://localhost", - api_client_id : "client-id-test-1", - api_client_secret: "client-secret-haha" + api_url : "http://localhost", + api_client_id : "client-id-test-1", + api_client_secret : "client-secret-haha" }; - variables.hyperMock = getMockBox().createMock( "hyper.models.HyperBuilder"); + variables.hyperMock = getMockBox().createMock( "hyper.models.HyperBuilder" ); variables.hyperResponseMock = getMockBox().createMock( "hyper.models.HyperResponse" ); - hyperMock.$( method = "post", callLogging = true, returns=hyperResponseMock, preserveReturnType=true ); - - model.$property( propertyName = "settings", mock=variables.plaidAPISettings ); - model.$property( propertyName = "hyper", mock=hyperMock ); + hyperMock.$( + method = "post", + callLogging = true, + returns = hyperResponseMock, + preserveReturnType = true + ); + + model.$property( + propertyName = "settings", + mock = variables.plaidAPISettings + ); + model.$property( + propertyName = "hyper", + mock = hyperMock + ); // init the model object model.init(); 
@@ -38,29 +49,19 @@ component extends="coldbox.system.testing.BaseModelTest" model="models.Accounts" /*********************************** BDD SUITES ***********************************/ function run(){ - describe( "cfplaid.models.Accounts Suite", function(){ - describe( "getBalances", function(){ - it( "should fetch account balances", function() { - + it( "should fetch account balances", function(){ variables.hyperResponseMock.$property( propertyName = "data", mock = serializeJSON( { balances : [] } ) ); - var result = variables.model.getBalances( - access_token = "secret-123" - ); - - expect( result ).toBeStruct( "should return deserialized JSON" ) - .toHaveKey( "balances" ); - - }); - }); - - - }); + var result = variables.model.getBalances( access_token = "secret-123" ); + expect( result ).toBeStruct( "should return deserialized JSON" ).toHaveKey( "balances" ); + } ); + } ); + } ); } } diff --git a/tests/specs/unit/AssetsTest.cfc b/tests/specs/unit/AssetsTest.cfc index e340022..757bef2 100755 --- a/tests/specs/unit/AssetsTest.cfc +++ b/tests/specs/unit/AssetsTest.cfc @@ -1,9 +1,9 @@ /** -* The base model test case will use the 'model' annotation as the instantiation path -* and then create it, prepare it for mocking and then place it in the variables scope as 'model'. It is your -* responsibility to update the model annotation instantiation path and init your model. -*/ -component extends="coldbox.system.testing.BaseModelTest" model="models.Assets"{ + * The base model test case will use the 'model' annotation as the instantiation path + * and then create it, prepare it for mocking and then place it in the variables scope as 'model'. It is your + * responsibility to update the model annotation instantiation path and init your model. + */ +component extends="coldbox.system.testing.BaseModelTest" model="models.Assets" { /*********************************** LIFE CYCLE Methods ***********************************/ 
@@ -24,12 +24,8 @@ component extends="coldbox.system.testing.BaseModelTest" model="models.Assets"{ /*********************************** BDD SUITES ***********************************/ function run(){ - describe( "Assets Suite", function(){ - - - }); - + } ); } } diff --git a/tests/specs/unit/TokensTest.cfc b/tests/specs/unit/TokensTest.cfc index 0c8a97d..881cbd8 100755 --- a/tests/specs/unit/TokensTest.cfc +++ b/tests/specs/unit/TokensTest.cfc @@ -1,9 +1,9 @@ /** -* The base model test case will use the 'model' annotation as the instantiation path -* and then create it, prepare it for mocking and then place it in the variables scope as 'model'. It is your -* responsibility to update the model annotation instantiation path and init your model. -*/ -component extends="coldbox.system.testing.BaseModelTest" model="models.Tokens"{ + * The base model test case will use the 'model' annotation as the instantiation path + * and then create it, prepare it for mocking and then place it in the variables scope as 'model'. It is your + * responsibility to update the model annotation instantiation path and init your model. + */ +component extends="coldbox.system.testing.BaseModelTest" model="models.Tokens" { /*********************************** LIFE CYCLE Methods ***********************************/ @@ -24,28 +24,23 @@ component extends="coldbox.system.testing.BaseModelTest" model="models.Tokens"{ /*********************************** BDD SUITES ***********************************/ function run(){ - xdescribe( "models.Tokens Suite", function(){ - it( "should createLink", function(){ expect( false ).toBeTrue(); - }); + } ); it( "should exchangeToken", function(){ expect( false ).toBeTrue(); - }); + } ); it( "should invalidateToken", function(){ expect( false ).toBeTrue(); - }); + } ); it( "should getLinkToken", function(){ expect( false ).toBeTrue(); - }); - - - }); - + } ); + } ); } } 
diff --git a/tests/specs/unit/Transactions.cfc b/tests/specs/unit/Transactions.cfc index c556a54..033dc8f 100644 --- a/tests/specs/unit/Transactions.cfc +++ b/tests/specs/unit/Transactions.cfc @@ -1,9 +1,9 @@ /** -* The base model test case will use the 'model' annotation as the instantiation path -* and then create it, prepare it for mocking and then place it in the variables scope as 'model'. It is your -* responsibility to update the model annotation instantiation path and init your model. -*/ -component extends="coldbox.system.testing.BaseModelTest" model="models.Transactions"{ + * The base model test case will use the 'model' annotation as the instantiation path + * and then create it, prepare it for mocking and then place it in the variables scope as 'model'. It is your + * responsibility to update the model annotation instantiation path and init your model. + */ +component extends="coldbox.system.testing.BaseModelTest" model="models.Transactions" { /*********************************** LIFE CYCLE Methods ***********************************/ @@ -24,15 +24,11 @@ component extends="coldbox.system.testing.BaseModelTest" model="models.Transacti /*********************************** BDD SUITES ***********************************/ function run(){ - describe( "cfplaid.models.Transactions Suite", function(){ - xit( "should getBalances", function(){ expect( false ).toBeTrue(); - }); - - }); - + } ); + } ); } -} \ No newline at end of file +} From 1f64f94c18a4c75515a7719905de26a28b00997e Mon Sep 17 00:00:00 2001 
From: Michael Born Date: Thu, 23 Sep 2021 15:04:46 -0400 Subject: [PATCH 03/17] =?UTF-8?q?=F0=9F=90=9B=20FIX:=20Correct=20fixinator?= =?UTF-8?q?=20action=20path?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/actions/{ => fixinator}/Dockerfile | 0 .github/actions/{ => fixinator}/action.yml | 0 .github/actions/{ => fixinator}/entrypoint.sh | 0 .github/workflows/fixinator.yml | 3 ++- 4 files changed, 2 insertions(+), 1 deletion(-) rename .github/actions/{ => fixinator}/Dockerfile (100%) rename .github/actions/{ => fixinator}/action.yml (100%) rename .github/actions/{ => fixinator}/entrypoint.sh (100%) diff --git a/.github/actions/Dockerfile b/.github/actions/fixinator/Dockerfile similarity index 100% rename from .github/actions/Dockerfile rename to .github/actions/fixinator/Dockerfile diff --git a/.github/actions/action.yml b/.github/actions/fixinator/action.yml similarity index 100% rename from .github/actions/action.yml rename to .github/actions/fixinator/action.yml diff --git a/.github/actions/entrypoint.sh b/.github/actions/fixinator/entrypoint.sh similarity index 100% rename from .github/actions/entrypoint.sh rename to .github/actions/fixinator/entrypoint.sh diff --git a/.github/workflows/fixinator.yml b/.github/workflows/fixinator.yml index 843ff51..04c1a56 100644 --- a/.github/workflows/fixinator.yml +++ b/.github/workflows/fixinator.yml @@ -3,7 +3,8 @@ name: Fixinator on: [push, pull_request] jobs: - format: + audit: + name: Fixinator audit runs-on: ubuntu-latest steps: - name: Checkout Repo From fe963d65748253df567c8958d9bee0f7055e2b03 Mon Sep 17 00:00:00 2001 
From: Michael Born Date: Thu, 23 Sep 2021 16:09:22 -0400 Subject: [PATCH 04/17] =?UTF-8?q?=F0=9F=90=9B=20FIX:=20Correct=20bad=20'pa?= =?UTF-8?q?th'=20env=20var=20setting?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This variable name was breaking all unix commands within the entrypoint! --- .github/actions/fixinator/Dockerfile | 2 +- .github/actions/fixinator/entrypoint.sh | 21 ++++++++++++--------- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/.github/actions/fixinator/Dockerfile b/.github/actions/fixinator/Dockerfile index ab912e6..ecff299 100644 --- a/.github/actions/fixinator/Dockerfile +++ b/.github/actions/fixinator/Dockerfile @@ -1,6 +1,6 @@ from ghcr.io/foundeo/cfml-ci-tools/cfml-ci-tools:1.0.4 -COPY entrypoint.sh $GITHUB_WORKSPACE +COPY entrypoint.sh /app RUN chmod +x /app/entrypoint.sh ENTRYPOINT [ "/app/entrypoint.sh" ] \ No newline at end of file diff --git a/.github/actions/fixinator/entrypoint.sh b/.github/actions/fixinator/entrypoint.sh index 7fb3862..041d273 100644 --- a/.github/actions/fixinator/entrypoint.sh +++ b/.github/actions/fixinator/entrypoint.sh @@ -3,14 +3,14 @@ # Arguments are passed in from action.yml through the Dockerfile API_KEY=$1 API_URL=$2 -PATH=$3 -CONFIDENCE=$4 -SEVERITY=$5 -AUTOFIX=$6 -RESULTFILE=$7 -RESULTFORMAT=$8 -IGNOREPATHS=$9 -FAILONISSUES=$10 +FIXINATOR_PATH=$3 +FIXINATOR_CONFIDENCE=$4 +FIXINATOR_SEVERITY=$5 +FIXINATOR_AUTOFIX=$6 +FIXINATOR_RESULTFILE=$7 +FIXINATOR_RESULTFORMAT=$8 +FIXINATOR_IGNOREPATHS=$9 +FIXINATOR_FAILONISSUES=$10 ### # CONFIGURATION 
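Review bot: `COPY entrypoint.sh /app` relies on `/app` already being a directory in the base image; if it is not, Docker writes the script to a regular file named `/app` and the following `RUN chmod +x /app/entrypoint.sh` fails at build time. Writing the full destination, `COPY entrypoint.sh /app/entrypoint.sh`, or the trailing-slash form `COPY entrypoint.sh /app/`, removes the dependency on the base image's layout.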
@@ -25,5 +25,8 @@ box config set $CONFIG_SETTINGS ### # RUN IT ### -FIXINATOR_ARGS="path=$PATH confidence=$CONFIDENCE severity=$SEVERITY autofix=$AUTOFIX resultFile=$RESULTFILE resultFormat=$RESULTFORMAT ignorePaths=$IGNOREPATHS failOnIssues=$FAILONISSUES" +FIXINATOR_ARGS="path=$FIXINATOR_PATH confidence=$FIXINATOR_CONFIDENCE \ + severity=$FIXINATOR_SEVERITY autofix=$FIXINATOR_AUTOFIX resultFile=$FIXINATOR_RESULTFILE \ + resultFormat=$FIXINATOR_RESULTFORMAT ignorePaths=$FIXINATOR_IGNOREPATHS \ + failOnIssues=$FIXINATOR_FAILONISSUES" box fixinator $FIXINATOR_ARGS \ No newline at end of file From 81a45cfe3fba79c76f455c41b3efabedaefc5f94 Mon Sep 17 00:00:00 2001 From: Michael Born Date: Thu, 23 Sep 2021 16:13:31 -0400 Subject: [PATCH 05/17] =?UTF-8?q?=F0=9F=90=9B=20FIX:=20Correct=2010th=20en?= =?UTF-8?q?trypoint=20argument?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Dah, Bash can't get at the 10th arg without curly brace notation. --- .github/actions/fixinator/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/fixinator/entrypoint.sh b/.github/actions/fixinator/entrypoint.sh index 041d273..2c66cb9 100644 --- a/.github/actions/fixinator/entrypoint.sh +++ b/.github/actions/fixinator/entrypoint.sh @@ -10,7 +10,7 @@ FIXINATOR_AUTOFIX=$6 FIXINATOR_RESULTFILE=$7 FIXINATOR_RESULTFORMAT=$8 FIXINATOR_IGNOREPATHS=$9 -FIXINATOR_FAILONISSUES=$10 +FIXINATOR_FAILONISSUES="${10}" ### # CONFIGURATION From b008577127c99a77ced0579ed282c37bdc5b0bec Mon Sep 17 00:00:00 2001 From: Michael Born Date: Thu, 23 Sep 2021 16:14:00 -0400 Subject: [PATCH 06/17] =?UTF-8?q?=F0=9F=91=8C=20IMPROVE:=20Only=20run=20fi?= =?UTF-8?q?xinator=20on=20cfc=20changes?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/fixinator.yml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) 
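Review bot: `box fixinator $FIXINATOR_ARGS` relies on unquoted word splitting of one string to turn the inputs back into separate `name=value` arguments, so any input containing a space — a `path` with a space in it, or an `ignorePaths` list written as `a, b` — is split into extra arguments and misparsed, and a glob in `ignorePaths` is also subject to pathname expansion by the shell before `box` sees it. Passing each value as its own quoted argument avoids both problems and drops the backslash-continued string entirely; an empty input still yields the same bare `name=` word as before. The reflow of this same block in PATCH 09's entrypoint hunk keeps the construction and would take the same change.
```sh
# … unchanged: RUN IT header …
box fixinator \
  path="$FIXINATOR_PATH" \
  confidence="$FIXINATOR_CONFIDENCE" \
  severity="$FIXINATOR_SEVERITY" \
  autofix="$FIXINATOR_AUTOFIX" \
  resultFile="$FIXINATOR_RESULTFILE" \
  resultFormat="$FIXINATOR_RESULTFORMAT" \
  ignorePaths="$FIXINATOR_IGNOREPATHS" \
  failOnIssues="$FIXINATOR_FAILONISSUES"
```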
diff --git a/.github/workflows/fixinator.yml b/.github/workflows/fixinator.yml index 04c1a56..e4043c6 100644 --- a/.github/workflows/fixinator.yml +++ b/.github/workflows/fixinator.yml @@ -1,6 +1,22 @@ name: Fixinator -on: [push, pull_request] +on: + push: + branches-ignore: + - "main" + - "master" + - "development" + # Only run if *.cfc files are modified + paths: + - '**.cfc' + pull_request: + branches: + - main + - master + - development + # Only run if *.cfc files are modified + paths: + - '**.cfc' jobs: audit: From b43913c47b9afa65ca929410bf94b9f5ff336e9f Mon Sep 17 00:00:00 2001 From: Michael Born Date: Thu, 23 Sep 2021 16:14:55 -0400 Subject: [PATCH 07/17] =?UTF-8?q?=F0=9F=91=8C=20IMPROVE:=20Add=20cfc=20cha?= =?UTF-8?q?nge=20trigger=20to=20CFFormat=20action?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/fixinator.yml | 2 -- .github/workflows/format.yml | 3 ++- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/fixinator.yml b/.github/workflows/fixinator.yml index e4043c6..3298938 100644 --- a/.github/workflows/fixinator.yml +++ b/.github/workflows/fixinator.yml @@ -6,7 +6,6 @@ on: - "main" - "master" - "development" - # Only run if *.cfc files are modified paths: - '**.cfc' pull_request: @@ -14,7 +13,6 @@ on: - main - master - development - # Only run if *.cfc files are modified paths: - '**.cfc' diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml index 37f489d..460b244 100644 --- a/.github/workflows/format.yml +++ b/.github/workflows/format.yml @@ -6,12 +6,13 @@ on: - "main" - "master" - "development" + paths: + - '**.cfc' pull_request: branches: - main - master - development - # Only run if *.cfc files are modified paths: - '**.cfc' From 4a7a8aa9a9496261d90c44096f1e23e129f3f5c8 Mon Sep 17 00:00:00 2001 
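Review bot: With `paths: - '**.cfc'` on both triggers, edits to the action itself (`.github/actions/fixinator/**`) and to this workflow file never start a run, so a broken entrypoint or a changed scan path goes unnoticed until some `.cfc` file happens to change; add both to each filter list, e.g. `- '**.cfc'`, `- '.github/actions/fixinator/**'`, `- '.github/workflows/fixinator.yml'`. The `branches-ignore` list on `push` also means commits landing directly on `main`, `master` or `development` are never audited — only pull requests targeting them — which is sound only if branch protection forbids direct pushes; a comment stating that assumption, `# direct pushes to protected branches are not audited; rely on the pull_request run`, would keep the next maintainer from reading it as an oversight.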
From: Michael Born Date: Thu, 23 Sep 2021 16:17:10 -0400 Subject: [PATCH 08/17] =?UTF-8?q?=F0=9F=93=A6=20NEW:=20Add=20insecure=20co?= =?UTF-8?q?de=20to=20test=20fixinator?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- models/BaseRequest.cfc | 1 + 1 file changed, 1 insertion(+) diff --git a/models/BaseRequest.cfc b/models/BaseRequest.cfc index 104f97e..f3855d8 100644 --- a/models/BaseRequest.cfc +++ b/models/BaseRequest.cfc @@ -4,6 +4,7 @@ component { property name="hyper" inject="HyperBuilder@hyper"; public component function init(){ + var accessToken = queryExecute( "SELECT token from apiKeys WHERE user=#url.userID#" ); return this; } From 0ed0d469e081caec9ad9f2084efb23981f15bca2 Mon Sep 17 00:00:00 2001 From: Michael Born Date: Thu, 23 Sep 2021 16:35:02 -0400 Subject: [PATCH 09/17] =?UTF-8?q?=F0=9F=90=9B=20FIX:=20Tweak=20fixinator?= =?UTF-8?q?=20check=20path?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/actions/fixinator/entrypoint.sh | 7 +++---- .github/workflows/fixinator.yml | 2 +- models/BaseRequest.cfc | 2 +- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/actions/fixinator/entrypoint.sh b/.github/actions/fixinator/entrypoint.sh index 2c66cb9..0411432 100644 --- a/.github/actions/fixinator/entrypoint.sh +++ b/.github/actions/fixinator/entrypoint.sh 
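Review bot: The line added to `init()` builds SQL by interpolating `url.userID` directly into the statement — the commit says this is deliberate, as a probe for the Fixinator run — but it sits in a shipped model that every consumer instantiates: `init()` now executes a query against an `apiKeys` table this module does not define and reads `url.userID`, which is likely undefined outside a request carrying that parameter, so module initialisation will presumably throw in normal use rather than only trip the scanner. If a known-bad sample is needed to verify the action, keep it in a fixture under `tests/` that is excluded from the release and listed in the workflow's scan `path`, and remove it from `models/`. PATCH 09, 10, 11, 12 and 13 keep re-editing this same line (quoting the value and toggling a trailing space), none of which changes that untrusted input is concatenated into SQL; if a real query were ever intended, the fix is parameter binding, `queryExecute( "SELECT token FROM apiKeys WHERE userID = :userID", { userID : url.userID } )`.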
@@ -25,8 +25,7 @@ box config set $CONFIG_SETTINGS ### # RUN IT ### -FIXINATOR_ARGS="path=$FIXINATOR_PATH confidence=$FIXINATOR_CONFIDENCE \ - severity=$FIXINATOR_SEVERITY autofix=$FIXINATOR_AUTOFIX resultFile=$FIXINATOR_RESULTFILE \ - resultFormat=$FIXINATOR_RESULTFORMAT ignorePaths=$FIXINATOR_IGNOREPATHS \ - failOnIssues=$FIXINATOR_FAILONISSUES" +FIXINATOR_ARGS="path=$FIXINATOR_PATH confidence=$FIXINATOR_CONFIDENCE severity=$FIXINATOR_SEVERITY \ + autofix=$FIXINATOR_AUTOFIX resultFile=$FIXINATOR_RESULTFILE resultFormat=$FIXINATOR_RESULTFORMAT \ + ignorePaths=$FIXINATOR_IGNOREPATHS failOnIssues=$FIXINATOR_FAILONISSUES" box fixinator $FIXINATOR_ARGS \ No newline at end of file diff --git a/.github/workflows/fixinator.yml b/.github/workflows/fixinator.yml index 3298938..268a778 100644 --- a/.github/workflows/fixinator.yml +++ b/.github/workflows/fixinator.yml @@ -28,6 +28,6 @@ jobs: uses: ./.github/actions/fixinator with: api_key: ${{ secrets.FIXINATOR_KEY }} - path: models,interceptors + path: ModuleConfig.cfc,models confidence: medium severity: low \ No newline at end of file diff --git a/models/BaseRequest.cfc b/models/BaseRequest.cfc index f3855d8..bc12a31 100644 --- a/models/BaseRequest.cfc +++ b/models/BaseRequest.cfc @@ -4,7 +4,7 @@ component { property name="hyper" inject="HyperBuilder@hyper"; public component function init(){ - var accessToken = queryExecute( "SELECT token from apiKeys WHERE user=#url.userID#" ); + var accessToken = queryExecute( "SELECT token from apiKeys WHERE userID='#url.userID#'" ); return this; } From 4f589927e96ff1f4ca3d98e87d080f4bc6dcb6d1 Mon Sep 17 00:00:00 2001 
From: Michael Born Date: Thu, 23 Sep 2021 16:58:17 -0400 Subject: [PATCH 10/17] =?UTF-8?q?=F0=9F=91=8C=20IMPROVE:=20Try=20api=20key?= =?UTF-8?q?=20as=20env=20var?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This may resolve issues when the API key is passed as a command argument. --- .github/actions/fixinator/action.yml | 3 ++- .github/actions/fixinator/entrypoint.sh | 3 +-- models/BaseRequest.cfc | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/actions/fixinator/action.yml b/.github/actions/fixinator/action.yml index 46b5579..65d8cc3 100644 --- a/.github/actions/fixinator/action.yml +++ b/.github/actions/fixinator/action.yml @@ -41,7 +41,6 @@ runs: using: "docker" image: "Dockerfile" args: - - ${{ inputs.api_key }} - ${{ inputs.api_url }} - ${{ inputs.path }} - ${{ inputs.confidence }} @@ -51,6 +50,8 @@ runs: - ${{ inputs.resultFormat }} - ${{ inputs.ignorePaths }} - ${{ inputs.failOnIssues }} + env: + FIXINATOR_API_KEY: ${{ inputs.api_key }} branding: icon: 'shield' color: 'orange' \ No newline at end of file diff --git a/.github/actions/fixinator/entrypoint.sh b/.github/actions/fixinator/entrypoint.sh index 0411432..7fcb3f7 100644 --- a/.github/actions/fixinator/entrypoint.sh +++ b/.github/actions/fixinator/entrypoint.sh @@ -1,7 +1,6 @@ #!/bin/sh # Arguments are passed in from action.yml through the Dockerfile -API_KEY=$1 API_URL=$2 FIXINATOR_PATH=$3 FIXINATOR_CONFIDENCE=$4 @@ -16,7 +15,7 @@ FIXINATOR_FAILONISSUES="${10}" # CONFIGURATION # Since Fixinator uses underscores in its module configuration, we can't do this with a simple env var substitution. ### -CONFIG_SETTINGS="modules.fixinator.api_key=$API_KEY" +CONFIG_SETTINGS="modules.fixinator.api_key=$FIXINATOR_API_KEY" if [[ -n $API_URL ]]; then CONFIG_SETTINGS="$CONFIG_SETTINGS modules.fixinator.api_key=$API_URL" fi diff --git a/models/BaseRequest.cfc b/models/BaseRequest.cfc index bc12a31..0ce6547 100644 --- a/models/BaseRequest.cfc 
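Review bot: `CONFIG_SETTINGS="modules.fixinator.api_key=$FIXINATOR_API_KEY"` reads the key from the environment but never checks that it is set, so a workflow that omitted `api_key`, or a fork pull request where the secret is unavailable, runs `box config set modules.fixinator.api_key=` and the audit either fails later with a less obvious error or proceeds unauthenticated; fail fast near the top of the script with `: "${FIXINATOR_API_KEY:?FIXINATOR_API_KEY is not set}"`. Moving the key out of `args:` is the right direction, but it is still placed on the `box config set` command line through `$CONFIG_SETTINGS`, so it remains visible in the container's process list while that command runs and is persisted in CommandBox's on-disk config for the life of the container; a comment noting that trade-off, `# key is written to the CommandBox config inside the ephemeral container only`, would document it. The unchanged `if [[ -n $API_URL ]]` line in this hunk still has the `#!/bin/sh` portability problem raised on the original entrypoint hunk.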
+++ b/models/BaseRequest.cfc @@ -4,7 +4,7 @@ component { property name="hyper" inject="HyperBuilder@hyper"; public component function init(){ - var accessToken = queryExecute( "SELECT token from apiKeys WHERE userID='#url.userID#'" ); + var accessToken = queryExecute( "SELECT token from apiKeys WHERE userID='#url.userID#' " ); return this; } From d5b9673c61d97add373d18b72ad4fb8ef0df4460 Mon Sep 17 00:00:00 2001 From: Michael Born Date: Thu, 23 Sep 2021 17:00:25 -0400 Subject: [PATCH 11/17] =?UTF-8?q?=F0=9F=90=9B=20FIX:=20Correct=20fixinator?= =?UTF-8?q?=20action=20args?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/actions/fixinator/entrypoint.sh | 18 +++++++++--------- models/BaseRequest.cfc | 2 +- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/actions/fixinator/entrypoint.sh b/.github/actions/fixinator/entrypoint.sh index 7fcb3f7..a416b0f 100644 --- a/.github/actions/fixinator/entrypoint.sh +++ b/.github/actions/fixinator/entrypoint.sh @@ -1,15 +1,15 @@ #!/bin/sh # Arguments are passed in from action.yml through the Dockerfile -API_URL=$2 -FIXINATOR_PATH=$3 -FIXINATOR_CONFIDENCE=$4 -FIXINATOR_SEVERITY=$5 -FIXINATOR_AUTOFIX=$6 -FIXINATOR_RESULTFILE=$7 -FIXINATOR_RESULTFORMAT=$8 -FIXINATOR_IGNOREPATHS=$9 -FIXINATOR_FAILONISSUES="${10}" +API_URL=$1 +FIXINATOR_PATH=$2 +FIXINATOR_CONFIDENCE=$3 +FIXINATOR_SEVERITY=$4 +FIXINATOR_AUTOFIX=$5 +FIXINATOR_RESULTFILE=$6 +FIXINATOR_RESULTFORMAT=$7 +FIXINATOR_IGNOREPATHS=$8 +FIXINATOR_FAILONISSUES=$9 ### # CONFIGURATION diff --git a/models/BaseRequest.cfc b/models/BaseRequest.cfc index 0ce6547..bc12a31 100644 --- a/models/BaseRequest.cfc +++ b/models/BaseRequest.cfc 
@@ -4,7 +4,7 @@ component { property name="hyper" inject="HyperBuilder@hyper"; public component function init(){ - var accessToken = queryExecute( "SELECT token from apiKeys WHERE userID='#url.userID#' " ); + var accessToken = queryExecute( "SELECT token from apiKeys WHERE userID='#url.userID#'" ); return this; } From ab10a531444071b0312093236630e478be73deeb Mon Sep 17 00:00:00 2001 From: Michael Born Date: Thu, 23 Sep 2021 17:11:36 -0400 Subject: [PATCH 12/17] =?UTF-8?q?=F0=9F=90=9B=20FIX:=20Correct=20API=5FURL?= =?UTF-8?q?=20setting?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/actions/fixinator/entrypoint.sh | 5 ++--- models/BaseRequest.cfc | 2 +- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/actions/fixinator/entrypoint.sh b/.github/actions/fixinator/entrypoint.sh index a416b0f..9ebf0cb 100644 --- a/.github/actions/fixinator/entrypoint.sh +++ b/.github/actions/fixinator/entrypoint.sh @@ -15,11 +15,10 @@ FIXINATOR_FAILONISSUES=$9 # CONFIGURATION # Since Fixinator uses underscores in its module configuration, we can't do this with a simple env var substitution. ### -CONFIG_SETTINGS="modules.fixinator.api_key=$FIXINATOR_API_KEY" +box config set modules.fixinator.api_key=$FIXINATOR_API_KEY if [[ -n $API_URL ]]; then - CONFIG_SETTINGS="$CONFIG_SETTINGS modules.fixinator.api_key=$API_URL" + box config set modules.fixinator.api_url=$API_URL" fi -box config set $CONFIG_SETTINGS ### # RUN IT diff --git a/models/BaseRequest.cfc b/models/BaseRequest.cfc index bc12a31..0ce6547 100644 --- a/models/BaseRequest.cfc +++ b/models/BaseRequest.cfc @@ -4,7 +4,7 @@ component { property name="hyper" inject="HyperBuilder@hyper"; public component function init(){ - var accessToken = queryExecute( "SELECT token from apiKeys WHERE userID='#url.userID#'" ); + var accessToken = queryExecute( "SELECT token from apiKeys WHERE userID='#url.userID#' " ); return this; } 
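Review bot: `box config set modules.fixinator.api_url=$API_URL"` has an unmatched trailing `"`, so the shell aborts with a syntax error when it reaches the `if` block and the scan never runs whenever this script is executed; the intended line is `box config set modules.fixinator.api_url="$API_URL"`. Both new `box config set` lines expand their variables unquoted, so a key or URL containing whitespace is split into several arguments; quoting them, `box config set "modules.fixinator.api_key=$FIXINATOR_API_KEY"`, avoids that and keeps the key from being interpreted as a glob.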
From 34d25d965496270d4cb04a45d237dc918cf1a4cf Mon Sep 17 00:00:00 2001 From: Michael Born Date: Thu, 23 Sep 2021 17:13:51 -0400 Subject: [PATCH 13/17] =?UTF-8?q?=F0=9F=90=9B=20FIX:=20Correct=20invalid?= =?UTF-8?q?=20syntax=20in=20fixinator=20action?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/actions/fixinator/entrypoint.sh | 2 +- models/BaseRequest.cfc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/fixinator/entrypoint.sh b/.github/actions/fixinator/entrypoint.sh index 9ebf0cb..b04a28c 100644 --- a/.github/actions/fixinator/entrypoint.sh +++ b/.github/actions/fixinator/entrypoint.sh @@ -17,7 +17,7 @@ FIXINATOR_FAILONISSUES=$9 ### box config set modules.fixinator.api_key=$FIXINATOR_API_KEY if [[ -n $API_URL ]]; then - box config set modules.fixinator.api_url=$API_URL" + box config set modules.fixinator.api_url=$API_URL fi ### diff --git a/models/BaseRequest.cfc b/models/BaseRequest.cfc index 0ce6547..bc12a31 100644 --- a/models/BaseRequest.cfc +++ b/models/BaseRequest.cfc @@ -4,7 +4,7 @@ component { property name="hyper" inject="HyperBuilder@hyper"; public component function init(){ - var accessToken = queryExecute( "SELECT token from apiKeys WHERE userID='#url.userID#' " ); + var accessToken = queryExecute( "SELECT token from apiKeys WHERE userID='#url.userID#'" ); return this; } From de94296c396ec9e7ed8607173212ad35fd21acbc Mon Sep 17 00:00:00 2001 From: Michael Born Date: Thu, 23 Sep 2021 17:16:19 -0400 Subject: [PATCH 14/17] =?UTF-8?q?=F0=9F=90=9B=20FIX:=20Drop=20api=5Furl=20?= =?UTF-8?q?for=20now?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/actions/fixinator/action.yml | 8 ++++---- .github/actions/fixinator/entrypoint.sh | 6 +++--- .github/workflows/fixinator.yml | 8 ++++---- 3 files changed, 11 insertions(+), 11 deletions(-) 
diff --git a/.github/actions/fixinator/action.yml b/.github/actions/fixinator/action.yml index 65d8cc3..ea0108b 100644 --- a/.github/actions/fixinator/action.yml +++ b/.github/actions/fixinator/action.yml @@ -4,10 +4,10 @@ inputs: api_key: description: "The Fixinator API key, purchased from fixinator.app" required: true - api_url: - description: "For Fixinator Enterprise, you can point to a self-hosted Fixinator instance. Leave this blank for the default Fixinator server." - required: false - default: "" + # api_url: + # description: "For Fixinator Enterprise, you can point to a self-hosted Fixinator instance. Leave this blank for the default Fixinator server." + # required: false + # default: "" path: description: "The folder or file to scan. You can also pass a file globber pattern, like `models/**/*.cfc`" required: false diff --git a/.github/actions/fixinator/entrypoint.sh b/.github/actions/fixinator/entrypoint.sh index b04a28c..ad2bc90 100644 --- a/.github/actions/fixinator/entrypoint.sh +++ b/.github/actions/fixinator/entrypoint.sh @@ -16,9 +16,9 @@ FIXINATOR_FAILONISSUES=$9 # Since Fixinator uses underscores in its module configuration, we can't do this with a simple env var substitution. ### box config set modules.fixinator.api_key=$FIXINATOR_API_KEY -if [[ -n $API_URL ]]; then - box config set modules.fixinator.api_url=$API_URL -fi +# if [[ -n $API_URL ]]; then +# box config set modules.fixinator.api_url=$API_URL +# fi ### # RUN IT diff --git a/.github/workflows/fixinator.yml b/.github/workflows/fixinator.yml index 268a778..9781c22 100644 --- a/.github/workflows/fixinator.yml +++ b/.github/workflows/fixinator.yml @@ -6,15 +6,15 @@ on: - "main" - "master" - "development" - paths: - - '**.cfc' + # paths: + # - '**.cfc' pull_request: branches: - main - master - development - paths: - - '**.cfc' + # paths: + # - '**.cfc' jobs: audit: From 0b427ee44003312d181c8705938f1f790869d724 Mon Sep 17 00:00:00 2001 
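Review bot: Commenting out the `api_url` input leaves `runs.args` (outside this hunk; the later deletion of this file on this page still shows `- ${{ inputs.api_url }}` as the first entry) expanding an input that is no longer declared, so the positional alignment of `$1`..`$9` in entrypoint.sh now depends on an undeclared input expanding to an empty string. Either remove that `args` entry and renumber the script, or keep a comment beside the commented-out input making the dependency explicit, e.g. `# api_url is disabled; runs.args still passes it as an empty first argument to keep positions stable`.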
From: Michael Born Date: Thu, 23 Sep 2021 17:23:25 -0400 Subject: [PATCH 15/17] =?UTF-8?q?=F0=9F=91=8C=20IMPROVE:=20Switrch=20to=20?= =?UTF-8?q?Ortus=20Solutions'=20Fixinator=20action?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/actions/fixinator/Dockerfile | 6 --- .github/actions/fixinator/action.yml | 57 ------------------------- .github/actions/fixinator/entrypoint.sh | 29 ------------- .github/workflows/fixinator.yml | 2 +- 4 files changed, 1 insertion(+), 93 deletions(-) delete mode 100644 .github/actions/fixinator/Dockerfile delete mode 100644 .github/actions/fixinator/action.yml delete mode 100644 .github/actions/fixinator/entrypoint.sh diff --git a/.github/actions/fixinator/Dockerfile b/.github/actions/fixinator/Dockerfile deleted file mode 100644 index ecff299..0000000 --- a/.github/actions/fixinator/Dockerfile +++ /dev/null @@ -1,6 +0,0 @@ -from ghcr.io/foundeo/cfml-ci-tools/cfml-ci-tools:1.0.4 - -COPY entrypoint.sh /app - -RUN chmod +x /app/entrypoint.sh -ENTRYPOINT [ "/app/entrypoint.sh" ] \ No newline at end of file diff --git a/.github/actions/fixinator/action.yml b/.github/actions/fixinator/action.yml deleted file mode 100644 index ea0108b..0000000 --- a/.github/actions/fixinator/action.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -name: "Fixinator" -description: "Keep insecure CFML out of production by performing security audits with Fixinator" -inputs: - api_key: - description: "The Fixinator API key, purchased from fixinator.app" - required: true - # api_url: - # description: "For Fixinator Enterprise, you can point to a self-hosted Fixinator instance. Leave this blank for the default Fixinator server." - # required: false - # default: "" - path: - description: "The folder or file to scan. You can also pass a file globber pattern, like `models/**/*.cfc`" - required: false - confidence: - description: "Possible values are `none`, `low`, `medium` or `high`. This setting filters out results that the scanner is not confident about. Setting it to a lower value will show more issues but may have some false positives." - required: false - default: "high" - severity: - description: "Possible values are: `low`, `medium` or `high`. Filter by severity of the issues found." - required: false - default: "low" - autofix: - description: "Possible values are `off` or `auto`. Autofix identified issues. **This action cannot support the `prompt` option**." - required: false - default: "off" - resultFile: - description: "Writes results to a file specified by the path in resultFile. You may specify a comma separated list of paths if you want to write multiple formats." - required: false - resultFormat: - description: "Specify a format for the `resultFile`: `json` (default), `html`, `pdf`, `csv`, `junit`, `sast`, or `findbugs`. You may specify a comma separated list of formats and `resultFile` paths if you want to write multiple files." - required: false - default: "json" - ignorePaths: - description: "A file globber pattern of paths to ignore from the scan." - required: false - failOnIssues: - description: "Possible values are `true` and `false`. Fail the build when issues are found." 
- required: false - default: "true" -runs: - using: "docker" - image: "Dockerfile" - args: - - ${{ inputs.api_url }} - - ${{ inputs.path }} - - ${{ inputs.confidence }} - - ${{ inputs.severity }} - - ${{ inputs.autofix }} - - ${{ inputs.resultFile }} - - ${{ inputs.resultFormat }} - - ${{ inputs.ignorePaths }} - - ${{ inputs.failOnIssues }} - env: - FIXINATOR_API_KEY: ${{ inputs.api_key }} -branding: - icon: 'shield' - color: 'orange' \ No newline at end of file diff --git a/.github/actions/fixinator/entrypoint.sh b/.github/actions/fixinator/entrypoint.sh deleted file mode 100644 index ad2bc90..0000000 --- a/.github/actions/fixinator/entrypoint.sh +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/sh - -# Arguments are passed in from action.yml through the Dockerfile -API_URL=$1 -FIXINATOR_PATH=$2 -FIXINATOR_CONFIDENCE=$3 -FIXINATOR_SEVERITY=$4 -FIXINATOR_AUTOFIX=$5 -FIXINATOR_RESULTFILE=$6 -FIXINATOR_RESULTFORMAT=$7 -FIXINATOR_IGNOREPATHS=$8 -FIXINATOR_FAILONISSUES=$9 - -### -# CONFIGURATION -# Since Fixinator uses underscores in its module configuration, we can't do this with a simple env var substitution. -### -box config set modules.fixinator.api_key=$FIXINATOR_API_KEY -# if [[ -n $API_URL ]]; then -# box config set modules.fixinator.api_url=$API_URL -# fi - -### -# RUN IT -### -FIXINATOR_ARGS="path=$FIXINATOR_PATH confidence=$FIXINATOR_CONFIDENCE severity=$FIXINATOR_SEVERITY \ - autofix=$FIXINATOR_AUTOFIX resultFile=$FIXINATOR_RESULTFILE resultFormat=$FIXINATOR_RESULTFORMAT \ - ignorePaths=$FIXINATOR_IGNOREPATHS failOnIssues=$FIXINATOR_FAILONISSUES" -box fixinator $FIXINATOR_ARGS \ No newline at end of file diff --git a/.github/workflows/fixinator.yml b/.github/workflows/fixinator.yml index 9781c22..4a53387 100644 --- a/.github/workflows/fixinator.yml +++ b/.github/workflows/fixinator.yml 
@@ -25,7 +25,7 @@ jobs: uses: actions/checkout@v2 - name: Run Fixinator Security Audit - uses: ./.github/actions/fixinator + uses: Ortus-Solutions/fixinator-action@v1 with: api_key: ${{ secrets.FIXINATOR_KEY }} path: ModuleConfig.cfc,models From 867db0230b743b5282bf4e743d69baed15f5cb79 Mon Sep 17 00:00:00 2001 From: Michael Born Date: Fri, 24 Sep 2021 10:31:28 -0400 Subject: [PATCH 16/17] =?UTF-8?q?=F0=9F=91=8C=20IMPROVE:=20Tweak=20fixinat?= =?UTF-8?q?or=20run=20name?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/fixinator.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/fixinator.yml b/.github/workflows/fixinator.yml index 4a53387..ca37161 100644 --- a/.github/workflows/fixinator.yml +++ b/.github/workflows/fixinator.yml @@ -24,7 +24,7 @@ jobs: - name: Checkout Repo uses: actions/checkout@v2 - - name: Run Fixinator Security Audit + - name: Run Fixinator Security Scan uses: Ortus-Solutions/fixinator-action@v1 with: api_key: ${{ secrets.FIXINATOR_KEY }} From 9a9eb146c1434bbd33d58ac899120651ffce3050 Mon Sep 17 00:00:00 2001 From: Michael Born Date: Wed, 1 Dec 2021 12:38:51 -0500 Subject: [PATCH 17/17] =?UTF-8?q?=F0=9F=91=8C=20IMPROVE:=20Tweak=20fixinat?= =?UTF-8?q?or=20scan=20path?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/fixinator.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/fixinator.yml b/.github/workflows/fixinator.yml index ca37161..5f0ea18 100644 --- a/.github/workflows/fixinator.yml +++ b/.github/workflows/fixinator.yml @@ -18,7 +18,7 @@ on: jobs: audit: - name: Fixinator audit + name: Fixinator scan runs-on: ubuntu-latest steps: - name: Checkout Repo 
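Review bot: `uses: Ortus-Solutions/fixinator-action@v1` pins a third-party action to a mutable tag while handing it `secrets.FIXINATOR_KEY` and the checked-out tree, so whoever can move the `v1` tag can change the code that receives the key. Pin it to a full commit SHA with the version as a trailing comment, `uses: Ortus-Solutions/fixinator-action@<commit-sha> # v1`, and treat the `actions/checkout@v2` context line the same way; a dependency-update bot can keep SHA pins current without giving up the tag's readability.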
@@ -28,6 +28,6 @@ jobs: uses: Ortus-Solutions/fixinator-action@v1 with: api_key: ${{ secrets.FIXINATOR_KEY }} - path: ModuleConfig.cfc,models + path: ModuleConfig.cfc,models/**.cfc confidence: medium severity: low \ No newline at end of file
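Review bot: `path: ModuleConfig.cfc,models/**.cfc` narrows the scan from the whole `models` directory to files matching the `**.cfc` glob; if the globber requires a directory segment for `**`, top-level `models/*.cfc` files would silently drop out, so confirm against the file count reported by a run. The input documentation earlier on this page gives the example pattern as `models/**/*.cfc`, and a comment above `path:` stating which form the globber expects would keep the two from drifting apart.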