Add some fixes for security vulnerabilities #40
Merged
Conversation
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Escape database-sourced content before rendering in HTML reports to prevent XSS attacks. Database content from ACPI tables, BIOS strings, kernel logs, and power rail labels is now properly escaped using html.escape() before being incorporated into HTML output. Changes: - Add HTML escaping to get_cycle_data() for cycle data and debug messages - Add HTML escaping to get_prereq_data() for prerequisite debug messages - Add HTML escaping to power rail summary data - Use markupsafe.Markup to mark pre-escaped HTML as safe Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Enable autoescape=True when creating the Jinja2 Environment to automatically escape all template variables by default. This provides defense-in-depth protection against XSS attacks from database-sourced content rendered in HTML reports. Variables that contain pre-escaped HTML (constructed with html.escape() and wrapped in Markup()) are correctly preserved and not double-escaped. This complements the manual escaping added in the previous commit by ensuring that any template variables not explicitly handled are still safely escaped. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Prevent symlink attacks when creating log directories and files as root via sudo. An attacker could create a symlink at ~/.local/share/amd-debug-tools or set XDG_DATA_HOME to point to a symlink, causing root to chown arbitrary files when the tool is run with sudo. Changes: - Check if log directory path is a symlink before and after creation - Use os.lchown() instead of os.chown() to avoid following symlinks - Use os.open() with O_NOFOLLOW when creating log files - Fall back to /dev/null if a safe log directory cannot be created - Verify existing log files are not symlinks before using them This prevents local privilege escalation where an attacker could: 1. Create symlink at ~/.local/share/amd-debug-tools -> /etc 2. Run the tool with sudo 3. Have root chown /etc to the attacker's UID Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #40 +/- ##
==========================================
- Coverage 85.60% 85.19% -0.42%
==========================================
Files 36 36
Lines 8073 8119 +46
Branches 759 766 +7
==========================================
+ Hits 6911 6917 +6
- Misses 940 980 +40
Partials 222 222 ☔ View full report in Codecov by Sentry. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.