mdllife / mdl
MDL Talent Hub
Home Page: http://MDL.life
https://travis-ci.org/MDLlife/MDL/jobs/349165205
--- FAIL: TestFromString (0.00s)
--- FAIL: TestFromString/MDL (0.00s)
Error Trace: droplet_test.go:124
Error: Not equal:
expected: &errors.errorString{s:"can't convert 100MDL to decimal"}
actual: &errors.errorString{s:"can't convert MDL to decimal"}
Diff:
--- Expected
+++ Actual
@@ -1,2 +1,2 @@
-(*errors.errorString)(can't convert 100MDL to decimal)
+(*errors.errorString)(can't convert MDL to decimal)
FAIL
FAIL github.com/MDLlife/MDL/src/util/droplet 0.006s
Probably not a lot of risk here since it looks like the data is currently coming from a config file, but still a good idea to sanitize host before passing it on through the application.
cmd/mdl/mdl.go
// Run starts the mdl node
func Run(c *Config) {
	[........]
	host := fmt.Sprintf("%s:%d", c.WebInterfaceAddr, c.WebInterfacePort)
	fullAddress := fmt.Sprintf("%s://%s", scheme, host)
	[........]
	if c.LaunchBrowser {
		wg.Add(1)
		go func() {
			defer wg.Done()
			// Wait a moment just to make sure the http interface is up
			time.Sleep(time.Millisecond * 100)
			logger.Info("Launching System Browser with %s", fullAddress)
			if err := browser.Open(fullAddress); err != nil { // HERE
				logger.Error(err.Error())
				return
			}
		}()
	}
browser.Open() basically maps to https://github.com/toqueteos/webbrowser/blob/master/webbrowser.go where it doesn't ensure that params passed to it only contain host-looking characters, e.g. alphanumeric only. It just executes them as a command where special characters could be injected and execute arbitrary commands.
func (b browserCommand) Command(s string) (*exec.Cmd, error) {
	u, err := url.Parse(s)
	if err != nil {
		return nil, err
	}
	validUrl := ensureValidURL(u)
	b.args = append(b.args, validUrl)
	return exec.Command(b.cmd, b.args...), nil
}
Easiest solution here is just sanitize host and strip all non-alphanumeric (maybe allow -'s though) characters from it before passing it on to be used in the application.
References:
https://www.owasp.org/index.php/Data_Validation#Sanitize_with_Whitelist
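One way to apply the allowlist suggested in this issue before the host is formatted into the URL handed to browser.Open. This is an added example, not code from the MDL project; the function name SafeHostPort, the hostname policy (alphanumeric labels, internal hyphens, dots) and the sample port are assumptions. It rejects bad values instead of stripping characters, so a malformed config fails loudly rather than being silently rewritten, and it handles IP literals (including IPv6 bracketing) via net.JoinHostPort.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
	"strconv"
)

// hostnameRe is the assumed allowlist for WebInterfaceAddr when it is not an
// IP literal: DNS-style labels of [A-Za-z0-9-], joined by dots, no leading or
// trailing hyphen in a label. Shell metacharacters can never match.
var hostnameRe = regexp.MustCompile(
	`^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$`)

// SafeHostPort validates addr and port and returns a "host:port" string that
// is safe to embed in fullAddress. Anything outside the allowlist is an error.
func SafeHostPort(addr string, port int) (string, error) {
	if port < 1 || port > 65535 {
		return "", fmt.Errorf("invalid web interface port %d", port)
	}
	if ip := net.ParseIP(addr); ip != nil {
		// IP literal: JoinHostPort adds [] around IPv6 addresses.
		return net.JoinHostPort(ip.String(), strconv.Itoa(port)), nil
	}
	if !hostnameRe.MatchString(addr) {
		return "", errors.New("web interface address contains characters outside [A-Za-z0-9.-]")
	}
	return net.JoinHostPort(addr, strconv.Itoa(port)), nil
}

func main() {
	// Constructed sample inputs: two valid values, two that must be rejected.
	for _, addr := range []string{"127.0.0.1", "::1", "localhost;echo", "local host"} {
		h, err := SafeHostPort(addr, 8320) // 8320 is a sample port, not MDL's default
		fmt.Printf("%q -> %q (err: %v)\n", addr, h, err)
	}
}
```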
Windows wallet told me that an update is available, but gave no link to download it!
cmd/mdl/mdl.go
// init logging settings
func initLogging(dataDir string, level string, color, logtofile bool) (func(), error) {
	[.......]
	// open log file
	tf := "2006-01-02-030405"
	logfile := filepath.Join(logDir,
		fmt.Sprintf("%s-v%s.log", time.Now().Format(tf), Version))
	var err error
	fd, err = os.OpenFile(logfile, os.O_RDWR|os.O_CREATE, 0666) // HERE
The permissions should be ideally 0600 (owner r/w) or 0640 (owner r/w, group read) max, otherwise the file is open to everyone to read and write to it which is not great from a security point of view.