Vulnerability

"APPS PLAID" uses as its base Docker image php:5.6-apache-jessie.

Debian Linux jessie reached end-of-life on 2018-06-17 and end of long-term support on 2020-06-30. It has received no security updates since then.

PHP 5.6 reached end of life on 2019-01-01 and has no long-term support. It has received no security updates since then.

Upgrading the base image of "APPS PLAID" is strenuously recommended.

Software Version

main

in the README.md ?

https://pds.nasa.gov/datastandards/dictionaries/

Current implementation

#15 will be implemented using a temporary solution where all discipline LDDs and the PDS common namespace are all in one uber JSON.

Proposed improvement

For a more refined solution, we would like to have each discipline LDD have its own JSON, and PLAID will parse that JSON for a new namespaces key to determine all dependent namespaces for the LDD, and load those other JSONs as appropriate.

Per this improvement to LDDTool, generated LDDs now contain this new key. See attached for the CART LDD: PDS4_CART_1G00_1950.JSON.txt

From this example you can see the new namespaces key:

[
  {
    "dataDictionary": {
      "Title": "PDS4 Data Dictionary" ,
      "Version": "1.16.0.0" ,
      "Date": "Tue Jan 19 19:36:45 PST 2021" ,
      "Description": "This document is a dump of the contents of the PDS4 Data Dictionary" ,
      "namespaces": ["pds:", "geom:", "cart:"] ,
      "classDictionary": [
...

PLAID should use this to then go through the other JSON files and parse each of those namespaces

Per #4, some LDDs are missing from web page. Update to include those.

Current list of discipline LDDs:

./proc
./sp
./img_surface
./nucspec
./msn
./img
./geom
./speclib
./msss_cam_mh
./disp
./cart
./msn_surface
./rings
./survey

Current User Guide is not very helpful and trail and error is necessary to figure out how to use the software. Improvements and/or tutorials would better help onboard new users.

Per January tag-up, here is the plan to fix these issues:

• PDS4 IM versions 1.14.0.0 and earlier - LDDs are not organized. Grab all dictionaries, use the latest
• PDS4 IM versions 1.15.0.0 and on - group by IM version. Once a user selects an IM version, we have a specific subset of discipline LDDs

@jeffyuhaoliu identified an issue with the JSON including all dependencies. near term solution: have @jshughes create on uber JSON with all LDDs in it. future solution: JSON output for each dLDD will contain all dependent LDDs

📖 Additional Details

• See PR here for initial version of docs: #29
• Per this comment, we need to update the Docker deployment and procedures to use publicly available images

⚖️ Acceptance Criteria

Given a desire to deploy PLAID
When I perform the procedure described here (link TBD) to deploy using docker containers for dev purposes
Then I expect to be able to spin up PLAID and run in a dev environment

Given a desire to deploy PLAID
When I perform the procedure described here (link TBD) to deploy using docker containers for ops purposes (includes instructions for necessary HTTP proxying, file system mounting, etc)
Then I expect to be able to spin up PLAID and run in a dev environment

Vulnerability

In 9 places in the PLAID source code, call_user_func and call_user_func_array appear. In at least 3 of those locations, the first argument (the name of the function to call) is passed in from the HTTP client; for example:

if(isset($_POST['Function'])){
    $DOC = readInXML(getLabelXML());
    call_user_func($_POST['Function'], $_POST['Data']);
}

No checking is performed before making this call. A client could construct a specially formulated POST payload to execute an arbitrary PHP function with an arbitrary argument, such as system with rm -rf /. As a proof of concept, I was able to execute phpinfo() as well as pcntl_exec().

Software Version

main as of 2022-01-04.

💪 Motivation

...so that we can publish and track release and tags.

📖 Additional Details

⚖️ Acceptance Criteria

Given
When I perform
Then I expect

⚙️ Engineering Details

Came across issues with trying to upgrade some LDDs. Need to test and debug where the issues are.

Determine if these customizations in PLAID will cause significant overhead in the future

🐛 Describe the bug

Whenever I try to create a product not Observational (e.g. Document, Context, etc.), the software tries to drop this into Product_Observational and it does not work.

Minimal support should include:
See https://pds.nasa.gov/datastandards/documents/im/v1/index_1G00.html#class_pds_observation_area for:

• Product_Observational

See https://pds.nasa.gov/datastandards/documents/im/v1/index_1G00.html#class_pds_context_area for:

• Product_Context
• Product_Document
• Product_Collection
• Product_Bundle

Hi there,

I've just taken PLAID for a spin at it seems to be a really nifty tool. However, I am wondering whether there are plans to update PLAID to support v1.13 of the information model? If not, could you provide a rough estimate of the work required to complete such work?

All the best,
Ariel Ladegaard

💪 Motivation

So that I can more effectively containerize, open-sourcerize, and otherwise whip APPS PLAID into shape (especially with regard to how #30 is growing in scope), it would be great to see exception and error condition details.

📖 Additional Details

In eight different locations (and perhaps more) in the APPS PLAID code, there are lines like these:

} catch (PDOException $ed) {
    //print($ex->getMessage()); // Don't print any error message, for security reasons
    return true;
}

That makes debugging APPS PLAID about 43× more difficult.

I get that PHP is awful and sort of insecure by default but there probably is some way to at least write exception details to the server log without it also going to the HTTP client.

⚖️ Acceptance Criteria

Given an exceptional condition
When I perform viewing the server log via docker-compose logs plaid
Then I expect to see stack traces or other exception data

⚙️ Engineering Details

Motivation

... so that I can quickly spot check test that the new version worked.

Draft checklist

• Verify new IM version appears on "create" page
• Spot check 1+ changes to the new IM version appears in the PDS common portion of the workflow
• Verify all new LDD versions appear on Discipline Dictonaries tab of the workflow
• Spot check 1+ changes to 1+ LDDs appear in the LDD portion of the workflow

TBD if this is still an issue. Follow up with Carol Neese for more details.

• EN to test deployment of PLAID to Staging (/tools/plaid)
• EN deploy to Production
  • deploy to production
  • export from PLAID.jpl.nasa.gov and import to production
  • redirect plaid.jpl.nasa.gov to pds.nasa.gov/tools/plaid

We need a procedure for how to deploy PLAID to plaid.jpl.nasa.gov OR just simply the installation and deployment instructions if they differ at all in production versus test regarding MySQL / Docker / etc. and we can forward plaid.jpl.nasa.gov to something like pds.nasa.gov/tools/plaid