address security findings (#875)

* Address security findings * javascript/InsecureHash * python/Ssrf --------- Signed-off-by: Richard Gebhardt <[email protected]>
ansible · Mar 26, 2024 · 89521a4 · 89521a4 · github-actions · Mar 26, 2024
1 parent 586a06a
commit 89521a4
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 4 deletions.
diff --git a/ansible_wisdom_console_react/config/webpack/persistentCache/createEnvironmentHash.js b/ansible_wisdom_console_react/config/webpack/persistentCache/createEnvironmentHash.js
@@ -2,7 +2,7 @@
 const { createHash } = require("crypto");
 
 module.exports = (env) => {
-  const hash = createHash("md5");
+  const hash = createHash("sha256");
   hash.update(JSON.stringify(env));
 
   return hash.digest("hex");

diff --git a/tools/authz/validate_ams.py b/tools/authz/validate_ams.py
@@ -2,11 +2,21 @@
 # NOTE: require the sso.stage credentials
 
 import os
+import re
 from datetime import datetime, timedelta
 from http import HTTPStatus
+from urllib.error import URLError
+from urllib.parse import urlsplit, urlunsplit
 
 import requests
 
+AUTHZ_SSO_PATTERN = r"^sso.(.+\.)?redhat.com$"
+AUTHZ_API_PATTERN = r"^api.(.+\.)?openshift.com$"
+
+
+class AuthzURLError(URLError):
+    pass
+
 
 class Token:
     def __init__(self, client_id, client_secret) -> None:
@@ -23,11 +33,22 @@ def refresh(self) -> None:
             "scope": "api.iam.access",
         }
 
+        url = urlsplit(os.environ['AUTHZ_SSO_SERVER'])
+        url = url._replace(path="/auth/realms/redhat-external/protocol/openid-connect/token")
+
+        if not re.search(AUTHZ_SSO_PATTERN, url.netloc):
+            raise AuthzURLError(
+                f"Authz SSO URL host ('{url.netloc}') must match '{AUTHZ_SSO_PATTERN}'"
+            )
+
+        if url.scheme != "https":
+            raise AuthzURLError(f"Authz SSO URL scheme ('{url.scheme}') must be 'https'")
+
         r = requests.post(
-            os.environ['AUTHZ_SSO_SERVER']
-            + "/auth/realms/redhat-external/protocol/openid-connect/token",
+            urlunsplit(url),
             data=data,
         )
+
         data = r.json()
         self.access_token = data["access_token"]
         expires_in = data["expires_in"]
@@ -45,8 +66,17 @@ def get(self) -> str:
 def get_ams_org(rh_org_id: int) -> str:
     params = {"search": f"external_id='{rh_org_id}'"}
 
+    url = urlsplit(os.environ['AUTHZ_API_SERVER'])
+    url = url._replace(path="/api/accounts_mgmt/v1/organizations")
+
+    if not re.search(AUTHZ_API_PATTERN, url.netloc):
+        raise AuthzURLError(f"Authz API URL host ('{url.netloc}') must match '{AUTHZ_API_PATTERN}'")
+
+    if url.scheme != "https":
+        raise AuthzURLError(f"Authz API URL scheme ('{url.scheme}') must be 'https'")
+
     r = requests.get(
-        f"{os.environ['AUTHZ_API_SERVER']}/api/accounts_mgmt/v1/organizations",
+        urlunsplit(url),
         headers={
             "Content-Type": "application/json",
             "Authorization": f"Bearer {my_token.get()}",