@cyclonedx/cdxgen 12.1.2 → 12.1.4

package/lib/server/server.js

@@ -66,6 +66,19 @@ app.use(
 );
 app.use(compression());
 
+/**
+ * Return git allow protocol string from the environment variables.
+ *
+ * @returns {string} git allow protocol string
+ */
+function getGitAllowProtocol() {
+  return (
+    process.env.GIT_ALLOW_PROTOCOL ||
+    process.env.CDXGEN_SERVER_GIT_ALLOW_PROTOCOL ||
+    (isSecureMode ? "https:ssh" : "https:git:ssh")
+  );
+}
+
 /**
  * Checks the given hostname against the allowed list.
  *
@@ -152,13 +165,104 @@ export function isAllowedPath(p) {
   }
   return (process.env.CDXGEN_SERVER_ALLOWED_PATHS || "")
     .split(",")
-    .some((ap) => p.startsWith(ap));
+    .filter(Boolean)
+    .some((ap) => {
+      const resolvedP = path.resolve(p);
+      const resolvedAp = path.resolve(ap);
+      const relativePath = path.relative(resolvedAp, resolvedP);
+      return (
+        relativePath === "" ||
+        (!relativePath.startsWith("..") && !path.isAbsolute(relativePath))
+      );
+    });
+}
+
+/**
+ * Determine if the file path could be a remote URL.
+ *
+ * @param {string} filePath The Git URL or local path
+ * @returns {Boolean} True if the file path is a remote URL. false otherwise.
+ */
+export function maybeRemotePath(filePath) {
+  return /^[a-zA-Z0-9+.-]+:\/\//.test(filePath) || filePath.startsWith("git@");
+}
+
+/**
+ * Validates a given Git URL/Path against dangerous protocols and allowed hosts.
+ *
+ * @param {string} filePath The Git URL or local path
+ * @returns {Object|null} Error object if invalid, or null if valid
+ */
+export function validateAndRejectGitSource(filePath) {
+  if (/^(ext|fd)::/i.test(filePath)) {
+    return {
+      status: 400,
+      error: "Invalid Protocol",
+      details: "The provided protocol is not allowed.",
+    };
+  }
+  if (maybeRemotePath(filePath)) {
+    let gitUrlObj;
+    try {
+      let urlToParse = filePath;
+      if (filePath.startsWith("git@") && !filePath.includes("://")) {
+        urlToParse = `ssh://${filePath.replace(":", "/")}`;
+      }
+      gitUrlObj = new URL(urlToParse);
+    } catch (_err) {
+      return {
+        status: 400,
+        error: "Invalid URL Format",
+        details: "The provided Git URL is malformed.",
+      };
+    }
+    const gitAllowProtocol = getGitAllowProtocol();
+    const allowedSchemes = gitAllowProtocol
+      .split(":")
+      .filter(Boolean)
+      .map((p) => `${p.toLowerCase()}:`);
+
+    if (
+      allowedSchemes.includes("ssh:") &&
+      !allowedSchemes.includes("git+ssh:")
+    ) {
+      allowedSchemes.push("git+ssh:");
+    }
+
+    if (!allowedSchemes.includes(gitUrlObj.protocol)) {
+      return {
+        status: 400,
+        error: "Protocol Not Allowed",
+        details: `The protocol '${gitUrlObj.protocol}' is not permitted by GIT_ALLOW_PROTOCOL.`,
+      };
+    }
+
+    if (gitUrlObj.href.includes("::")) {
+      return {
+        status: 400,
+        error: "Invalid URL Syntax",
+        details: "Git remote helper syntax (::) is not allowed.",
+      };
+    }
+
+    if (!isAllowedHost(gitUrlObj.hostname)) {
+      return {
+        status: 403,
+        error: "Host Not Allowed",
+        details: "The Git URL host is not allowed as per the allowlist.",
+      };
+    }
+  }
+
+  return null;
 }
 
 function gitClone(repoUrl, branch = null) {
-  const tempDir = fs.mkdtempSync(
-    path.join(getTmpDir(), path.basename(repoUrl)),
-  );
+  let baseDirName = path.basename(repoUrl);
+  if (!/^[a-zA-Z0-9_-]+$/.test(baseDirName)) {
+    baseDirName = "repo-";
+  }
+  const tempDir = fs.mkdtempSync(path.join(getTmpDir(), baseDirName));
 
   const gitArgs = [
     "-c",
@@ -170,16 +274,30 @@ function gitClone(repoUrl, branch = null) {
     tempDir,
   ];
   if (branch) {
-    const cloneIndex = gitArgs.indexOf("clone");
-    gitArgs.splice(cloneIndex + 1, 0, "--branch", branch);
+    const firstBranchStr = Array.isArray(branch) ? branch[0] : String(branch);
+    if (firstBranchStr.startsWith("-")) {
+      console.log(
+        `Skipping branch clone: invalid branch name ${firstBranchStr}`,
+      );
+    } else {
+      const cloneIndex = gitArgs.indexOf("clone");
+      gitArgs.splice(cloneIndex + 1, 0, "--branch", firstBranchStr);
+    }
   }
   console.log(
     `Cloning Repo${branch ? ` with branch ${branch}` : ""} to ${tempDir}`,
   );
+  const gitAllowProtocol = getGitAllowProtocol();
   // See issue #1956
   const env = isSecureMode
-    ? { ...process.env, GIT_CONFIG_NOSYSTEM: "1", GIT_CONFIG_NOGLOBAL: "1" }
-    : { ...process.env };
+    ? {
+        ...process.env,
+        GIT_CONFIG_NOSYSTEM: "1",
+        GIT_CONFIG_NOGLOBAL: "1",
+        GIT_ALLOW_PROTOCOL: gitAllowProtocol,
+      }
+    : { ...process.env, GIT_ALLOW_PROTOCOL: gitAllowProtocol };
+
   const result = safeSpawnSync("git", gitArgs, {
     shell: false,
     env,
@@ -352,7 +470,21 @@ const start = (options) => {
   }
   if (!process.env.CDXGEN_SERVER_ALLOWED_HOSTS) {
     console.log(
-      "No allowlist for hosts has been specified. This is a security risk that could expose the system to SSRF vulnerabilities!",
+      "No allowlist for git hosts has been specified. This is a security risk that could expose the system to SSRF vulnerabilities!",
+    );
+    if (isSecureMode) {
+      process.exit(1);
+    }
+  }
+  if (isSecureMode && !process.env.CDXGEN_SERVER_ALLOWED_PATHS) {
+    console.log(
+      "No allowlist for paths has been specified. This is a security risk that could expose the filesystem and internal secrets!",
+    );
+    process.exit(1);
+  }
+  if (/(ext|fd):/i.test(getGitAllowProtocol())) {
+    console.log(
+      "The Git protocols 'ext' and 'fd' are known to be problematic. Allowing those is a security risk that could expose the system to RCE vulnerabilities!",
     );
     if (isSecureMode) {
       process.exit(1);
@@ -406,22 +538,24 @@ const start = (options) => {
         }),
       );
     }
-    let srcDir = filePath;
-    if (filePath.startsWith("http") || filePath.startsWith("git")) {
-      // Validate the hostnames
-      const gitUrlObj = new URL(filePath);
-      if (!isAllowedHost(gitUrlObj.hostname)) {
-        res.writeHead(403, { "Content-Type": "application/json" });
-        return res.end(
-          JSON.stringify({
-            error: "Host Not Allowed",
-            details: "The Git URL host is not allowed as per the allowlist.",
-          }),
-        );
-      }
+    const validationError = validateAndRejectGitSource(filePath);
+    if (validationError) {
+      res.writeHead(validationError.status, {
+        "Content-Type": "application/json",
+      });
+      return res.end(
+        JSON.stringify({
+          error: validationError.error,
+          details: validationError.details,
+        }),
+      );
+    }
+    let srcDir;
+    if (maybeRemotePath(filePath)) {
       srcDir = gitClone(filePath, reqOptions.gitBranch);
       cleanup = true;
     } else {
+      srcDir = filePath;
       if (
         !isAllowedPath(path.resolve(srcDir)) ||
         (isWin && !isAllowedWinPath(srcDir))
@@ -436,18 +570,13 @@ const start = (options) => {
       }
     }
     if (srcDir !== path.resolve(srcDir)) {
-      console.log(
-        `Invoke the API with an absolute path '${path.resolve(srcDir)}' to reduce security risks.`,
+      res.writeHead(500, { "Content-Type": "application/json" });
+      return res.end(
+        JSON.stringify({
+          error: "Absolute path needed",
+          details: "Relative paths are not supported in server mode.",
+        }),
       );
-      if (isSecureMode) {
-        res.writeHead(500, { "Content-Type": "application/json" });
-        return res.end(
-          JSON.stringify({
-            error: "Absolute path needed",
-            details: "Relative paths are not supported in secure mode.",
-          }),
-        );
-      }
     }
     console.log("Generating SBOM for", srcDir);
     let bomNSData = (await createBom(srcDir, reqOptions)) || {};
@@ -498,10 +627,11 @@ const start = (options) => {
       }
     }
     res.end("\n");
-    if (cleanup && srcDir && srcDir.startsWith(getTmpDir()) && fs.rmSync) {
+    if (cleanup && srcDir?.startsWith(getTmpDir()) && fs.rmSync) {
       console.log(`Cleaning up ${srcDir}`);
       fs.rmSync(srcDir, { recursive: true, force: true });
     }
   });
 };
+
 export { configureServer, start };

package/lib/server/server.poku.js

@@ -8,6 +8,7 @@ import {
   isAllowedWinPath,
   parseQueryString,
   parseValue,
+  validateAndRejectGitSource,
 } from "./server.js";
 
 it("parseValue tests", () => {
@@ -129,28 +130,73 @@ describe("isAllowedPath()", () => {
   });
 
   afterEach(() => {
-    process.env.CDXGEN_SERVER_ALLOWED_PATHS = originalPaths;
+    if (originalPaths === undefined) {
+      delete process.env.CDXGEN_SERVER_ALLOWED_PATHS;
+    } else {
+      process.env.CDXGEN_SERVER_ALLOWED_PATHS = originalPaths;
+    }
+  });
+
+  it("returns false for non-string inputs", () => {
+    process.env.CDXGEN_SERVER_ALLOWED_PATHS = "/api";
+    assert.strictEqual(isAllowedPath(null), false);
+    assert.strictEqual(isAllowedPath(123), false);
+    assert.strictEqual(isAllowedPath({}), false);
+    assert.strictEqual(isAllowedPath(undefined), false);
   });
 
   it("returns true if CDXGEN_SERVER_ALLOWED_PATHS is not set", () => {
     delete process.env.CDXGEN_SERVER_ALLOWED_PATHS;
-    assert.deepStrictEqual(isAllowedPath("/any/path"), true);
+    assert.strictEqual(isAllowedPath("/any/path"), true);
   });
 
-  it("returns true for paths that start with an allowed prefix", () => {
+  it("treats an empty-string env var as unset (returns true)", () => {
+    process.env.CDXGEN_SERVER_ALLOWED_PATHS = "";
+    assert.strictEqual(isAllowedPath("/anything"), true);
+  });
+
+  it("returns true for exact directory matches", () => {
     process.env.CDXGEN_SERVER_ALLOWED_PATHS = "/api,/public";
-    assert.deepStrictEqual(isAllowedPath("/api/resource"), true);
-    assert.deepStrictEqual(isAllowedPath("/public/index.html"), true);
+    assert.strictEqual(isAllowedPath("/api"), true);
+    assert.strictEqual(isAllowedPath("/public"), true);
   });
 
-  it("returns false for paths that do not match any prefix", () => {
+  it("returns true for files safely nested inside allowed directories", () => {
     process.env.CDXGEN_SERVER_ALLOWED_PATHS = "/api,/public";
-    assert.deepStrictEqual(isAllowedPath("/private/data"), false);
+    assert.strictEqual(isAllowedPath("/api/resource"), true);
+    assert.strictEqual(isAllowedPath("/public/index.html"), true);
+    assert.strictEqual(isAllowedPath("/public/assets/css/main.css"), true);
   });
 
-  it("treats an empty-string env var as unset (returns true)", () => {
-    process.env.CDXGEN_SERVER_ALLOWED_PATHS = "";
-    assert.deepStrictEqual(isAllowedPath("/anything"), true);
+  it("returns false for completely unrelated paths", () => {
+    process.env.CDXGEN_SERVER_ALLOWED_PATHS = "/api,/public";
+    assert.strictEqual(isAllowedPath("/private/data"), false);
+    assert.strictEqual(isAllowedPath("/etc/passwd"), false);
+  });
+
+  it("prevents directory prefix bypass (e.g., /var/www vs /var/www-secret)", () => {
+    process.env.CDXGEN_SERVER_ALLOWED_PATHS = "/api,/var/www";
+    assert.strictEqual(isAllowedPath("/api-secret/data"), false);
+    assert.strictEqual(isAllowedPath("/api-secret"), false);
+    assert.strictEqual(isAllowedPath("/var/www-backup"), false);
+  });
+
+  it("prevents path traversal attacks using ../", () => {
+    process.env.CDXGEN_SERVER_ALLOWED_PATHS = "/api";
+    assert.strictEqual(isAllowedPath("/api/../private"), false);
+    assert.strictEqual(isAllowedPath("/api/../../etc/passwd"), false);
+  });
+
+  it("allows paths that contain ../ but safely resolve inside the allowed directory", () => {
+    process.env.CDXGEN_SERVER_ALLOWED_PATHS = "/api";
+    assert.strictEqual(isAllowedPath("/api/resource/../data"), true);
+  });
+
+  it("gracefully handles comma-separated lists with empty segments", () => {
+    process.env.CDXGEN_SERVER_ALLOWED_PATHS = "/api,,/public,";
+    assert.strictEqual(isAllowedPath("/api/resource"), true);
+    assert.strictEqual(isAllowedPath("/public/index.html"), true);
+    assert.strictEqual(isAllowedPath("/private/data"), false);
   });
 });
 
@@ -385,3 +431,179 @@ describe("getQueryParams", () => {
     });
   });
 });
+describe("validateGitSource() tests", () => {
+  let originalGitAllow;
+  let originalAllowedHosts;
+
+  beforeEach(() => {
+    originalGitAllow = process.env.CDXGEN_SERVER_GIT_ALLOW_PROTOCOL;
+    originalAllowedHosts = process.env.CDXGEN_SERVER_ALLOWED_HOSTS;
+    delete process.env.CDXGEN_SERVER_GIT_ALLOW_PROTOCOL;
+    delete process.env.CDXGEN_SERVER_ALLOWED_HOSTS;
+  });
+
+  afterEach(() => {
+    if (originalGitAllow)
+      process.env.CDXGEN_SERVER_GIT_ALLOW_PROTOCOL = originalGitAllow;
+    if (originalAllowedHosts)
+      process.env.CDXGEN_SERVER_ALLOWED_HOSTS = originalAllowedHosts;
+  });
+
+  it("should reject ext:: and fd:: outright", () => {
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("ext::sh -c id").error,
+      "Invalid Protocol",
+    );
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("fd::123").error,
+      "Invalid Protocol",
+    );
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("EXT::sh -c id").error,
+      "Invalid Protocol",
+    );
+  });
+
+  it("should allow standard local paths to bypass validation", () => {
+    assert.deepStrictEqual(validateAndRejectGitSource("/tmp/local-path"), null);
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("C:\\Users\\local"),
+      null,
+    );
+  });
+
+  it("should handle ssh git@ format gracefully", () => {
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("git@github.com:foo/bar.git"),
+      null,
+    );
+  });
+
+  it("should reject malformed git URLs", () => {
+    // invalid URL format (can't parse via node's new URL object)
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("http://[:::1]/bad-ipv6").error,
+      "Invalid URL Format",
+    );
+  });
+
+  it("should enforce GIT_ALLOW_PROTOCOL default schemes", () => {
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("https://github.com/repo"),
+      null,
+    );
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("http://github.com/repo"),
+      {
+        status: 400,
+        error: "Protocol Not Allowed",
+        details: "The protocol 'http:' is not permitted by GIT_ALLOW_PROTOCOL.",
+      },
+    );
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("git://github.com/repo"),
+      null,
+    );
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("ssh://github.com/repo"),
+      null,
+    );
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("git+ssh://github.com/repo"),
+      null,
+    );
+
+    // ftp is not allowed by default
+    const res = validateAndRejectGitSource("ftp://github.com/repo");
+    assert.deepStrictEqual(res.error, "Protocol Not Allowed");
+    assert.deepStrictEqual(
+      res.details,
+      "The protocol 'ftp:' is not permitted by GIT_ALLOW_PROTOCOL.",
+    );
+  });
+
+  it("should reject protocol smuggling techniques", () => {
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("git+ext://github.com/repo").error,
+      "Protocol Not Allowed",
+    );
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("http+ext://github.com/repo").error,
+      "Protocol Not Allowed",
+    );
+  });
+
+  it("should respect custom CDXGEN_SERVER_GIT_ALLOW_PROTOCOL configs", () => {
+    process.env.CDXGEN_SERVER_GIT_ALLOW_PROTOCOL = "https:git";
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("https://github.com/repo"),
+      null,
+    );
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("git://github.com/repo"),
+      null,
+    );
+
+    // http is no longer allowed
+    const res = validateAndRejectGitSource("http://github.com/repo");
+    assert.deepStrictEqual(res.error, "Protocol Not Allowed");
+    assert.deepStrictEqual(
+      res.details,
+      "The protocol 'http:' is not permitted by GIT_ALLOW_PROTOCOL.",
+    );
+  });
+
+  it("should reject remote helper syntax (::) inside valid schemes", () => {
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("https://github.com/ext::sh -c id").error,
+      "Invalid URL Syntax",
+    );
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("git://foo::bar/repo").error,
+      "Invalid URL Format",
+    );
+  });
+
+  it("should validate allowed hosts", () => {
+    process.env.CDXGEN_SERVER_ALLOWED_HOSTS = "github.com,gitlab.com";
+    assert.deepStrictEqual(
+      validateAndRejectGitSource("https://github.com/repo"),
+      null,
+    );
+
+    const res = validateAndRejectGitSource("https://evil.com/repo");
+    assert.deepStrictEqual(res.error, "Host Not Allowed");
+    assert.deepStrictEqual(res.status, 403);
+  });
+});
+it("should correctly normalize and validate various git@ (SCP-like) formats", () => {
+  assert.deepStrictEqual(
+    validateAndRejectGitSource("git@gitlab.com:group/project.git"),
+    null,
+  );
+  assert.deepStrictEqual(
+    validateAndRejectGitSource("git@bitbucket.org:workspace/repo:name.git"),
+    null,
+  );
+  assert.deepStrictEqual(
+    validateAndRejectGitSource("git@github.com/user/repo.git"),
+    null,
+  );
+  assert.deepStrictEqual(
+    validateAndRejectGitSource("ssh://git@github.com/user/repo.git"),
+    null,
+  );
+  process.env.CDXGEN_SERVER_ALLOWED_HOSTS = "github.com,bitbucket.org";
+  assert.deepStrictEqual(
+    validateAndRejectGitSource("git@github.com:user/repo.git"),
+    null,
+  );
+  assert.deepStrictEqual(
+    validateAndRejectGitSource("git@bitbucket.org:workspace/repo.git"),
+    null,
+  );
+  const deniedRes = validateAndRejectGitSource("git@evil.com:foo/bar.git");
+  assert.deepStrictEqual(deniedRes.status, 403);
+  assert.deepStrictEqual(deniedRes.error, "Host Not Allowed");
+  delete process.env.CDXGEN_SERVER_ALLOWED_HOSTS;
+});