feat(connd): own all connectivity logic #723
Conversation
orb-connd/src/telemetry/net_stats.rs
Outdated
| .trim() | ||
| .parse()?; | ||
| let tx_bytes = String::from_utf8_lossy(&fs::read(tx_path).await?).parse()?; | ||
| let rx_bytes = String::from_utf8_lossy(&fs::read(rx_path).await?).parse()?; |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.
Dataflow graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>orb-connd/src/telemetry/net_stats.rs</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/worldcoin/orb-software/blob/4df282d5a78c351722bc55606e5c68f7c72e3e8d/orb-connd/src/telemetry/net_stats.rs#L14 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 14] sysfs</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/worldcoin/orb-software/blob/4df282d5a78c351722bc55606e5c68f7c72e3e8d/orb-connd/src/telemetry/net_stats.rs#L14 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 14] stats_path</a>"]
v3["<a href=https://github.com/worldcoin/orb-software/blob/4df282d5a78c351722bc55606e5c68f7c72e3e8d/orb-connd/src/telemetry/net_stats.rs#L22 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 22] rx_path</a>"]
end
v2 --> v3
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/worldcoin/orb-software/blob/4df282d5a78c351722bc55606e5c68f7c72e3e8d/orb-connd/src/telemetry/net_stats.rs#L25 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 25] rx_path</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment:
✨ Commit Assistant Fix Suggestion
- Validate and sanitize the
ifacevariable before using it in the file path. Only allow valid interface names (e.g., containing only alphanumeric characters, dashes and underscores). For example, add a check like:if !iface.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_') { return Err(...); }before composing the path. - Optionally, check that the resulting
stats_pathstays within the expected sysfs directory to prevent directory traversal, by canonicalizing the constructed path and confirming it starts with your intended sysfs root. - Handle the case where the path does not exist or is not a regular file by returning an error before reading with
fs::read. - Alternatively, if interface names are coming from a trusted system source, ensure this trust by documenting and enforcing the boundaries of where interface names can originate.
These checks will mitigate path traversal risks by ensuring that an attacker cannot manipulate iface to point to unintended files.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by tainted-path.
You can view more details about this finding in the Semgrep AppSec Platform.
orb-connd/src/telemetry/net_stats.rs
Outdated
| .ok_or_else(|| eyre!("Missing tx_bytes info line."))? | ||
| .trim() | ||
| .parse()?; | ||
| let tx_bytes = String::from_utf8_lossy(&fs::read(tx_path).await?).parse()?; |
There was a problem hiding this comment.
Semgrep identified an issue, but thinks it may be safe to ignore.
The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.
Why this might be safe to ignore:
The code reads kernel sysfs paths built from an internal sysfs base and an interface name (used for local telemetry), not from untrusted external input; this is expected behavior for collecting stats and not a remotely exploitable path-traversal in normal use. If iface/sysfs can be set from untrusted sources, validate/sanitize them before joining paths.
Dataflow graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>orb-connd/src/telemetry/net_stats.rs</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/worldcoin/orb-software/blob/4df282d5a78c351722bc55606e5c68f7c72e3e8d/orb-connd/src/telemetry/net_stats.rs#L14 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 14] sysfs</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/worldcoin/orb-software/blob/4df282d5a78c351722bc55606e5c68f7c72e3e8d/orb-connd/src/telemetry/net_stats.rs#L14 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 14] stats_path</a>"]
v3["<a href=https://github.com/worldcoin/orb-software/blob/4df282d5a78c351722bc55606e5c68f7c72e3e8d/orb-connd/src/telemetry/net_stats.rs#L21 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 21] tx_path</a>"]
end
v2 --> v3
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/worldcoin/orb-software/blob/4df282d5a78c351722bc55606e5c68f7c72e3e8d/orb-connd/src/telemetry/net_stats.rs#L24 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 24] tx_path</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by tainted-path.
You can view more details about this finding in the Semgrep AppSec Platform.
|
|
||
| pub async fn import_wpa_conf(&self, wpa_conf_dir: impl AsRef<Path>) -> Result<()> { | ||
| let wpa_conf = wpa_conf_dir.as_ref().join("wpa_supplicant-wlan0.conf"); | ||
| match File::open(&wpa_conf).await { |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.
Dataflow graph
flowchart LR
classDef invis fill:white, stroke: none
classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none
subgraph File0["<b>orb-connd/src/service/mod.rs</b>"]
direction LR
%% Source
subgraph Source
direction LR
v0["<a href=https://github.com/worldcoin/orb-software/blob/9eb3d14a7f73d26ea277dee93d1354dd1855a6a5/orb-connd/src/service/mod.rs#L118 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 118] wpa_conf_dir</a>"]
end
%% Intermediate
subgraph Traces0[Traces]
direction TB
v2["<a href=https://github.com/worldcoin/orb-software/blob/9eb3d14a7f73d26ea277dee93d1354dd1855a6a5/orb-connd/src/service/mod.rs#L118 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 118] wpa_conf</a>"]
end
%% Sink
subgraph Sink
direction LR
v1["<a href=https://github.com/worldcoin/orb-software/blob/9eb3d14a7f73d26ea277dee93d1354dd1855a6a5/orb-connd/src/service/mod.rs#L119 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 119] &wpa_conf</a>"]
end
end
%% Class Assignment
Source:::invis
Sink:::invis
Traces0:::invis
File0:::invis
%% Connections
Source --> Traces0
Traces0 --> Sink
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by tainted-path.
You can view more details about this finding in the Semgrep AppSec Platform.
orb-connd/src/service/wifi.rs
Outdated
| let wifi_str = wifi_str.replace("WIFI:", ""); | ||
| let map: HashMap<_, _> = wifi_str | ||
| .split(";") | ||
| .flat_map(|entry| entry.split_once(":")) | ||
| .collect(); | ||
|
|
||
| let sec = map | ||
| .get("T") | ||
| .and_then(|sec| WifiSec::parse(sec)) | ||
| .wrap_err_with(|| { | ||
| format!("invalid or missing wifi sec on qr code: {wifi_str}") | ||
| })?; | ||
|
|
||
| let ssid = map | ||
| .get("S") | ||
| .wrap_err_with(|| format!("missing wifi ssid on qr code: {wifi_str}"))? | ||
| .to_string(); | ||
|
|
||
| let hidden = map | ||
| .get("H") | ||
| .map(|h| h.parse()) | ||
| .transpose()? | ||
| .unwrap_or_default(); | ||
|
|
||
| let psk = map.get("P").map(|p| p.to_string()); |
There was a problem hiding this comment.
Why not keep using the existing nom-based Mecard parser for this?
There was a problem hiding this comment.
switched back to nom parser, but removed hex encoding for ssids (kept it for pws, but changed check to make sure psks are 64 chars to avoid false positives)
orb-connd/src/service/netconfig.rs
Outdated
| } | ||
|
|
||
| impl NetConfig { | ||
| pub fn parse(netconfig_str: &str) -> Result<NetConfig> { |
There was a problem hiding this comment.
Have you considered using nom crate for this kind of parser?
orb-connd/src/service/netconfig.rs
Outdated
|
|
||
| impl NetConfig { | ||
| pub fn parse(netconfig_str: &str) -> Result<NetConfig> { | ||
| let netconfig_str = netconfig_str.replace("WIFI:", ""); |
There was a problem hiding this comment.
What if there is an SSID named MYWIFI:HOME? A real parser wouldn't have this issue.
orb-connd/src/service/netconfig.rs
Outdated
| let map: HashMap<_, _> = netconfig_str | ||
| .split(";") | ||
| .flat_map(|entry| entry.split_once(":")) | ||
| .collect(); |
There was a problem hiding this comment.
If there is an entry without a colon, we ignore it. Perhaps this is fine.
But what if there is a password that contains a colon? This is quite common.
There was a problem hiding this comment.
Ok, a password with a colon would pass, because we use split_once here, and it would be something like this: P:abc:def
There was a problem hiding this comment.
But what if the password contains ;? What if it contains \"? What if it's quoted?
new
hotspotwlan profile is created on startupcellularwwan profile is created on startupwpa-supplicantconf toNetworkManageron startup then deletes old filehttps://fleet.orb.worldcoin.org/api/v2/online_checkfor conn checkchanged
ModemManagerfor testingdogstatd::Clientrefactored to be behindStatdClientfor testingiccidis optional when reporting tobackend-statusrelated PRs
https://github.com/worldcoin/priv-orb-core/pull/1744
https://github.com/worldcoin/orb-os/pull/1234
todo
network-mangaer/varlibon/usr/persistentif too big (.leaseandseen-bssidsonly)manual tests
(performed on a dev orb)