feat(osv): add last_affected and limit fields (#232)

2023-08-03 16:06:44 +03:00 · 2023-08-03 16:06:44 +03:00 · c2f1e32f0f
commit c2f1e32f0f
parent dccdb4d01c
4 changed files with 280 additions and 2 deletions
--- a/osv/osv_test.go
+++ b/osv/osv_test.go
@ -30,6 +30,7 @@ func Test_Update(t *testing.T) {
 				filepath.Join("python", "cherrypy", "PYSEC-2006-1.json"),
 				filepath.Join("python", "trac", "PYSEC-2005-1.json"),
 				filepath.Join("python", "trac", "PYSEC-2006-2.json"),
+				filepath.Join("python", "aiohttp", "PYSEC-2023-120.json"),
 			},
 		},
 		{
--- a/osv/testdata/golden/python/aiohttp/PYSEC-2023-120.json
+++ b/osv/testdata/golden/python/aiohttp/PYSEC-2023-120.json
@ -0,0 +1,275 @@
+{
+    "id": "PYSEC-2023-120",
+    "summary": "aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser",
+    "details": "### Impact\n\naiohttp v3.8.4 and earlier are [bundled with llhttp v6.0.6](https://github.com/aio-libs/aiohttp/blob/v3.8.4/.gitmodules) which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel.\n\nThis vulnerability only affects users of aiohttp as an HTTP server (ie `aiohttp.Application`), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie `aiohttp.ClientSession`).\n\n### Reproducer\n\n```python\nfrom aiohttp import web\n\nasync def example(request: web.Request):\n    headers = dict(request.headers)\n    body = await request.content.read()\n    return web.Response(text=f\"headers: {headers} body: {body}\")\n\napp = web.Application()\napp.add_routes([web.post('/', example)])\nweb.run_app(app)\n```\n\nSending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling.\n\n```console\n$ printf \"POST / HTTP/1.1\\r\\nHost: localhost:8080\\r\\nX-Abc: \\rxTransfer-Encoding: chunked\\r\\n\\r\\n1\\r\\nA\\r\\n0\\r\\n\\r\\n\" \\\n  | nc localhost 8080\n\nExpected output:\n  headers: {'Host': 'localhost:8080', 'X-Abc': '\\rxTransfer-Encoding: chunked'} body: b''\n\nActual output (note that 'Transfer-Encoding: chunked' is an HTTP header now and body is treated differently)\n  headers: {'Host': 'localhost:8080', 'X-Abc': '', 'Transfer-Encoding': 'chunked'} body: b'A'\n```\n\n### Patches\n\nUpgrade to the latest version of aiohttp to resolve this vulnerability. It has been fixed in v3.8.5: [`pip install aiohttp >= 3.8.5`](https://pypi.org/project/aiohttp/3.8.5/)\n\n### Workarounds\n\nIf you aren't able to upgrade you can reinstall aiohttp using `AIOHTTP_NO_EXTENSIONS=1` as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable to request smuggling:\n\n```console\n$ python -m pip uninstall --yes aiohttp\n$ AIOHTTP_NO_EXTENSIONS=1 python -m pip install --no-binary=aiohttp --no-cache aiohttp\n```\n\n### References\n\n* https://nvd.nist.gov/vuln/detail/CVE-2023-30589\n* https://hackerone.com/reports/2001873\n",
+    "aliases": [
+      "GHSA-45c4-8wx5-qw6w",
+      "CVE-2023-37276"
+    ],
+    "modified": "2023-07-24T14:58:05.562874Z",
+    "published": "2023-07-20T14:52:00Z",
+    "references": [
+      {
+        "type": "ADVISORY",
+        "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w"
+      },
+      {
+        "type": "ADVISORY",
+        "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37276"
+      },
+      {
+        "type": "PACKAGE",
+        "url": "https://github.com/aio-libs/aiohttp"
+      },
+      {
+        "type": "WEB",
+        "url": "https://hackerone.com/reports/2001873"
+      }
+    ],
+    "affected": [
+      {
+        "package": {
+          "name": "aiohttp",
+          "ecosystem": "PyPI",
+          "purl": "pkg:pypi/aiohttp"
+        },
+        "ranges": [
+          {
+            "type": "ECOSYSTEM",
+            "events": [
+              {
+                "introduced": "0"
+              },
+              {
+                "last_affected": "3.8.4"
+              }
+            ]
+          }
+        ],
+        "versions": [
+          "0.1",
+          "0.10.0",
+          "0.10.1",
+          "0.10.2",
+          "0.11.0",
+          "0.12.0",
+          "0.13.0",
+          "0.13.1",
+          "0.14.0",
+          "0.14.1",
+          "0.14.2",
+          "0.14.3",
+          "0.14.4",
+          "0.15.0",
+          "0.15.1",
+          "0.15.2",
+          "0.15.3",
+          "0.16.0",
+          "0.16.1",
+          "0.16.2",
+          "0.16.3",
+          "0.16.4",
+          "0.16.5",
+          "0.16.6",
+          "0.17.0",
+          "0.17.1",
+          "0.17.2",
+          "0.17.3",
+          "0.17.4",
+          "0.18.0",
+          "0.18.1",
+          "0.18.2",
+          "0.18.3",
+          "0.18.4",
+          "0.19.0",
+          "0.2",
+          "0.20.0",
+          "0.20.1",
+          "0.20.2",
+          "0.21.0",
+          "0.21.1",
+          "0.21.2",
+          "0.21.4",
+          "0.21.5",
+          "0.21.6",
+          "0.22.0",
+          "0.22.0a0",
+          "0.22.0b0",
+          "0.22.0b1",
+          "0.22.0b2",
+          "0.22.0b3",
+          "0.22.0b4",
+          "0.22.0b5",
+          "0.22.0b6",
+          "0.22.1",
+          "0.22.2",
+          "0.22.3",
+          "0.22.4",
+          "0.22.5",
+          "0.3",
+          "0.4",
+          "0.4.1",
+          "0.4.2",
+          "0.4.3",
+          "0.4.4",
+          "0.5.0",
+          "0.6.0",
+          "0.6.1",
+          "0.6.2",
+          "0.6.3",
+          "0.6.4",
+          "0.6.5",
+          "0.7.0",
+          "0.7.1",
+          "0.7.2",
+          "0.7.3",
+          "0.8.0",
+          "0.8.1",
+          "0.8.2",
+          "0.8.3",
+          "0.8.4",
+          "0.9.0",
+          "0.9.1",
+          "0.9.2",
+          "0.9.3",
+          "1.0.0",
+          "1.0.1",
+          "1.0.2",
+          "1.0.3",
+          "1.0.5",
+          "1.1.0",
+          "1.1.1",
+          "1.1.2",
+          "1.1.3",
+          "1.1.4",
+          "1.1.5",
+          "1.1.6",
+          "1.2.0",
+          "1.3.0",
+          "1.3.1",
+          "1.3.2",
+          "1.3.3",
+          "1.3.4",
+          "1.3.5",
+          "2.0.0",
+          "2.0.0rc1",
+          "2.0.1",
+          "2.0.2",
+          "2.0.3",
+          "2.0.4",
+          "2.0.5",
+          "2.0.6",
+          "2.0.7",
+          "2.1.0",
+          "2.2.0",
+          "2.2.1",
+          "2.2.2",
+          "2.2.3",
+          "2.2.4",
+          "2.2.5",
+          "2.3.0",
+          "2.3.0a1",
+          "2.3.0a2",
+          "2.3.0a3",
+          "2.3.0a4",
+          "2.3.1",
+          "2.3.10",
+          "2.3.1a1",
+          "2.3.2",
+          "2.3.2b2",
+          "2.3.2b3",
+          "2.3.3",
+          "2.3.4",
+          "2.3.5",
+          "2.3.6",
+          "2.3.7",
+          "2.3.8",
+          "2.3.9",
+          "3.0.0",
+          "3.0.0b0",
+          "3.0.0b1",
+          "3.0.0b2",
+          "3.0.0b3",
+          "3.0.0b4",
+          "3.0.1",
+          "3.0.2",
+          "3.0.3",
+          "3.0.4",
+          "3.0.5",
+          "3.0.6",
+          "3.0.7",
+          "3.0.8",
+          "3.0.9",
+          "3.1.0",
+          "3.1.1",
+          "3.1.2",
+          "3.1.3",
+          "3.2.0",
+          "3.2.1",
+          "3.3.0",
+          "3.3.0a0",
+          "3.3.1",
+          "3.3.2",
+          "3.3.2a0",
+          "3.4.0",
+          "3.4.0a0",
+          "3.4.0a3",
+          "3.4.0b1",
+          "3.4.0b2",
+          "3.4.1",
+          "3.4.2",
+          "3.4.3",
+          "3.4.4",
+          "3.5.0",
+          "3.5.0a1",
+          "3.5.0b1",
+          "3.5.0b2",
+          "3.5.0b3",
+          "3.5.1",
+          "3.5.2",
+          "3.5.3",
+          "3.5.4",
+          "3.6.0",
+          "3.6.0a0",
+          "3.6.0a1",
+          "3.6.0a11",
+          "3.6.0a12",
+          "3.6.0a2",
+          "3.6.0a3",
+          "3.6.0a4",
+          "3.6.0a5",
+          "3.6.0a6",
+          "3.6.0a7",
+          "3.6.0a8",
+          "3.6.0a9",
+          "3.6.0b0",
+          "3.6.1",
+          "3.6.1b3",
+          "3.6.1b4",
+          "3.6.2",
+          "3.6.2a0",
+          "3.6.2a1",
+          "3.6.2a2",
+          "3.6.3",
+          "3.7.0",
+          "3.7.0b0",
+          "3.7.0b1",
+          "3.7.1",
+          "3.7.2",
+          "3.7.3",
+          "3.7.4",
+          "3.7.4.post0",
+          "3.8.0",
+          "3.8.0a7",
+          "3.8.0b0",
+          "3.8.1",
+          "3.8.2",
+          "3.8.3",
+          "3.8.4"
+        ],
+        "database_specific": {
+          "source": "https://github.com/pypa/advisory-database/blob/main/vulns/aiohttp/PYSEC-2023-120.yaml"
+        }
+      }
+    ]
+  }
--- a/osv/testdata/python/all.zip
+++ b/osv/testdata/python/all.zip
--- a/osv/types.go
+++ b/osv/types.go
@ -19,8 +19,10 @@ type Range struct {
 	Events []Event `json:"events,omitempty"`
 }
 type Event struct {
-	Introduced string `json:"introduced,omitempty"`
-	Fixed      string `json:"fixed,omitempty"`
+	Introduced   string `json:"introduced,omitempty"`
+	Fixed        string `json:"fixed,omitempty"`
+	LastAffected string `json:"last_affected,omitempty"`
+	Limit        string `json:"limit,omitempty"`
 }

 type Reference struct {