Procházet zdrojové kódy

chore: add SECURITY_ADVISORY_DUPLICATES maintainer guide

Document known duplicate advisory clusters and triage steps referenced
from SECURITY.md.

Co-authored-by: Cursor <cursoragent@cursor.com>
jamesread před 19 hodinami
rodič
revize
615d62779e
1 změnil soubory, kde provedl 116 přidání a 0 odebrání
  1. 116 0
      .github/SECURITY_ADVISORY_DUPLICATES.md

+ 116 - 0
.github/SECURITY_ADVISORY_DUPLICATES.md

@@ -0,0 +1,116 @@
+# Security Advisory Duplicates — Maintainer Guide
+
+This document lists known duplicate security advisory clusters for [OliveTin/OliveTin](https://github.com/OliveTin/OliveTin). When triaging new reports, check here and [open advisories](https://github.com/OliveTin/OliveTin/security/advisories) before accepting.
+
+**Duplicate policy:** the earliest reporter on the canonical advisory receives primary credit. Later reporters are credited on the canonical advisory when closed as duplicates. See [SECURITY.md](../SECURITY.md).
+
+## Triage checklist
+
+1. Search open advisories for the same component and attack path.
+2. Match against clusters below.
+3. If duplicate: close the newer advisory, link to canonical, add reporter to canonical credits.
+4. If unique: accept, patch on a private branch, reassess CVSS with OliveTin context (see SECURITY.md — OliveTin is intentional RCE by design).
+5. Merge fix to `next`, publish advisory, credit reporters in advisory body (not commit message).
+
+---
+
+## shellAfterCompleted command injection
+
+**Canonical:** [GHSA-vc6p-m6vx-6cwq](https://github.com/OliveTin/OliveTin/security/advisories/GHSA-vc6p-m6vx-6cwq) — reporter **knight-yagami** (2026-03-04)
+
+Untrusted command output or template variables interpolated into `shellAfterCompleted` and executed via `sh -c`.
+
+| GHSA | Reporter | Status | Notes |
+|------|----------|--------|-------|
+| GHSA-vc6p-m6vx-6cwq | knight-yagami | closed (canonical) | Original report |
+| GHSA-v5gc-hqpq-227p | 0xkakash1 | closed (duplicate) | Output template variant |
+| GHSA-m7wr-wj5j-7459 | Ryu7zz | duplicate | Webhook `exec` → output → `shellAfterCompleted` |
+| GHSA-cjxm-x848-6vmc | Yesuhei | duplicate | Missing shell safety on after-completion |
+| GHSA-j9p9-36jc-2v8w | anushkavirgaonkar | duplicate | Same root cause |
+
+**Fix:** shell-quote `output`/`exitCode` before template render; block `shellAfterCompleted` for webhook-tagged actions.
+
+**CVSS note:** requires admin-configured `shellAfterCompleted` and attacker influence on output — typically PR:H not PR:N.
+
+---
+
+## OAuth2 state map memory exhaustion (DoS)
+
+**Canonical:** [GHSA-xpxj-f2fm-rqch](https://github.com/OliveTin/OliveTin/security/advisories/GHSA-xpxj-f2fm-rqch) — reporter **knight-yagami** (2026-03-04)
+
+Unauthenticated `/oauth/login` grows `registeredStates` without TTL or cap.
+
+| GHSA | Reporter | Status | Notes |
+|------|----------|--------|-------|
+| GHSA-xpxj-f2fm-rqch | knight-yagami | closed (canonical) | Original report |
+| GHSA-cj96-c55v-2f3c | Dredsen | duplicate | Same unbounded map |
+
+**Fix:** TTL sweep (match 15-minute cookie MaxAge), max map size, cleanup on failed callback.
+
+**CVSS note:** unauthenticated DoS — reported 7.5 is appropriate.
+
+---
+
+## URL argument type — unrestricted URI schemes (SSRF / file read)
+
+**Canonical:** [GHSA-45pc-w4ph-hrq4](https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45pc-w4ph-hrq4) — reporter **fg0x0** (2026-03-09)
+
+`url` type accepts `file://`, `gopher://`, etc. Blocked in `shell:` mode but still validated weakly for `exec:` actions.
+
+| GHSA | Reporter | Status | Notes |
+|------|----------|--------|-------|
+| GHSA-45pc-w4ph-hrq4 | fg0x0 | closed (canonical) | Original report |
+| GHSA-cchg-25m4-q6rj | anushkavirgaonkar | duplicate | Same scheme validation gap |
+
+**Fix:** allowlist `http`/`https` in `typeSafetyCheckUrl`.
+
+**CVSS note:** admin must configure `exec:` action passing URL to external tool — PR:H.
+
+---
+
+## Custom `regex:` argument type in shell actions
+
+**Canonical:** [GHSA-xc5w-4v5w-7x65](https://github.com/OliveTin/OliveTin/security/advisories/GHSA-xc5w-4v5w-7x65) — reporter **Ayantaker** (2026-05-06)
+
+`regex:` types not in shell denylist; partial `MatchString` allows injection suffixes.
+
+| GHSA | Reporter | Status | Notes |
+|------|----------|--------|-------|
+| GHSA-xc5w-4v5w-7x65 | Ayantaker | canonical | Missing denylist entry |
+| GHSA-gvxq-7gvp-4ggr | anushkavirgaonkar | duplicate | Unanchored partial match |
+
+**Fix:** deny `regex:` in shell mode; enforce full-string match for custom regex types.
+
+---
+
+## Shell denylist incomplete (post CVE-2026-27626)
+
+**Canonical:** [GHSA-c26w-h42g-jfp9](https://github.com/OliveTin/OliveTin/security/advisories/GHSA-c26w-h42g-jfp9) — reporter **sec-reex** (2026-07-03)
+
+CVE-2026-27626 added `password` to denylist only; `html`, `confirmation`, and choiceless `checkbox` still skip validation and are allowed in `shell:` actions.
+
+**Fix:** extend `checkShellArgumentSafety` denylist.
+
+---
+
+## StartActionAndWait logs ACL bypass
+
+**Canonical:** [GHSA-jm28-2wcr-qf3h](https://github.com/OliveTin/OliveTin/security/advisories/GHSA-jm28-2wcr-qf3h) — reporter **offset** (2026-03-12)
+
+`StartActionAndWait` / `StartActionByGetAndWait` return full log output without `logs` ACL check.
+
+No known duplicates.
+
+**Fix:** apply `isLogEntryAllowed` before returning `LogEntry`.
+
+**CVSS note:** requires authenticated user with `exec` but not `logs` — typically 4.3–5.3 not 6.5.
+
+---
+
+## Easy to confuse (not duplicates)
+
+| Topic | Advisories | Distinction |
+|-------|------------|-------------|
+| OAuth2 state DoS vs OAuth2 auth bypass | GHSA-xpxj vs GHSA-3v7p | DoS fills state map; bypass spoofs `authHttpHeaderUsername` |
+| `shellAfterCompleted` vs direct `shell` injection | GHSA-vc6p vs GHSA-49gm | Second-order via output vs first-order argument injection |
+| `ValidateArgumentType` enumeration | GHSA-f637 vs GHSA-x6q3 | Same issue; GHSA-f637 published |