Skip to content

Dependabot suggested updates #24

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
iolivergithub wants to merge 132 commits into from
Closed

Dependabot suggested updates #24

iolivergithub wants to merge 132 commits into from

Conversation

@iolivergithub
Copy link
Owner

@iolivergithub iolivergithub commented Jan 8, 2026

No description provided.

iolivergithub and others added 30 commits July 6, 2024 13:39
@iolivergithub
remaned ta10 to tarzan
028e578
@iolivergithub
Merge pull request #1 from iolivergithub/tarzan
de795d5 
remaned ta10 to tarzan
@iolivergithub
updated tarzan documentation
fd8d96f
@iolivergithub
Merge pull request #2 from iolivergithub/tarzan
4cbc0ac 
updated tarzan documentation
@deeglaze
Fix tpm typo in intents.md
7a0a872
@iolivergithub
Merge pull request #3 from deeglaze/patch-1
793f45c 
Fix tpm typo in intents.md
updated new element form
de4f91e
updated Dockerfile
f829b79
updated the new element stuff
0bccea3
added loadstandardintents and some documentation updates
8d03835
fixed loading of standard intents
c382d63
A minor minor typos and updates
9c9932e
bug fixes and added more standard intents
95f214b
updates
ade8203
New EV works, but not quite yet
b477194
working new EVs page
4af9de9
Opaque objects working, webpages and update to the standard intents
0e336e0
update
3742183
minor things- no big fixes
7f52d07
@iolivergithub
fixed small but in results order on elements page
9a890c9
@iolivergithub
fixed encoding issue with claims PCRDigest and Expected Values - now …
8070c60 
…base64 throughout
@iolivergithub
various updates and tweaks
628979d
added some scripting ideas
2b64226
@iolivergithub
added some more help and updated a few internal pages
089f62c
@iolivergithub
Update gettingstarted.md
6650be5
@iolivergithub
Update codeql-analysis.yml
d2916de
@iolivergithub
Update codeql-analysis.yml
a422c9f
not much
b176c48
various
4266d08
some updates to the claim page
3f6e7bc
Ian Oliver and others added 27 commits July 29, 2025 16:23
Added error check to PCRSelection processing
3fcb93c
bug fixed, ran go vet at fixed those errors, some file renaming in ta…
95cb41a 
…rzan
updates to UI. Discovered an error in verification handling, See issues
61b1f23
fixed odd error with GetExpectedValues ... err.Error() segfaults when…
2315512 
… err is nil
added time duration to session.html
8f16722
fixed base64 error in the tpm2rules
6bae9fd
minor update to ratds protocols
89d546b
Working nonce for chares call in ratsd protocol
d36bc4a
Added provisioner code
7f67f8a
@iolivergithub
working buggy provisioner
572d900
@iolivergithub
added files to provisioner to make it work with python zipapp
78009b5
updates to provisioner script
7356924
fixes to the provisioner
dc5109c
Added get elements by tag to RESI API
c759c9e
graceful shutdown works, almost...well...gracefully
3a2114e
Updates to debbuild for building of the provisioner
a01666d
Added initial archiving structure
81290da
Updated archival to record history, modified element and ev operation…
862bdf9 
…s and webpages
typos
ef24600
Fixed zipapp generation, a few typos etc
65b09d0
Fixed typos, fixed zipapp generation
765567a
@iolivergithub
Update codeql-analysis.yml
1979d86 
Signed-off-by: Ian <[email protected]>
fixed annoying machine id comparision issue in the sys rules...it was…
1ecb090 
… tarzans fault
@iolivergithub
Update codeql-analysis.yml
294bf6c 
Signed-off-by: Ian <[email protected]>
quick update with modified restapi for getting evs correctly and prov…
059b354 
…isioner with update
safety things for the provisioner
031f9e4
debduild scripts, split provisioner build away
7dd0ffe
@github-advanced-security
Copy link

github-advanced-security bot commented Jan 8, 2026

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 8, 2026
View reviewed changes
janeserver/operations/expectedValues.go
dbcursorerror := datalayer.DB.Collection("expectedvalues").FindOne(context.TODO(), filter).Decode(&elem)

//dbcursorerror := datalayer.DB.Collection("expectedvalues").FindOne(context.TODO(), filter).Decode(&elem)
datalayer.DB.Collection("expectedvalues").FindOne(context.TODO(), filter).Decode(&elem)

Check failure

Code scanning / CodeQL

Database query built from user-controlled sources High

This query depends on a
user-provided value
Loading
.
This query depends on a
user-provided value
Loading
.
This query depends on a
user-provided value
Loading
.

Copilot Autofix

AI 9 days ago

Copilot could not generate an autofix suggestion

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

janeserver/operations/opaqueobjects.go
_, dberr := datalayer.DB.Collection("opaqueobjects").UpdateOne(context.TODO(), filter, h, options)
update := bson.D{{"$set", h}}

_, dberr := datalayer.DB.Collection("opaqueobjects").UpdateOne(context.TODO(), filter, update, options)

Check failure

Code scanning / CodeQL

Database query built from user-controlled sources High

This query depends on a
user-provided value
Loading
.
This query depends on a
user-provided value
Loading
.

Copilot Autofix

AI 9 days ago

Copilot could not generate an autofix suggestion

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.

tarzan/uefi/endpoints.go

u := GetEventLogLocation(fmt.Sprintf("%v", postbody["uefi/eventlog"]))

fcontent, err := ioutil.ReadFile(u)

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a
user-provided value
Loading
.

Copilot Autofix

AI 9 days ago

In general, the fix is to ensure that any file path ultimately passed to ioutil.ReadFile is either (a) a constant or from an allow list, or (b) validated so it cannot escape a trusted directory or become an arbitrary absolute path. Here, we only see this endpoint reading the UEFI event log, which should come from a known location. The simplest, least invasive fix is to stop honoring the user‑provided path altogether and always use UEFIEVENTLOGLOCATION, even when utilities.IsUnsafe() is true.

The single best fix without changing visible functionality (other than removing the dangerous behavior) is to change GetEventLogLocation so it no longer returns the caller‑supplied loc when unsafe mode is enabled. Instead, it should always return UEFIEVENTLOGLOCATION. We can keep the debug printing to avoid disrupting logging. This change is localized to GetEventLogLocation in tarzan/uefi/endpoints.go; Eventlog can remain unchanged, though its argument to GetEventLogLocation will become effectively ignored. No new imports or helper methods are needed.

Concretely:

  • In tarzan/uefi/endpoints.go, lines 32–38 inside GetEventLogLocation should be replaced so that both branches return UEFIEVENTLOGLOCATION. We can preserve the IsUnsafe() information only for logging if desired, but the path returned must no longer depend on loc.
Suggested changeset 1
tarzan/uefi/endpoints.go

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/tarzan/uefi/endpoints.go b/tarzan/uefi/endpoints.go
--- a/tarzan/uefi/endpoints.go
+++ b/tarzan/uefi/endpoints.go
@@ -29,13 +29,10 @@
 func GetEventLogLocation(loc string) string {
 	fmt.Printf("UEFI Log requested from %v, unsafe mode is %v, giving: ", loc, utilities.IsUnsafe())
 
-	if utilities.IsUnsafe() == true {
-		fmt.Printf("%v\n", loc)
-		return loc
-	} else {
-		fmt.Printf("%v\n", UEFIEVENTLOGLOCATION)
-		return UEFIEVENTLOGLOCATION
-	}
+	// Always return the fixed, trusted event log location to avoid using
+	// user-controlled paths, even when running in unsafe mode.
+	fmt.Printf("%v\n", UEFIEVENTLOGLOCATION)
+	return UEFIEVENTLOGLOCATION
 }
 
 func Eventlog(c echo.Context) error {
EOF
@@ -29,13 +29,10 @@
func GetEventLogLocation(loc string) string {
fmt.Printf("UEFI Log requested from %v, unsafe mode is %v, giving: ", loc, utilities.IsUnsafe())

if utilities.IsUnsafe() == true {
fmt.Printf("%v\n", loc)
return loc
} else {
fmt.Printf("%v\n", UEFIEVENTLOGLOCATION)
return UEFIEVENTLOGLOCATION
}
// Always return the fixed, trusted event log location to avoid using
// user-controlled paths, even when running in unsafe mode.
fmt.Printf("%v\n", UEFIEVENTLOGLOCATION)
return UEFIEVENTLOGLOCATION
}

func Eventlog(c echo.Context) error {
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@iolivergithub @deeglaze