Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/jlleitschuh/bulk-security-pr-generator

Generate thousands of pull requests to fix widespread security vulnerabilities across GitHub.
https://github.com/jlleitschuh/bulk-security-pr-generator

Last synced: 11 months ago
JSON representation

Generate thousands of pull requests to fix widespread security vulnerabilities across GitHub.

Awesome Lists containing this project

README 

          
# Bulk Security Pull Request Generator



Used to generate bulk pull requests (PRs) against projects to fix security vulnerabilities.



These 'bulk fixes' are done as a part of the new [GitHub Security Lab](https://securitylab.github.com/) Bug Bounty Program.



Data is sourced from queries on [lgtm.com](https://lgtm.com) and used to create bulk pull-requests to fix these security

vulnerabilities.



### Features



 - Built-in crash recovery -- Saves state during execution to allow recovering from a crash

 - Records metrics -- Files fixed, Number of Fixes, PR URLs

 - Fast -- Asynchronous IO using python async API



### To Implement



 - Commit messages follow the [SECOM](https://tqrg.github.io/sec-commits/) standard.



## Project 1: HTTPS Everywhere to Resolve Dependencies in Maven POM Files Everywhere! 



[![mitm_build](https://user-images.githubusercontent.com/1323708/59226671-90645200-8ba1-11e9-8ab3-39292bef99e9.jpeg)](https://medium.com/@jonathan.leitschuh/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link&sk=3c99970c55a899ad9ef41f126efcde0e)



[Want to take over the Java ecosystem? All you need is a MITM!](https://medium.com/@jonathan.leitschuh/want-to-take-over-the-java-ecosystem-all-you-need-is-a-mitm-1fc329d898fb?source=friends_link&sk=3c99970c55a899ad9ef41f126efcde0e)



This project has been used to generate PRs that automatically fix a security vulnerability in Maven POM files that

are using HTTP instead of HTTPS to resolve dependencies.



**Pull Requests Generated: 1,596**



## Project 1.5: Prevent `rhostname` array overflow



GitHub Security Lab's [pwntester](https://github.com/pwntester) leveraged this project to generate pull requests to fix an array overflow. This is a variant of [CVE-2020-8597](https://nvd.nist.gov/vuln/detail/CVE-2020-8597).



You can read in more detail about this vulnerability in [CERT Advisory VU#782301](https://kb.cert.org/vuls/id/782301/).



The vulnerability occurs because, given that `vallen` was checked to be less than len, it can never be the case that `vallen >= len + sizeof(rhostname)`. Therefore, `rhostname` never gets trimmed and the `rhostname` array may overflow.



**Pull Requests Generated: [1,885](https://github.com/search?o=desc&q=author%3Aghsecuritylab+&s=comments&type=Issues)**



## Project 2: CVE-2019-16303 - JHipster Vulnerability Fix - Use CSPRNG in RandomUtil



In 2019, I discovered a vulnerability in the [JHipster](https://www.jhipster.tech/) code generator where it was

generating vulnerable implementations of a class called `RandomUtil.java`.

  

Using one password reset token from these apps combined with the POC below, an attacker can determine all future password

reset tokens to be generated by these vulnerable servers.

This would allow an attacker to pick and choose what account they would like to takeover by sending account password reset requests for targeted accounts.



[POC code](http://web.archive.org/web/20191126104359/https://medium.com/@alex91ar/the-java-soothsayer-a-practical-application-for-insecure-randomness-c67b0cd148cd) has existed since March 3rd, 2018 for taking one RNG value generated by `RandomStringUtils` and reversing it to generate all of the past/future RNG values.



The fix was generated for each vulnerable file, preserving the original style of the file, by the [Rewrite project](https://github.com/openrewrite/rewrite).

See the specific code for this fix [here](https://github.com/moderneinc/jhipster-cwe-338).



**Pull Requests Generated: 3,880**