Bump netaddr gem for CVE-2019-17383 #2369
Conversation
| @@ -255,7 +255,7 @@ module Bosh::Director::DeploymentPlan | |||
|
|
|||
| expect(existing_plans[0].reservation.network.name).to eq('my-network-2') | |||
| expect(existing_plans[0].reservation.instance_model).to eq(instance_model) | |||
| expect(ip_to_netaddr(existing_plans[0].reservation.ip)).to eq('192.168.1.2') | |||
| expect(ip_to_netaddr(existing_plans[0].reservation.ip).to_s).to eq('192.168.1.2') | |||
There was a problem hiding this comment.
How about using the format_ip method in all these expects with ip_to_netaddr(..).to_s
There was a problem hiding this comment.
Good idea, I changed all of them.
src/bosh-director/lib/bosh/director/deployment_plan/manual_network_subnet.rb
Show resolved
Hide resolved
| raise NetworkReservedIpOutOfRange, | ||
| "Reserved IP '#{format_ip(ip)}' is out of " \ | ||
| "Reserved IP '#{format_ip(ip_obj)}' is out of " \ |
There was a problem hiding this comment.
I would use the raw ip from json here. Otherwise an exception could raise for. {"ip" : {...}} and you don't get the expected exception.
"Reserved IP '#{ip}' is out of "
There was a problem hiding this comment.
each_ip iterates over the json and supplies the integer representation of each ip. To have a human-readable error message the ip has to be converted back to its string representation. Therefore, either format_ip(ip) or CIDRIP.parse(ip).to_s are required.
FlorianNachtigall
force-pushed
the
bump-gems
branch
6 times, most recently
from
56acdd8 to
44f1975
Compare
FlorianNachtigall
force-pushed
the
bump-gems
branch
from
44f1975 to
3414bce
Compare
FlorianNachtigall
changed the title
rkoster
requested review from
a team,
jpalermo and
bgandon
and removed request for
a team
| expect(subnet.netmask).to eq('ffff:ffff:ffff:ffff:0000:0000:0000:0000') | ||
| expect(subnet.gateway).to eq('fdab:d85c:118d:8a46:0000:0000:0000:0001') | ||
| expect(subnet.range.network.to_s).to eq('fdab:d85c:118d:8a46::') | ||
| # subnet.range.ip.size == 2**64 # TODO NETADDR: bug? / what was tested here? |
There was a problem hiding this comment.
That CIDR Prefix is parsed into a range size. Should probably be updated to network.prefix_len
|
I do like the idea of moving to IPAddr, but since most of the work for bumping |
|
I'm not opposed to merging it, but I feel like it would be easier if we just move to IPAddr. Either change is probably going to have some rough patches and pipeline breakages. Feels like less work to just fix things once, rather than bumping the netaddr gem, fixing things, then replacing netaddr and fixing things again. I was looking over the use cases and it seems like IPAddr should work for everything we're using netaddr for. This way we have one fewer external dependency too. I'm happy to work on an IPAddr PR, but also happy to defer to the folks who put this PR together if they want to do the work. Again, also happy to merge it and work on IPAddr later if that's what the consensus is. |
|
Thanks for the feedback. I'm happy with any approach. Though, the work already put into bumping netaddr shouldn't influence the decision and if we believe IPAddr is the better way forward, I have no hard feelings about discarding all changes. |
|
Also asked for a netaddr 1.5.3 RubyGems release: dspinhirne/netaddr-rb#29 |
|
In terms of fixing the CVE quickly, what are your thoughts on bumping to netaddr 1.5.3 until we have migrated to IPAddr? |
|
We could also install netaddr 1.5.3 from github (we also do this for eventmachine here), and then migrate to IPAddr. |
Consume netaddr release from github since it hasn't been published on rubygems yet. For more context see: - dspinhirne/netaddr-rb#29 - #2369 Co-authored-by: Shilpa Chandrashekara <[email protected]>
Consume netaddr release from github since it hasn't been published on rubygems yet. For more context see: - dspinhirne/netaddr-rb#29 - #2369 Co-authored-by: Shilpa Chandrashekara <[email protected]>
|
Closing in favor of #2373 |
Consume netaddr release from github since it hasn't been published on rubygems yet. For more context see: - dspinhirne/netaddr-rb#29 - #2369 Co-authored-by: Shilpa Chandrashekara <[email protected]>
tldr
netaddr 1.5.0 is vulnerable. Upgrading to netaddr v2 required a lot of changes (see d40d9b7). Let's discuss if this is reasonable and we should finalize the PR or whether other options should be considered (see #Alternatives).
What is this change about?
The currently used version of netaddr is vulnerable:
netaddr 1.5.0->CVE-2019-17383This change updates the gem to the latest version with no known vulnerabilities.
bundle update netaddrwas used to ensure indirect dependencies are updated as well.Breaking changes netaddr v1 -> v2
netaddr was completely rewritten from v1 to v2 and the interface changed significantly. Most importantly,
NetAddr::CIDRwas removed and replaced withNetAddr::IPv4Net&NetAddr::IPv6NetandNetAddr::IPv4&NetAddr::IPv6, which provide similar functionality.Our approach
Due to the broad usage of
NetAddr::CIDRin the code base the PR introduces many changes, however, we tried to rebuild the old functionality with the new API as much as possible to keep the complexity manageable. We created a wrapper forNetAddr::IPv{4,6}Net->IpUtil::CIDRandNetAddr::IPv{4,6}->IpUtil::CIDRIPrespectively to maintain the old behavior and differentiate the IP version in one central place.All netaddr v2 changes have now been incorporated and all bosh-director unit tests are green. Some smaller todos (indicated by
TODO NETADDR) and refactorings are still open.Yet, before we finalize the PR, let's discuss if bumping netaddr to v2 is reasonable considering the size of the change or whether other options should be considered (see #Alternatives).
Open issues with netaddr v2
/64and larger IPv6 subnets (see IPv6 CIDR prefixes dspinhirne/netaddr-rb#28 for more details)Alternatives
CVE-2019-17383was backported to 1.5.3, however, the version has not yet been released on rubygems.org. We could ask for it to be made available.IPAddrgem which provides similar functionality and is potentially better maintained.What tests have you run against this PR?
How should this change be described in bosh release notes?
Does this PR introduce a breaking change?
Tag your pair, your PM, and/or team!
@friegger @cloudfoundry/cf-bosh-europe