Skip to content

Commit 8059cf1

Browse files
committed
errors due to updates are fixed now
1 parent edce2f3 commit 8059cf1

2 files changed

Lines changed: 30 additions & 15 deletions

File tree

community/detectors/kubeflow_exposed_ui_rce/build.gradle

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,7 @@ dependencies {
2929
testImplementation "junit:junit:4.13"
3030
testImplementation "com.google.inject:guice:4.2.3"
3131
testImplementation "com.google.inject.extensions:guice-testlib:4.2.3"
32+
testImplementation "com.squareup.okhttp3:mockwebserver:3.12.0"
3233
testImplementation "org.mockito:mockito-core:2.28.2"
3334
testImplementation "com.google.truth:truth:1.0.1"
3435
testImplementation "com.google.truth.extensions:truth-java8-extension:1.0.1"

community/detectors/kubeflow_exposed_ui_rce/src/main/java/com/google/tsunami/plugins/detectors/rce/KubeflowRceDetector.java

Lines changed: 29 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -65,7 +65,6 @@
6565
import okhttp3.MultipartBody;
6666
import okhttp3.RequestBody;
6767
import okio.Buffer;
68-
import org.apache.commons.lang3.RandomStringUtils;
6968

7069
/** A {@link VulnDetector} that detects publicly exposed kubeflow instances. */
7170
@PluginInfo(
@@ -259,8 +258,7 @@ private boolean isServiceVulnerable(NetworkService networkService) {
259258
post(rootUrl
260259
+ String.format(
261260
"pipeline/apis/v2beta1/pipelines/upload?name=%s&description=&namespace=%s",
262-
"TsunamiPipeline-" + RandomStringUtils.randomAlphanumeric(10),
263-
nameSpace))
261+
"TsunamiPipeline-" + generateRandomAlphanumeric(), nameSpace))
264262
.setHeaders(
265263
HttpHeaders.builder()
266264
.addHeader(
@@ -421,7 +419,7 @@ private static String getFirstPipelineVersionId(String response) {
421419
try {
422420
JsonObject jsonObject = JsonParser.parseString(response).getAsJsonObject();
423421
JsonArray pipelineVersions = jsonObject.getAsJsonArray("pipeline_versions");
424-
if (!pipelineVersions.isEmpty()) {
422+
if (pipelineVersions.size() > 0) {
425423
JsonObject firstPipelineVersion = pipelineVersions.get(0).getAsJsonObject();
426424
return firstPipelineVersion.get("pipeline_version_id").getAsString();
427425
}
@@ -431,24 +429,40 @@ private static String getFirstPipelineVersionId(String response) {
431429
return "";
432430
}
433431

432+
private static String generateRandomAlphanumeric() {
433+
String characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
434+
StringBuilder result = new StringBuilder();
435+
java.util.Random random = new java.util.Random();
436+
for (int i = 0; i < 10; i++) {
437+
result.append(characters.charAt(random.nextInt(characters.length())));
438+
}
439+
return result.toString();
440+
}
441+
442+
@Override
443+
public ImmutableList<Vulnerability> getAdvisories() {
444+
return ImmutableList.of(
445+
Vulnerability.newBuilder()
446+
.setMainId(
447+
VulnerabilityId.newBuilder()
448+
.setPublisher("TSUNAMI_COMMUNITY")
449+
.setValue("KUBEFLOW_EXPOSED_API_RCE"))
450+
.setSeverity(Severity.CRITICAL)
451+
.setTitle("Exposed kubeflow API")
452+
.setDescription(
453+
"This vulnerability check exposed Kubeflow API by executing a OS command in a"
454+
+ " kubeflow pipeline.")
455+
.build());
456+
}
457+
434458
private DetectionReport buildDetectionReport(
435459
TargetInfo targetInfo, NetworkService vulnerableNetworkService) {
436460
return DetectionReport.newBuilder()
437461
.setTargetInfo(targetInfo)
438462
.setNetworkService(vulnerableNetworkService)
439463
.setDetectionTimestamp(Timestamps.fromMillis(Instant.now(utcClock).toEpochMilli()))
440464
.setDetectionStatus(DetectionStatus.VULNERABILITY_VERIFIED)
441-
.setVulnerability(
442-
Vulnerability.newBuilder()
443-
.setMainId(
444-
VulnerabilityId.newBuilder()
445-
.setPublisher("TSUNAMI_COMMUNITY")
446-
.setValue("KUBEFLOW_EXPOSED_API_RCE"))
447-
.setSeverity(Severity.CRITICAL)
448-
.setTitle("Exposed kubeflow API")
449-
.setDescription(
450-
"This vulnerability check exposed Kubeflow API by executing a OS command in a"
451-
+ " kubeflow pipeline."))
465+
.setVulnerability(this.getAdvisories().get(0))
452466
.build();
453467
}
454468
}

0 commit comments

Comments
 (0)