
[Security] Bump io.swagger.codegen.version from 2.4.11 to 2.4.20 #129

Conversation

dependabot-preview[bot]

Bumps io.swagger.codegen.version from 2.4.11 to 2.4.20.
Updates swagger-codegen from 2.4.11 to 2.4.20. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Generator Web Application: Local Privilege Escalation Vulnerability via System Temp Directory

Impact

On Unix-like systems, the system's temporary directory is shared between all users on that system. A co-located user can observe the process of creating a temporary subdirectory in the shared temporary directory and race to complete the creation of the temporary subdirectory.

This vulnerability is local privilege escalation because the contents of the outputFolder can be appended to by an attacker. As such, code written to this directory, when executed can be attacker controlled.

Java Code

The method File.createTempFile from the JDK is vulnerable to this local information disclosure vulnerability.

https://github.com/swagger-api/swagger-codegen/blob/068b1ebcb7b04a48ad38f1cadd24bb3810c9f1ab/modules/swagger-generator/src/main/java/io/swagger/generator/online/Generator.java#L174-L185

Patches

Fix has been applied to the master branch with:

included in release: 2.4.19

... (truncated)

Affected versions: < 2.4.19

Sourced from The GitHub Security Advisory Database.

Generated Code Contains Local Information Disclosure Vulnerability

Impact

This vulnerability impacts generated code. If this code was generated as a one-off occasion, not as a part of an automated CI/CD process, this code will remain vulnerable until fixed manually!

On Unix-like systems, the system temporary directory is shared between all local users. When files/directories are created, the default umask settings for the process are respected. As a result, by default, most processes/APIs will create files/directories with the permissions -rw-r--r-- and drwxr-xr-x respectively, unless an API that explicitly sets safe file permissions is used.

Java Code

The method File.createTempFile from the JDK is vulnerable to this local information disclosure vulnerability.

Patches

Fix has been applied to the master branch with:

... (truncated)

Affected versions: < 2.4.19
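Both advisories above come down to the same two JDK choices: `File.createTempFile` respects the process umask (so the file is usually group/world readable), and reusing its name for a directory is not atomic. The example below is added here and is not swagger-codegen's code; the create-delete-mkdir pattern in `racyOutputFolder` is an assumed, common shape of the first bug, not a claim about the exact lines in Generator.java. The hardened forms use `java.nio.file.Files`, which creates temp directories with mode 0700 and temp files with mode 0600 on POSIX file systems regardless of umask, and `isSharedWithOtherUsers` is a check a reviewer can run over any path to confirm that.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;

public class TempDirDemo {

    // Assumed vulnerable shape (first advisory): a temp file name is reserved,
    // the file is deleted and the name reused for a directory. Between
    // delete() and mkdir() the path belongs to nobody, and whatever mkdir()
    // creates gets umask-dependent permissions, so another local user can
    // read or append to the generated output placed there.
    static File racyOutputFolder() throws IOException {
        File tmp = File.createTempFile("codegen-", "-tmp");
        tmp.delete();
        tmp.mkdir();
        return tmp;
    }

    // Hardened form: the directory is created atomically under a fresh random
    // name and, on POSIX, with permissions rwx------ (0700) regardless of umask.
    static Path safeOutputFolder() throws IOException {
        return Files.createTempDirectory("codegen-");
    }

    // Hardened form for generated client code that spools downloads to a temp
    // file: Files.createTempFile uses rw------- (0600) on POSIX, not the umask.
    static Path safeTempFile() throws IOException {
        return Files.createTempFile("download-", ".tmp");
    }

    // True if group or others have any permission bit set. Throws
    // UnsupportedOperationException on file systems without POSIX attributes.
    static boolean isSharedWithOtherUsers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        for (PosixFilePermission perm : perms) {
            if (!perm.name().startsWith("OWNER_")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        Path dir = safeOutputFolder();
        Path file = safeTempFile();
        File racy = racyOutputFolder();
        System.out.println(dir + " shared: " + isSharedWithOtherUsers(dir));
        System.out.println(file + " shared: " + isSharedWithOtherUsers(file));
        System.out.println(racy + " shared: " + isSharedWithOtherUsers(racy.toPath()));
        Files.delete(dir); Files.delete(file); racy.delete();
    }
}
```

On a typical Linux host with umask 022 the two `safe*` paths report `false` and the racy directory reports `true`; the same check applied to a generator's output folder is a quick way to confirm whether a deployment is still affected after a one-off code generation.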

Release notes

Sourced from swagger-codegen's releases.

Swagger Codegen 2.4.20 has been released!

[JavaSpring] Fixed Issue 9250 - Codegen for file datatype (#9490)

  • ref CVE-2020-25649 - jackson 2.11.4 (#10926)
  • added option to write a throwing exception for unknown enums values. (#10356)
  • Add new additional-property ignoreUnknownJacksonAnnotation to add a class level annotation @JsonIgnoreProperties(ignoreUnknown = true) (#10953)
  • [Python] Fix #10948 wrong mode opened file fixed (#10949)
  • Go deni issue 10948 (#10957)
  • [go] object to interface code generator should never generate an interface pointer (#10932)
  • Fix code generation for Angular 10 (#10464)
  • Write mustache template to generate Protocol Oriented class file from swagger for Swift5 (#10868)
  • Update README.md (#10923)

Swagger Codegen 2.4.19 has been released!

  • ref CVE-2020-25649 - jackson 2.11.4 (#10926)
  • [csharp] masked EnumMember value in modelEnum (#8129)
  • Generator updates: sample updates and fixes (#10924)
  • Add option modelPropertyNaming to javascript generator (#8086)
  • #10125 fix DefaultCodegen parsing to handle 'uniqueItems' flag (#10154)
  • Fix code generation for Angular 10 (#10464)
  • added actions for dotnet, java and js generators (#10869)
  • added docker file for go-server generator (#10863)
  • added missed validated annotation. (#10856)
  • added option to skip client validation (#10847)
  • Deprecate InlineModelResolver (#10841)

Swagger Codegen 2.4.18 has been released!

  • #9808 - Dart double cast (#9809)
  • Update dependencies and samples (#10044)
  • Configure WhiteSource for GitHub.com (#10593)
  • Issue 10516 (#10576)
  • fix CVE-2020-27216 - bump jetty version (#10568)
  • updated model inner enum template for java generator (#10567)
  • Enum values issue (#10563)
  • add info object extensions to additional property map (#10557)
  • updated parser version and required property from composed model (#10549)

Swagger Codegen 2.4.17 has been released!

  • added option to check duplicated model names. (#10529)
  • [Issue 9178] Handle multiple formats when decoding dates (#9730)
  • added @Valid annotation on bean validation template for java jaxrs (#10519)
  • Bump master junit deps (#10512)
  • removed commented typescript-fetch module (#10511)
  • Fix code generation for Angular 10 (#10464)
  • fix(go): return decoding errors (#10429)
  • Use same spaces style for json snippets in readme (#10487)
  • Update README.md: typo fixed, version 3.X vs 2.X (#10503)
  • Issue 10125 DefaultCodegen doesn't handle "uniqueItems" flag (#10490)

Swagger Codegen 2.4.16 has been released!

  • updated typescript-fetch sample in order to fix issue (#10481)

... (truncated)

Commits

Updates swagger-codegen-maven-plugin from 2.4.11 to 2.4.20

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Bumps `io.swagger.codegen.version` from 2.4.11 to 2.4.20.

Updates `swagger-codegen` from 2.4.11 to 2.4.20
- [Release notes](https://github.com/swagger-api/swagger-codegen/releases)
- [Commits](swagger-api/swagger-codegen@v2.4.11...v2.4.20)

Updates `swagger-codegen-maven-plugin` from 2.4.11 to 2.4.20

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
dependabot-preview[bot] added the labels "dependencies" (Pull requests that update a dependency file) and "security" (Pull requests that address a security vulnerability) on May 31, 2021.

dependabot-preview[bot] (Author)

Superseded by #131.

dependabot-preview[bot] deleted the dependabot/maven/io.swagger.codegen.version-2.4.20 branch on June 29, 2021, 23:15.