From 8bc07951f4eb7bf7827de267d1be1a593c1fe35b Mon Sep 17 00:00:00 2001
From: Sanyam Jain
Date: Mon, 26 Aug 2024 17:45:01 +0530
Subject: [PATCH 1/8] Update celery-entrypoint.sh

Removing HttpCore which was causing issue.
---
 web/celery-entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/celery-entrypoint.sh b/web/celery-entrypoint.sh
index 70f6ab74e..6d7968fff 100755
--- a/web/celery-entrypoint.sh
+++ b/web/celery-entrypoint.sh
@@ -157,7 +157,7 @@ exec "$@"
 echo 'alias httpx="/go/bin/httpx"' >> ~/.bashrc
 
 # TEMPORARY FIX, httpcore is causing issues with celery, removing it as temp fix
-python3 -m pip uninstall -y httpcore
+#python3 -m pip uninstall -y httpcore
 
 # TEMPORARY FIX FOR langchain
 pip install tenacity==8.2.2

From b38268599b526004f220af8b3bc2128d6039ef77 Mon Sep 17 00:00:00 2001
From: Shelby Cunningham
Date: Fri, 30 Aug 2024 14:18:57 -0400
Subject: [PATCH 2/8] Replace CVE-2024-41661 with CVE-2023-50094

On 29 August 2024, MITRE informed GitHub that CVE-2024-41661, which was issued August 2024 is a duplicate of CVE-2023-50094, which was issued December 2023 or January 2024. We rejected CVE-2024-41661 as a duplicate CVE because CVE-2023-50094 was published first and suggest that the maintainers of reNgine replace all instances of CVE-2024-41661 with CVE-2023-50094, including in the changelog and repository security advisory.
---
 CHANGELOG.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b24f1555d..e0836811a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
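Review bot: The comment `# TEMPORARY FIX, httpcore is causing issues with celery, removing it as temp fix` now sits directly above a command that has been commented out, so the script documents the opposite of what it does; rewrite it as `# httpcore uninstall disabled: removing it caused its own problems, keep the package installed` or delete the dead line together with its comment. The hunk header shows `exec "$@"` as the nearest preceding column-0 line; if that exec is unconditional, nothing in this hunk runs at all, which is worth confirming before relying on either the alias or the tenacity pin. The script continues outside the hunk in both directions.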
@@ -8,7 +8,7 @@ ### Security Update -* (Security) CVE-2024-41661 Stored Cross-Site Scripting (XSS) via DNS Record Poisoning reported by @touhidshaikh Advisory https://github.com/yogeshojha/rengine/security/advisories/GHSA-96q4-fj2m-jqf7 +* (Security) CVE-2023-50094 Stored Cross-Site Scripting (XSS) via DNS Record Poisoning reported by @touhidshaikh Advisory https://github.com/yogeshojha/rengine/security/advisories/GHSA-96q4-fj2m-jqf7 ### Bug Fixes @@ -31,7 +31,7 @@ ## What's Changed ### Security update -* (Security) CVE-2024-41661 Fix Authenticated command injection in WAF detection tool reported by @n-thumann Advisory https://github.com/yogeshojha/rengine/security/advisories/GHSA-fx7f-f735-vgh4 +* (Security) CVE-2023-50094 Fix Authenticated command injection in WAF detection tool reported by @n-thumann Advisory https://github.com/yogeshojha/rengine/security/advisories/GHSA-fx7f-f735-vgh4 ### Bug Fixes From cbe32a32852477803abe0037f82fe51fec5f864b Mon Sep 17 00:00:00 2001 From: Yogesh Ojha Date: Sat, 31 Aug 2024 13:13:16 +0530 Subject: [PATCH 3/8] fix autocomment --- .github/workflows/auto-comment.yml | 102 +++++++++++++++++++---------- 1 file changed, 68 insertions(+), 34 deletions(-) diff --git a/.github/workflows/auto-comment.yml b/.github/workflows/auto-comment.yml index 7230c4dbb..98cb3c02a 100644 --- a/.github/workflows/auto-comment.yml +++ b/.github/workflows/auto-comment.yml @@ -6,6 +6,10 @@ on: pull_request: types: [opened, closed] +permissions: + issues: write + pull-requests: write + jobs: auto_comment: runs-on: ubuntu-latest 
@@ -18,39 +22,69 @@ jobs: const { owner, repo } = context.repo; const author = context.payload.sender.login; - if (context.eventName === 'issues' && context.payload.action === 'opened') { - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner, - repo, - body: `Hey @${author}! πŸ‘‹ Thanks for flagging this! πŸ›πŸž - - Before we dig in, Let's make sure you have - - πŸ” Gone through the documentation: https://rengine.wiki - πŸ•΅οΈ Make sure it's not a known issue - πŸ“ Provided us all the details related to this bug` - }); - } else if (context.eventName === 'pull_request' && context.payload.action === 'opened') { - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner, - repo, - body: `Woohoo @${author}! πŸŽ‰ You've just dropped some hot new code! πŸ”₯ - - Hang tight while we review this! You rock! 🀘` - }); - } else if (context.eventName === 'pull_request' && context.payload.action === 'closed') { - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner, - repo, - body: `Holy smokes, @${author}! 🀯 You've just made reNgine even more awesome! - - Your code is now part of the reNgine hall of fame. πŸ† - - Keep the cool ideas coming - maybe next time you'll break the internet! πŸ’»πŸ’₯ + try { + if (context.eventName === 'issues' && context.payload.action === 'opened') { + const issue = await github.rest.issues.get({ + owner, + repo, + issue_number: context.issue.number + }); + + const isFeatureRequest = issue.data.title.toLowerCase().includes('feat'); + + let commentBody; + if (isFeatureRequest) { + commentBody = `Hey @${author}! πŸ‘‹ Thanks for your feature request! πŸ’‘ + + We love hearing new ideas from our community. Here's what happens next: + + 1. πŸ“‹ Our team will review your suggestion + 2. πŸ’¬ We might reach out for more details if needed + 3. πŸ” We'll evaluate how it fits with our roadmap + 4. 
πŸ“’ We'll update you on the status + + Thanks for helping make reNgine even better! πŸš€`; + } else { + commentBody = `Hey @${author}! πŸ‘‹ Thanks for flagging this! πŸ›πŸž + + Before we dig in, Let's make sure you have: + + πŸ” Gone through the documentation: https://rengine.wiki + πŸ•΅οΈ Make sure it's not a known issue + πŸ“ Provided us all the details related to this bug`; + } + + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner, + repo, + body: commentBody + }); + } else if (context.eventName === 'pull_request' && context.payload.action === 'opened') { + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner, + repo, + body: `Woohoo @${author}! πŸŽ‰ You've just dropped some hot new code! πŸ”₯ + + Hang tight while we review this! You rock! 🀘` + }); + } else if (context.eventName === 'pull_request' && context.payload.action === 'closed') { + await github.rest.issues.createComment({ + issue_number: context.issue.number, + owner, + repo, + body: `Holy smokes, @${author}! 🀯 You've just made reNgine even more awesome! + + Your code is now part of the reNgine hall of fame. πŸ† + + Keep the cool ideas coming - maybe next time you'll break the internet! πŸ’»πŸ’₯ - Virtual high fives all around! πŸ™Œ` - }); + Virtual high fives all around! πŸ™Œ` + }); + } + console.log('Comment created successfully'); + } catch (error) { + console.error('Error creating comment:', error); + core.setFailed(`Action failed with error: ${error}`); } \ No newline at end of file From 184a4bf4c62be2fb21b6f571415d65a06eef055a Mon Sep 17 00:00:00 2001 From: Yogesh Ojha Date: Sat, 31 Aug 2024 13:34:53 +0530 Subject: [PATCH 4/8] use pat token for workflow comment --- .github/workflows/auto-comment.yml | 78 +++++++++++++++++------------- 1 file changed, 44 insertions(+), 34 deletions(-) diff --git a/.github/workflows/auto-comment.yml b/.github/workflows/auto-comment.yml index 98cb3c02a..b2fc49f4f 100644 
--- a/.github/workflows/auto-comment.yml +++ b/.github/workflows/auto-comment.yml @@ -6,10 +6,6 @@ on: pull_request: types: [opened, closed] -permissions: - issues: write - pull-requests: write - jobs: auto_comment: runs-on: ubuntu-latest @@ -17,12 +13,29 @@ jobs: - name: πŸ€– Auto Comment on Issues and PRs uses: actions/github-script@v7 with: - github-token: ${{secrets.GITHUB_TOKEN}} + github-token: ${{ secrets.PAT_TOKEN }} script: | const { owner, repo } = context.repo; const author = context.payload.sender.login; + async function createComment(issueNumber, body) { + try { + await github.rest.issues.createComment({ + owner, + repo, + issue_number: issueNumber, + body: body + }); + console.log(`Comment created successfully for ${context.eventName} #${issueNumber}`); + } catch (error) { + console.error(`Error creating comment for ${context.eventName} #${issueNumber}:`, error); + core.setFailed(`Failed to create comment: ${error.message}`); + } + } + try { + console.log('Event details:', JSON.stringify(context.payload, null, 2)); + if (context.eventName === 'issues' && context.payload.action === 'opened') { const issue = await github.rest.issues.get({ owner, @@ -30,7 +43,8 @@ jobs: issue_number: context.issue.number }); - const isFeatureRequest = issue.data.title.toLowerCase().includes('feat'); + const isFeatureRequest = issue.data.title.toLowerCase().includes('feature request') || + issue.data.body.toLowerCase().includes('feature request'); let commentBody; if (isFeatureRequest) { 
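Review bot: `github-token: ${{ secrets.PAT_TOKEN }}` replaces the run-scoped `GITHUB_TOKEN` with a personal access token, which carries every scope and repository its owner granted it and outlives the run; if the goal is only to post as a named account, a fine-grained token limited to this repository with issues and pull-requests write is the least-privilege form, and the `permissions:` block removed in the first hunk of this patch should stay so the intended scope remains visible. `console.log('Event details:', JSON.stringify(context.payload, null, 2))` also writes the entire event, including issue and PR bodies supplied by any user, into the run log; drop it before merge or keep it behind `core.isDebug()`. The `try` block this log line opens continues beyond the hunk.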
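Review bot: `issue.data.body.toLowerCase()` throws a TypeError when the issue was opened with an empty description, because the REST API returns `body: null` for such issues; the outer `catch` then fails the step and no greeting is posted at all. Guard the optional field: `(issue.data.body ?? '').toLowerCase().includes('feature request')`. The `try` block enclosing this hunk starts and ends outside it.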
@@ -54,37 +68,33 @@ jobs: πŸ“ Provided us all the details related to this bug`; } - await github.rest.issues.createComment({ - issue_number: context.issue.number, - owner, - repo, - body: commentBody - }); - } else if (context.eventName === 'pull_request' && context.payload.action === 'opened') { - await github.rest.issues.createComment({ - issue_number: context.issue.number, - owner, - repo, - body: `Woohoo @${author}! πŸŽ‰ You've just dropped some hot new code! πŸ”₯ + await createComment(context.issue.number, commentBody); + } else if (context.eventName === 'pull_request') { + console.log('Processing pull request event'); + const prNumber = context.payload.pull_request.number; + let commentBody; + + if (context.payload.action === 'opened') { + commentBody = `Woohoo @${author}! πŸŽ‰ You've just dropped some hot new code!!! πŸ”₯ - Hang tight while we review this! You rock! 🀘` - }); - } else if (context.eventName === 'pull_request' && context.payload.action === 'closed') { - await github.rest.issues.createComment({ - issue_number: context.issue.number, - owner, - repo, - body: `Holy smokes, @${author}! 🀯 You've just made reNgine even more awesome! + Hang tight while we review this! You rock! 🀘`; + } else if (context.payload.action === 'closed') { + commentBody = `Holy smokes, @${author}! 🀯 You've just made reNgine even more awesome! - Your code is now part of the reNgine hall of fame. πŸ† - - Keep the cool ideas coming - maybe next time you'll break the internet! πŸ’»πŸ’₯ + Your code is now part of the reNgine hall of fame. πŸ† + + Keep the cool ideas coming - maybe next time you'll break the internet! πŸ’»πŸ’₯ - Virtual high fives all around! πŸ™Œ` - }); + Virtual high fives all around! 
πŸ™Œ`; + } + + if (commentBody) { + await createComment(prNumber, commentBody); + } else { + console.log(`No action taken for pull request ${context.payload.action} event`); + } } - console.log('Comment created successfully'); } catch (error) { - console.error('Error creating comment:', error); - core.setFailed(`Action failed with error: ${error}`); + console.error('Error in workflow:', error); + core.setFailed(`Workflow failed with error: ${error.message}`); } \ No newline at end of file From bdf3e0a28d0e808c7f4556e3262c5b2ede8997c2 Mon Sep 17 00:00:00 2001 From: Yogesh Ojha Date: Sat, 31 Aug 2024 13:38:12 +0530 Subject: [PATCH 5/8] remove personal account comment --- .github/workflows/auto-comment.yml | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/.github/workflows/auto-comment.yml b/.github/workflows/auto-comment.yml index b2fc49f4f..fe9c54a3d 100644 --- a/.github/workflows/auto-comment.yml +++ b/.github/workflows/auto-comment.yml 
@@ -6,26 +6,40 @@ on: pull_request: types: [opened, closed] +permissions: + issues: write + pull-requests: write + jobs: auto_comment: runs-on: ubuntu-latest steps: + - name: Dump GitHub context + env: + GITHUB_CONTEXT: ${{ toJson(github) }} + run: echo "$GITHUB_CONTEXT" + - name: πŸ€– Auto Comment on Issues and PRs uses: actions/github-script@v7 with: - github-token: ${{ secrets.PAT_TOKEN }} + github-token: ${{ secrets.GITHUB_TOKEN }} script: | const { owner, repo } = context.repo; const author = context.payload.sender.login; + console.log('Current actor:', context.actor); + console.log('Event name:', context.eventName); + console.log('Action:', context.payload.action); + async function createComment(issueNumber, body) { try { - await github.rest.issues.createComment({ + const response = await github.rest.issues.createComment({ owner, repo, issue_number: issueNumber, body: body }); + console.log('Comment created by:', response.data.user.login); console.log(`Comment created successfully for ${context.eventName} #${issueNumber}`); } catch (error) { console.error(`Error creating comment for ${context.eventName} #${issueNumber}:`, error); @@ -34,8 +48,6 @@ jobs: } try { - console.log('Event details:', JSON.stringify(context.payload, null, 2)); - if (context.eventName === 'issues' && context.payload.action === 'opened') { const issue = await github.rest.issues.get({ owner, @@ -70,12 +82,11 @@ jobs: await createComment(context.issue.number, commentBody); } else if (context.eventName === 'pull_request') { - console.log('Processing pull request event'); const prNumber = context.payload.pull_request.number; let commentBody; if (context.payload.action === 'opened') { - commentBody = `Woohoo @${author}! πŸŽ‰ You've just dropped some hot new code!!! πŸ”₯ + commentBody = `Woohoo @${author}! πŸŽ‰ You've just dropped some hot new code! πŸ”₯ Hang tight while we review this! You rock! 🀘`; } else if (context.payload.action === 'closed') { 
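Review bot: The new `Dump GitHub context` step prints `toJson(github)` into the run log, which on a public repository is readable by anyone; the serialised context carries `github.token` (masked by Actions, but still serialised) and every user-supplied event field, and a debug step like this tends to be forgotten once the investigation is over. Remove it, or gate it with `if: ${{ runner.debug == '1' }}` so it only runs when debug logging has been enabled for a re-run. The same applies to the `console.log('Current actor:' ...)` lines added to the script.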
From eb0fbc0ba96bda18e4ac23042958f6e5984f9f71 Mon Sep 17 00:00:00 2001 From: Yogesh Ojha Date: Sat, 31 Aug 2024 13:49:43 +0530 Subject: [PATCH 6/8] fix comment on fork --- .github/workflows/auto-comment.yml | 143 +++++++++++++---------------- 1 file changed, 64 insertions(+), 79 deletions(-) diff --git a/.github/workflows/auto-comment.yml b/.github/workflows/auto-comment.yml index fe9c54a3d..d2a44a24d 100644 --- a/.github/workflows/auto-comment.yml +++ b/.github/workflows/auto-comment.yml @@ -3,7 +3,7 @@ name: πŸ’¬ Auto Comment on: issues: types: [opened] - pull_request: + pull_request_target: types: [opened, closed] permissions: 
@@ -14,98 +14,83 @@ jobs: auto_comment: runs-on: ubuntu-latest steps: - - name: Dump GitHub context - env: - GITHUB_CONTEXT: ${{ toJson(github) }} - run: echo "$GITHUB_CONTEXT" - - name: πŸ€– Auto Comment on Issues and PRs uses: actions/github-script@v7 with: - github-token: ${{ secrets.GITHUB_TOKEN }} + github-token: ${{secrets.GITHUB_TOKEN}} script: | const { owner, repo } = context.repo; const author = context.payload.sender.login; - console.log('Current actor:', context.actor); - console.log('Event name:', context.eventName); - console.log('Action:', context.payload.action); + if (context.eventName === 'issues' && context.payload.action === 'opened') { + const issueTitle = context.payload.issue.title.toLowerCase(); + let commentBody; + + if (issueTitle.includes('feat')) { + commentBody = `Hey @${author}! πŸš€ Thanks for this exciting feature idea! + + We love seeing fresh concepts that could take reNgine to the next level. 🌟 - async function createComment(issueNumber, body) { - try { - const response = await github.rest.issues.createComment({ - owner, - repo, - issue_number: issueNumber, - body: body - }); - console.log('Comment created by:', response.data.user.login); - console.log(`Comment created successfully for ${context.eventName} #${issueNumber}`); - } catch (error) { - console.error(`Error creating comment for ${context.eventName} #${issueNumber}:`, error); - core.setFailed(`Failed to create comment: ${error.message}`); - } - } + To help us understand your vision better, could you: - try { - if (context.eventName === 'issues' && context.payload.action === 'opened') { - const issue = await github.rest.issues.get({ - owner, - repo, - issue_number: context.issue.number - }); - - const isFeatureRequest = issue.data.title.toLowerCase().includes('feature request') || - issue.data.body.toLowerCase().includes('feature request'); - - let commentBody; - if (isFeatureRequest) { - commentBody = `Hey @${author}! πŸ‘‹ Thanks for your feature request! 
πŸ’‘ - - We love hearing new ideas from our community. Here's what happens next: - - 1. πŸ“‹ Our team will review your suggestion - 2. πŸ’¬ We might reach out for more details if needed - 3. πŸ” We'll evaluate how it fits with our roadmap - 4. πŸ“’ We'll update you on the status + πŸ“ Provide a detailed description of the feature + 🎯 Explain the problem it solves or the value it adds + πŸ’‘ Share any implementation ideas you might have + + Your input is invaluable in shaping the future of reNgine. Let's innovate together! πŸ’ͺ`; + } else { + commentBody = `Hey @${author}! πŸ‘‹ Thanks for flagging this bug! πŸ›πŸ” - Thanks for helping make reNgine even better! πŸš€`; - } else { - commentBody = `Hey @${author}! πŸ‘‹ Thanks for flagging this! πŸ›πŸž + You're our superhero bug hunter! πŸ¦Έβ€β™‚οΈπŸ¦Έβ€β™€οΈ Before we suit up to squash this bug, could you please: + + πŸ“š Double-check our documentation: https://rengine.wiki + πŸ•΅οΈ Make sure it's not a known issue + πŸ“ Provide all the juicy details about this sneaky bug + + Together, we'll make reNgine bulletproof! πŸ’ͺ`; + } + + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner, + repo, + body: commentBody + }); + } else if (context.eventName === 'pull_request_target' && context.payload.action === 'opened') { + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner, + repo, + body: `Woohoo @${author}! πŸŽ‰ You've just dropped some hot new code! πŸ”₯ - Before we dig in, Let's make sure you have: + Hang tight while we review this! You rock! 
🀘` + }); + } else if (context.eventName === 'pull_request_target' && context.payload.action === 'closed') { + const isPRMerged = context.payload.pull_request.merged; + let commentBody; - πŸ” Gone through the documentation: https://rengine.wiki - πŸ•΅οΈ Make sure it's not a known issue - πŸ“ Provided us all the details related to this bug`; - } - - await createComment(context.issue.number, commentBody); - } else if (context.eventName === 'pull_request') { - const prNumber = context.payload.pull_request.number; - let commentBody; - - if (context.payload.action === 'opened') { - commentBody = `Woohoo @${author}! πŸŽ‰ You've just dropped some hot new code! πŸ”₯ + if (isPRMerged) { + commentBody = `Holy smokes, @${author}! 🀯 You've just made reNgine even more awesome! - Hang tight while we review this! You rock! 🀘`; - } else if (context.payload.action === 'closed') { - commentBody = `Holy smokes, @${author}! 🀯 You've just made reNgine even more awesome! + Your code is now part of the reNgine hall of fame. πŸ† + + Keep the cool ideas coming - maybe next time you'll break the internet! πŸ’»πŸ’₯ - Your code is now part of the reNgine hall of fame. πŸ† - - Keep the cool ideas coming - maybe next time you'll break the internet! πŸ’»πŸ’₯ + Virtual high fives all around! πŸ™Œ`; + } else { + commentBody = `Hey @${author}, thanks for your contribution! πŸ™ - Virtual high fives all around! πŸ™Œ`; - } - - if (commentBody) { - await createComment(prNumber, commentBody); - } else { - console.log(`No action taken for pull request ${context.payload.action} event`); - } + We appreciate the time and effort you put into this PR. + + While we couldn't merge it this time, we value your interest in improving reNgine. + + Feel free to reach out if you have any questions. Thanks again! 
πŸ‘`; } - } catch (error) { - console.error('Error in workflow:', error); - core.setFailed(`Workflow failed with error: ${error.message}`); + + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner, + repo, + body: commentBody + }); } \ No newline at end of file From 12fd79b716904d25a8c8acef35fe79ab3263c2df Mon Sep 17 00:00:00 2001 From: Yogesh Ojha Date: Sat, 31 Aug 2024 13:53:29 +0530 Subject: [PATCH 7/8] update workflow for including PR --- .github/workflows/auto-comment.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/auto-comment.yml b/.github/workflows/auto-comment.yml index d2a44a24d..be0ccdfdf 100644 --- a/.github/workflows/auto-comment.yml +++ b/.github/workflows/auto-comment.yml @@ -3,6 +3,8 @@ name: πŸ’¬ Auto Comment on: issues: types: [opened] + pull_request: + types: [opened, closed] pull_request_target: types: [opened, closed] @@ -47,7 +49,7 @@ jobs: πŸ•΅οΈ Make sure it's not a known issue πŸ“ Provide all the juicy details about this sneaky bug - Together, we'll make reNgine bulletproof! πŸ’ͺ`; + Once again - thanks for your vigilance! πŸ› οΈπŸš€`; } github.rest.issues.createComment({ @@ -56,7 +58,7 @@ jobs: repo, body: commentBody }); - } else if (context.eventName === 'pull_request_target' && context.payload.action === 'opened') { + } else if ((context.eventName === 'pull_request' || context.eventName === 'pull_request_target') && context.payload.action === 'opened') { github.rest.issues.createComment({ issue_number: context.issue.number, owner, @@ -65,7 +67,7 @@ jobs: Hang tight while we review this! You rock! 🀘` }); - } else if (context.eventName === 'pull_request_target' && context.payload.action === 'closed') { + } else if ((context.eventName === 'pull_request' || context.eventName === 'pull_request_target') && context.payload.action === 'closed') { const isPRMerged = context.payload.pull_request.merged; let commentBody; 
@@ -80,11 +82,11 @@ jobs: } else { commentBody = `Hey @${author}, thanks for your contribution! πŸ™ - We appreciate the time and effort you put into this PR. + We appreciate the time and effort you put into this PR. Sadly this is not the right fit for reNgine at the moment. While we couldn't merge it this time, we value your interest in improving reNgine. - Feel free to reach out if you have any questions. Thanks again! πŸ‘`; + Feel free to reach out if you have any questions. Thanks again!`; } github.rest.issues.createComment({ From 1411982cd9d4f52ed1ffa672768d5d491e0d2a94 Mon Sep 17 00:00:00 2001 From: Yogesh Ojha Date: Sat, 31 Aug 2024 14:04:15 +0530 Subject: [PATCH 8/8] fix author name --- .github/workflows/auto-comment.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/auto-comment.yml b/.github/workflows/auto-comment.yml index be0ccdfdf..e5fa9e7c8 100644 --- a/.github/workflows/auto-comment.yml +++ b/.github/workflows/auto-comment.yml @@ -72,7 +72,7 @@ jobs: let commentBody; if (isPRMerged) { - commentBody = `Holy smokes, @${author}! 🀯 You've just made reNgine even more awesome! + commentBody = `Holy smokes! 🀯 You've just made reNgine even more awesome! Your code is now part of the reNgine hall of fame. πŸ† @@ -80,7 +80,7 @@ jobs: Virtual high fives all around! πŸ™Œ`; } else { - commentBody = `Hey @${author}, thanks for your contribution! πŸ™ + commentBody = `Hey, thanks for your contribution! πŸ™ We appreciate the time and effort you put into this PR. Sadly this is not the right fit for reNgine at the moment.
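Review bot: Dropping the mention loses the personalised greeting when keeping it needed only a different field: on a `closed` event `context.payload.sender.login` is whoever merged or closed the PR, while the contributor is `context.payload.pull_request.user.login`. Add `const prAuthor = context.payload.pull_request.user.login;` at the top of the closed-PR branch and use `@${prAuthor}` in both messages instead of removing the name. The `else if` block these template strings belong to starts and ends outside the hunk.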