RDKB-65595 JST (Generic) Security Fuzzing Report Fixes#22
Open
pavankumar464 wants to merge 12 commits into
Open
RDKB-65595 JST (Generic) Security Fuzzing Report Fixes#22pavankumar464 wants to merge 12 commits into
pavankumar464 wants to merge 12 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
This PR addresses issues surfaced by generic security fuzzing in the JST (JavaScript Templates) native code, focusing on safer file handling and input validation.
Changes:
- Add error handling for
fseek()/ftell()failures inread_file()to avoid using invalid file sizes. - Harden
file://URI prefix validation inopenssl_verify_with_certto prevent out-of-bounds reads on short strings.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| source/jst_internal.c | Improves robustness of file-size discovery by checking fseek()/ftell() error conditions before allocating/reading. |
| source/jst_functions.c | Strengthens file:// prefix validation in certificate loading logic used by OpenSSL verification. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Ensured `session_id` is freed on **all** exit paths (including success). Allocated the new identifier into a temporary pointer (`new_session_identifier`) first. Freed old `session_identifier` (if present) before replacing it. Assigned `session_identifier = new_session_identifier` only after successful construction.
…safe process flow. No shell is used to execute user input. Shell metacharacter injection (`;`, `&&`, `|`, etc.) no longer gets interpreted as command chaining. Output is still captured line-by-line and returned as the same JS array structure.
This avoids modifying memory returned from `getenv()`.
…ypass/hijack paths: - Require cookie token length to be **exactly** `SESSION_ID_LENGTH` (not just `>=`). - Copy the token safely into a local buffer and validate there. - Enforce required prefix: token must start with `SESSION_PREFIX` (`"jst_sess"`). - Validate the random suffix chars with `isalnum` on `unsigned char`. - Only if all checks pass, check for the corresponding session file and load `session_identifier`.
Optimize file:// prefix validation: replace strlen+memcmp with fixed-length strncmp
…ge and guard size+1 overflow
…ith `wordfree(&args)`
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.