Skip to content

RDKB-65595 JST (Generic) Security Fuzzing Report Fixes#22

Open
pavankumar464 wants to merge 12 commits into
developfrom
bug/securityFixes
Open

RDKB-65595 JST (Generic) Security Fuzzing Report Fixes#22
pavankumar464 wants to merge 12 commits into
developfrom
bug/securityFixes

Conversation

@pavankumar464

Copy link
Copy Markdown
Contributor

No description provided.

Copilot AI review requested due to automatic review settings June 15, 2026 16:14
@pavankumar464 pavankumar464 requested a review from a team as a code owner June 15, 2026 16:14

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses issues surfaced by generic security fuzzing in the JST (JavaScript Templates) native code, focusing on safer file handling and input validation.

Changes:

  • Add error handling for fseek()/ftell() failures in read_file() to avoid using invalid file sizes.
  • Harden file:// URI prefix validation in openssl_verify_with_cert to prevent out-of-bounds reads on short strings.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
source/jst_internal.c Improves robustness of file-size discovery by checking fseek()/ftell() error conditions before allocating/reading.
source/jst_functions.c Strengthens file:// prefix validation in certificate loading logic used by OpenSSL verification.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread source/jst_internal.c
Comment thread source/jst_functions.c Outdated
Ensured `session_id` is freed on **all** exit paths (including success).
Allocated the new identifier into a temporary pointer (`new_session_identifier`) first.
Freed old `session_identifier` (if present) before replacing it.
Assigned `session_identifier = new_session_identifier` only after successful construction.
…safe process flow.

No shell is used to execute user input.
Shell metacharacter injection (`;`, `&&`, `|`, etc.) no longer gets interpreted as command chaining.
Output is still captured line-by-line and returned as the same JS array structure.
This avoids modifying memory returned from `getenv()`.
…ypass/hijack paths:

- Require cookie token length to be **exactly** `SESSION_ID_LENGTH` (not just `>=`).
- Copy the token safely into a local buffer and validate there.
- Enforce required prefix: token must start with `SESSION_PREFIX` (`"jst_sess"`).
- Validate the random suffix chars with `isalnum` on `unsigned char`.
- Only if all checks pass, check for the corresponding session file and load `session_identifier`.
Optimize file:// prefix validation: replace strlen+memcmp with fixed-length strncmp
Copilot AI review requested due to automatic review settings June 15, 2026 17:18

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

Comment thread source/jst_session.c
Comment thread source/jst_functions.c
Comment thread source/jst_functions.c Dismissed
Comment thread source/jst_internal.c Fixed
Comment thread source/jst_internal.c Fixed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants