wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-08-16 01:32:58 +02:00
Code Issues Projects Releases Wiki Activity

chore: Conservative dependency updates for Jinja2 security fix (#14792)

Browse source 
* chore: Conservative dependency updates for security

- Update Ansible from 9.1.0 to 9.2.0 (one minor version bump only)
- Update Jinja2 to ~3.1.6 to fix CVE-2025-27516 (critical security fix)
- Pin netaddr to 1.3.0 (current stable version)

This is a minimal, conservative update focused on:
1. Critical security fix for Jinja2
2. Minor ansible update for bug fixes
3. Pinning netaddr to prevent surprises

No changes to Ansible collections - keeping them unpinned for now.

* fix: Address linter issues (ruff, yamllint, shellcheck)

- Fixed ruff configuration by moving linter settings to [tool.ruff.lint] section
- Fixed ruff code issues:
  - Moved imports to top of files (E402)
  - Removed unused variables or commented them out
  - Updated string formatting from % to .format()
  - Replaced dict() calls with literals
  - Fixed assert False usage in tests
- Fixed yamllint issues:
  - Added missing newlines at end of files
  - Removed trailing spaces
  - Added document start markers (---) to YAML files
  - Fixed 'on:' truthy warnings in GitHub workflows
- Fixed shellcheck issues:
  - Properly quoted variables in shell scripts
  - Fixed A && B || C pattern with proper if/then/else
  - Improved FreeBSD rc script quoting

All linters now pass without errors related to our code changes.

* fix: Additional yamllint fixes for GitHub workflows

- Added document start markers (---) to test-effectiveness.yml
- Fixed 'on:' truthy warning by quoting as 'on:'
- Removed trailing spaces from main.yml
- Added missing newline at end of test-effectiveness.yml
This commit is contained in:
Dan Guido 2025-08-03 07:45:26 -04:00 committed by GitHub
parent 49aa9c49a4
commit be744b16a2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
21 changed files with 266 additions and 266 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.github/FUNDING.yml vendored
View file

@ -1,3 +1,4 @@
---
# These are supported funding model platforms # These are supported funding model platforms
github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2] github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]

1
.github/dependabot.yml vendored
View file

@ -1,3 +1,4 @@
---
version: 2 version: 2
updates: updates:
# Maintain dependencies for GitHub Actions # Maintain dependencies for GitHub Actions

3
.github/workflows/integration-tests.yml vendored
View file

@ -1,6 +1,7 @@
---
name: Integration Tests name: Integration Tests
on: 'on':
pull_request: pull_request:
types: [opened, synchronize, reopened] types: [opened, synchronize, reopened]
paths: paths:

3
.github/workflows/lint.yml vendored
View file

@ -1,6 +1,7 @@
---
name: Lint name: Lint
on: [push, pull_request] 'on': [push, pull_request]
permissions: permissions:
contents: read contents: read

3
.github/workflows/smart-tests.yml vendored
View file

@ -1,6 +1,7 @@
---
name: Smart Test Selection name: Smart Test Selection
on: 'on':
pull_request: pull_request:
types: [opened, synchronize, reopened] types: [opened, synchronize, reopened]

3
.github/workflows/test-effectiveness.yml vendored
View file

@ -1,6 +1,7 @@
---
name: Test Effectiveness Tracking name: Test Effectiveness Tracking
on: 'on':
schedule: schedule:
- cron: '0 0 * * 0' # Weekly on Sunday - cron: '0 0 * * 0' # Weekly on Sunday
workflow_dispatch: # Allow manual runs workflow_dispatch: # Allow manual runs

8
algo-docker.sh
View file

@ -11,9 +11,9 @@ usage() {
retcode="${1:-0}" retcode="${1:-0}"
echo "To run algo from Docker:" echo "To run algo from Docker:"
echo "" echo ""
echo "docker run --cap-drop=all -it -v <path to configurations>:"${DATA_DIR}" ghcr.io/trailofbits/algo:latest" echo "docker run --cap-drop=all -it -v <path to configurations>:${DATA_DIR} ghcr.io/trailofbits/algo:latest"
echo "" echo ""
exit ${retcode} exit "${retcode}"
} }
if [ ! -f "${DATA_DIR}"/config.cfg ] ; then if [ ! -f "${DATA_DIR}"/config.cfg ] ; then
@ -25,7 +25,7 @@ fi
if [ ! -e /dev/console ] ; then if [ ! -e /dev/console ] ; then
echo "Looks like you're trying to run this container without a TTY." echo "Looks like you're trying to run this container without a TTY."
echo "If you don't pass `-t`, you can't interact with the algo script." echo "If you don't pass -t, you can't interact with the algo script."
echo "" echo ""
usage -1 usage -1
fi fi
@ -41,4 +41,4 @@ test -d "${DATA_DIR}"/configs && rsync -qLktr --delete "${DATA_DIR}"/configs "${
retcode=${?} retcode=${?}
rsync -qLktr --delete "${ALGO_DIR}"/configs "${DATA_DIR}"/ rsync -qLktr --delete "${ALGO_DIR}"/configs "${DATA_DIR}"/
exit ${retcode} exit "${retcode}"

37
library/digital_ocean_floating_ip.py
View file

@ -138,9 +138,8 @@ def wait_action(module, rest, ip, action_id, timeout=10):
end_time = time.time() + 10 end_time = time.time() + 10
while time.time() < end_time: while time.time() < end_time:
response = rest.get(f'floating_ips/{ip}/actions/{action_id}') response = rest.get(f'floating_ips/{ip}/actions/{action_id}')
status_code = response.status_code # status_code = response.status_code # TODO: check status_code == 200?
status = response.json['action']['status'] status = response.json['action']['status']
# TODO: check status_code == 200?
if status == 'completed': if status == 'completed':
return True return True
elif status == 'errored': elif status == 'errored':
@ -150,7 +149,7 @@ def wait_action(module, rest, ip, action_id, timeout=10):
def core(module): def core(module):
api_token = module.params['oauth_token'] # api_token = module.params['oauth_token'] # unused for now
state = module.params['state'] state = module.params['state']
ip = module.params['ip'] ip = module.params['ip']
droplet_id = module.params['droplet_id'] droplet_id = module.params['droplet_id']
@ -185,7 +184,7 @@ def get_floating_ip_details(module, rest):
if status_code == 200: if status_code == 200:
return json_data['floating_ip'] return json_data['floating_ip']
else: else:
module.fail_json(msg="Error assigning floating ip [{0}: {1}]".format( module.fail_json(msg="Error assigning floating ip [{}: {}]".format(
status_code, json_data["message"]), region=module.params['region']) status_code, json_data["message"]), region=module.params['region'])
@ -205,7 +204,7 @@ def assign_floating_id_to_droplet(module, rest):
module.exit_json(changed=True, data=json_data) module.exit_json(changed=True, data=json_data)
else: else:
module.fail_json(msg="Error creating floating ip [{0}: {1}]".format( module.fail_json(msg="Error creating floating ip [{}: {}]".format(
status_code, json_data["message"]), region=module.params['region']) status_code, json_data["message"]), region=module.params['region'])
@ -247,26 +246,26 @@ def create_floating_ips(module, rest):
if status_code == 202: if status_code == 202:
module.exit_json(changed=True, data=json_data) module.exit_json(changed=True, data=json_data)
else: else:
module.fail_json(msg="Error creating floating ip [{0}: {1}]".format( module.fail_json(msg="Error creating floating ip [{}: {}]".format(
status_code, json_data["message"]), region=module.params['region']) status_code, json_data["message"]), region=module.params['region'])
def main(): def main():
module = AnsibleModule( module = AnsibleModule(
argument_spec=dict( argument_spec={
state=dict(choices=['present', 'absent'], default='present'), 'state': {'choices': ['present', 'absent'], 'default': 'present'},
ip=dict(aliases=['id'], required=False), 'ip': {'aliases': ['id'], 'required': False},
region=dict(required=False), 'region': {'required': False},
droplet_id=dict(required=False, type='int'), 'droplet_id': {'required': False, 'type': 'int'},
oauth_token=dict( 'oauth_token': {
no_log=True, 'no_log': True,
# Support environment variable for DigitalOcean OAuth Token # Support environment variable for DigitalOcean OAuth Token
fallback=(env_fallback, ['DO_API_TOKEN', 'DO_API_KEY', 'DO_OAUTH_TOKEN']), 'fallback': (env_fallback, ['DO_API_TOKEN', 'DO_API_KEY', 'DO_OAUTH_TOKEN']),
required=True, 'required': True,
), },
validate_certs=dict(type='bool', default=True), 'validate_certs': {'type': 'bool', 'default': True},
timeout=dict(type='int', default=30), 'timeout': {'type': 'int', 'default': 30},
), },
required_if=[ required_if=[
('state', 'delete', ['ip']) ('state', 'delete', ['ip'])
], ],

17
library/gcp_compute_location_info.py
View file

@ -2,26 +2,23 @@
import json
from ansible.module_utils.gcp_utils import GcpModule, GcpSession, navigate_hash
################################################################################ ################################################################################
# Documentation # Documentation
################################################################################ ################################################################################
ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ["preview"], 'supported_by': 'community'} ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ["preview"], 'supported_by': 'community'}
################################################################################
# Imports
################################################################################
import json
from ansible.module_utils.gcp_utils import GcpModule, GcpSession, navigate_hash
################################################################################ ################################################################################
# Main # Main
################################################################################ ################################################################################
def main(): def main():
module = GcpModule(argument_spec=dict(filters=dict(type='list', elements='str'), scope=dict(required=True, type='str'))) module = GcpModule(argument_spec={'filters': {'type': 'list', 'elements': 'str'}, 'scope': {'required': True, 'type': 'str'}})
if module._name == 'gcp_compute_image_facts': if module._name == 'gcp_compute_image_facts':
module.deprecate("The 'gcp_compute_image_facts' module has been renamed to 'gcp_compute_regions_info'", version='2.13') module.deprecate("The 'gcp_compute_image_facts' module has been renamed to 'gcp_compute_regions_info'", version='2.13')
@ -59,7 +56,7 @@ def query_options(filters):
for f in filters: for f in filters:
# For multiple queries, all queries should have () # For multiple queries, all queries should have ()
if f[0] != '(' and f[-1] != ')': if f[0] != '(' and f[-1] != ')':
queries.append("(%s)" % ''.join(f)) queries.append("({})".format(''.join(f)))
else: else:
queries.append(f) queries.append(f)
@ -79,7 +76,7 @@ def return_if_object(module, response):
module.raise_for_status(response) module.raise_for_status(response)
result = response.json() result = response.json()
except getattr(json.decoder, 'JSONDecodeError', ValueError) as inst: except getattr(json.decoder, 'JSONDecodeError', ValueError) as inst:
module.fail_json(msg="Invalid JSON response with error: %s" % inst) module.fail_json(msg="Invalid JSON response with error: {}".format(inst))
if navigate_hash(result, ['error', 'errors']): if navigate_hash(result, ['error', 'errors']):
module.fail_json(msg=navigate_hash(result, ['error', 'errors'])) module.fail_json(msg=navigate_hash(result, ['error', 'errors']))

2
pyproject.toml
View file

@ -2,6 +2,8 @@
# Ruff configuration # Ruff configuration
target-version = "py310" target-version = "py310"
line-length = 120 line-length = 120
[tool.ruff.lint]
select = [ select = [
"E", # pycodestyle errors "E", # pycodestyle errors
"W", # pycodestyle warnings "W", # pycodestyle warnings

6
requirements.txt
View file

@ -1,3 +1,3 @@
ansible==9.1.0 ansible==9.2.0
jinja2~=3.1.3 jinja2~=3.1.6
netaddr netaddr==1.3.0

14
roles/wireguard/files/wireguard.sh
View file

@ -17,24 +17,28 @@ status_cmd=wg_status
pidfile="/var/run/$name.pid" pidfile="/var/run/$name.pid"
load_rc_config "$name" load_rc_config "$name"
: ${wg_enable="NO"} : "${wg_enable=NO}"
: ${wg_interface="wg0"} : "${wg_interface=wg0}"
wg_up() { wg_up() {
echo "Starting WireGuard..." echo "Starting WireGuard..."
/usr/sbin/daemon -cS -p ${pidfile} ${command} up ${wg_interface} /usr/sbin/daemon -cS -p "${pidfile}" "${command}" up "${wg_interface}"
} }
wg_down() { wg_down() {
echo "Stopping WireGuard..." echo "Stopping WireGuard..."
${command} down ${wg_interface} "${command}" down "${wg_interface}"
} }
wg_status () { wg_status () {
not_running () { not_running () {
echo "WireGuard is not running on $wg_interface" && exit 1 echo "WireGuard is not running on $wg_interface" && exit 1
} }
/usr/local/bin/wg show wg0 && echo "WireGuard is running on $wg_interface" || not_running if /usr/local/bin/wg show wg0; then
echo "WireGuard is running on $wg_interface"
else
not_running
fi
} }
run_rc_command "$1" run_rc_command "$1"

3
scripts/track-test-effectiveness.py
View file

@ -5,9 +5,8 @@ This helps identify which tests actually catch bugs vs just failing randomly
""" """
import json import json
import subprocess import subprocess
import sys
from datetime import datetime, timedelta
from collections import defaultdict from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import Path from pathlib import Path

3
tests/fixtures/__init__.py vendored
View file

@ -1,8 +1,9 @@
"""Test fixtures for Algo unit tests""" """Test fixtures for Algo unit tests"""
import os import os
import yaml
from pathlib import Path from pathlib import Path
import yaml
def load_test_variables(): def load_test_variables():
"""Load test variables from YAML fixture""" """Load test variables from YAML fixture"""

7
tests/unit/test_docker_localhost_deployment.py
View file

@ -4,11 +4,8 @@ Simplified Docker-based localhost deployment tests
Verifies services can start and config files exist in expected locations Verifies services can start and config files exist in expected locations
""" """
import os import os
import sys
import subprocess import subprocess
import time import sys
import tempfile
from pathlib import Path
def check_docker_available(): def check_docker_available():
@ -95,7 +92,7 @@ def test_docker_algo_image():
return False return False
# Read Dockerfile and validate basic structure # Read Dockerfile and validate basic structure
with open('Dockerfile', 'r') as f: with open('Dockerfile') as f:
dockerfile_content = f.read() dockerfile_content = f.read()
required_elements = [ required_elements = [

13
tests/unit/test_generated_configs.py
View file

@ -3,12 +3,9 @@
Test that generated configuration files have valid syntax Test that generated configuration files have valid syntax
This validates WireGuard, StrongSwan, SSH, and other configs This validates WireGuard, StrongSwan, SSH, and other configs
""" """
import os
import re import re
import subprocess import subprocess
import sys import sys
import tempfile
from pathlib import Path
def check_command_available(cmd): def check_command_available(cmd):
@ -88,7 +85,7 @@ PersistentKeepalive = 25
errors.append(f"Invalid Endpoint format: {endpoint}") errors.append(f"Invalid Endpoint format: {endpoint}")
if errors: if errors:
print(f"✗ WireGuard config validation failed:") print("✗ WireGuard config validation failed:")
for error in errors: for error in errors:
print(f" - {error}") print(f" - {error}")
assert False, "WireGuard config validation failed" assert False, "WireGuard config validation failed"
@ -165,7 +162,7 @@ conn ikev2-pubkey
errors.append(f"Invalid subnet format: {subnet}") errors.append(f"Invalid subnet format: {subnet}")
if errors: if errors:
print(f"✗ StrongSwan ipsec.conf validation failed:") print("✗ StrongSwan ipsec.conf validation failed:")
for error in errors: for error in errors:
print(f" - {error}") print(f" - {error}")
assert False, "ipsec.conf validation failed" assert False, "ipsec.conf validation failed"
@ -223,7 +220,7 @@ def test_ssh_config_syntax():
errors.append("No Host definition found") errors.append("No Host definition found")
if errors: if errors:
print(f"✗ SSH config validation failed:") print("✗ SSH config validation failed:")
for error in errors: for error in errors:
print(f" - {error}") print(f" - {error}")
assert False, "SSH config validation failed" assert False, "SSH config validation failed"
@ -291,7 +288,7 @@ COMMIT
errors.append("Missing stateful connection tracking rule") errors.append("Missing stateful connection tracking rule")
if errors: if errors:
print(f"✗ iptables rules validation failed:") print("✗ iptables rules validation failed:")
for error in errors: for error in errors:
print(f" - {error}") print(f" - {error}")
assert False, "iptables rules validation failed" assert False, "iptables rules validation failed"
@ -358,7 +355,7 @@ addn-hosts=/var/lib/algo/dns/adblock.hosts
errors.append(f"Missing required option: {req}") errors.append(f"Missing required option: {req}")
if errors: if errors:
print(f"✗ dnsmasq config validation failed:") print("✗ dnsmasq config validation failed:")
for error in errors: for error in errors:
print(f" - {error}") print(f" - {error}")
assert False, "dnsmasq config validation failed" assert False, "dnsmasq config validation failed"

6
tests/unit/test_template_rendering.py
View file

@ -5,11 +5,9 @@ This catches undefined variables, syntax errors, and logic bugs
""" """
import os import os
import sys import sys
import tempfile
from pathlib import Path from pathlib import Path
import yaml from jinja2 import Environment, FileSystemLoader, StrictUndefined, TemplateSyntaxError, UndefinedError
from jinja2 import Environment, FileSystemLoader, StrictUndefined, UndefinedError, TemplateSyntaxError
# Add parent directory to path for fixtures # Add parent directory to path for fixtures
sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__)))) sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
@ -153,7 +151,7 @@ def test_critical_templates():
errors.append(f"{template_path}: Render error - {e}") errors.append(f"{template_path}: Render error - {e}")
if errors: if errors:
print(f"✗ Critical template rendering failed:") print("✗ Critical template rendering failed:")
for error in errors: for error in errors:
print(f" - {error}") print(f" - {error}")
assert False, "Critical template rendering errors" assert False, "Critical template rendering errors"