AIT-Core issues

Drop Python 3.7 / pycparser and python 3.7

1

Any plans to update the minimum required Python version to 3.8? It seems there are a number of dependencies that rely on Python 3.8 or greater with pycparser being among...

cjjacks

Issue #530 - Use SafeLoader for YAML load calls

The primary changes address using safer version of YAML loads: 1) swapping `yaml.load(source,Loader=yaml.Loader)` to `yaml.safe_load(source)`. (similar for `load_all`) 2) swap Yaml object constructors from `yaml.add_constructor()` to `yaml.SafeLoader.add_constructor()` 3) update pyyaml...

nttoole

Multiple Local Code Executions (using YAML)

1

Multiple Local Code Executions (using YAML) AIT-Core uses the YAML Python library (pyyaml) in version 5.3.1, which is vulnerable to Command Execution vulnerabilities. By crafting a malicious YAML file, the...

nttoole

Remote Code Execution

1

AIT-Core comes with a server that enables the ZMQ topic/streams to make telemetry and telecommands packets available remotely, i.e., via API script. To start a simple server, importing an Instrument...

nttoole

SQL injection concerns

**SQL Injection** AIT-Core has a functionality that provides an interface to a back-end database containing the AIT Telemetry, AIT Commands, and AIT Event Records. By default, AIT-Core provides the implementation...

nttoole

Multiple Local Code Executions (using eval)

**Multiple Local Code Executions (using eval)** AIT-Core is a highly customisable framework that allows its users to employ Python expressions in some regions of its functionality. However, in some cases,...

nttoole

Multiple Local Code Executions (using Pickle)

2

AIT-Core extensively uses Pickle. As per Python documentation, this library is insecure and allows bad actors to achieve Command Execution. One example is loading a leap seconds configuration file, part...

nttoole

Issue #531 - Add Security notes to the server documentation

2

Addresses: 1) network security, 2) configuration file security. Fixes #531

nttoole

Free the dependencies!

There are a number of dependencies locked in the projects dependency specification. Are there any known incompatibilities with newer versions? This constraint prevents any downstream projects from receiving security or...

eguzman-jpl

`ait-seq-encode` and `ait-seq-decode` are broken as they reference old method names

See https://github.com/NASA-AMMOS/AIT-Core/blob/70d6ed4f07107253d9a36ad799a05b1f5df7d42f/ait/core/bin/ait_seq_decode.py#L82 and https://github.com/NASA-AMMOS/AIT-Core/blob/70d6ed4f07107253d9a36ad799a05b1f5df7d42f/ait/core/bin/ait_seq_encode.py#L88 which should be https://github.com/NASA-AMMOS/AIT-Core/blob/70d6ed4f07107253d9a36ad799a05b1f5df7d42f/ait/core/seq.py#L284 and https://github.com/NASA-AMMOS/AIT-Core/blob/70d6ed4f07107253d9a36ad799a05b1f5df7d42f/ait/core/seq.py#L250

vatsal-j

AIT-Core
AIT-Core copied to clipboard

Metadata

Drop Python 3.7 / pycparser and python 3.7

Issue #530 - Use SafeLoader for YAML load calls

Multiple Local Code Executions (using YAML)

Remote Code Execution

SQL injection concerns

Multiple Local Code Executions (using eval)

Multiple Local Code Executions (using Pickle)

Issue #531 - Add Security notes to the server documentation

Free the dependencies!

`ait-seq-encode` and `ait-seq-decode` are broken as they reference old method names

← Metadata

Owner

Metadata

AIT-Core AIT-Core copied to clipboard

Metadata

← Metadata

Owner

Metadata

AIT-Core
AIT-Core copied to clipboard