Merge remote-tracking branch 'origin/release/v11.2.6' into backlog/compliance-evaluation

Author: elmilan06

agent-manager/agent/agent_imp.go

@@ -29,13 +29,20 @@ type AgentService struct {
 	AgentStreamMap        map[uint]AgentService_AgentStreamServer
 	AgentStreamMutex      sync.Mutex
 	CacheAgentKey         map[uint]string
-	CacheAgentKeyMutex    sync.Mutex
+	CacheAgentKeyMutex    sync.RWMutex
 	CommandResultChannel  map[string]chan *CommandResult
 	CommandResultChannelM sync.Mutex
 
 	DBConnection *database.DB
 }
 
+func (s *AgentService) ValidateAgentKey(key string, id uint) bool {
+	s.CacheAgentKeyMutex.RLock()
+	defer s.CacheAgentKeyMutex.RUnlock()
+	_, valid := utils.IsKeyPairValid(key, id, s.CacheAgentKey)
+	return valid
+}
+
 func InitAgentService() error {
 	var err error
 	agentServOnce.Do(func() {
@@ -338,20 +345,35 @@ func (s *AgentService) ProcessCommand(stream PanelService_ProcessCommandServer)
 			return status.Errorf(codes.Internal, "failed to send command to agent: %v", err)
 		}
 
-		result := <-s.CommandResultChannel[cmdID]
-		err = s.DBConnection.Upsert(
-			&models.AgentCommand{},
-			"agent_id = ? AND cmd_id = ?",
-			map[string]interface{}{"command_status": models.Executed, "result": result.Result},
-			cmd.AgentId, cmdID,
-		)
-		if err != nil {
-			catcher.Error("failed to update command status", err, map[string]any{"process": "agent-manager"})
-		}
+		select {
+		case result := <-s.CommandResultChannel[cmdID]:
+			err = s.DBConnection.Upsert(
+				&models.AgentCommand{},
+				"agent_id = ? AND cmd_id = ?",
+				map[string]interface{}{"command_status": models.Executed, "result": result.Result},
+				cmd.AgentId, cmdID,
+			)
+			if err != nil {
+				catcher.Error("failed to update command status", err, map[string]any{"process": "agent-manager"})
+			}
 
-		err = stream.Send(result)
-		if err != nil {
-			return err
+			err = stream.Send(result)
+			if err != nil {
+				return err
+			}
+		case <-time.After(5 * time.Minute):
+			s.CommandResultChannelM.Lock()
+			delete(s.CommandResultChannel, cmdID)
+			s.CommandResultChannelM.Unlock()
+
+			_ = s.DBConnection.Upsert(
+				&models.AgentCommand{},
+				"agent_id = ? AND cmd_id = ?",
+				map[string]interface{}{"command_status": models.Error, "result": "command timed out after 5 minutes"},
+				cmd.AgentId, cmdID,
+			)
+
+			return status.Errorf(codes.DeadlineExceeded, "agent did not respond within 5 minutes")
 		}
 
 		s.CommandResultChannelM.Lock()

agent-manager/agent/collector_imp.go

@@ -43,13 +43,20 @@ type CollectorService struct {
 	CollectorConfigsCache     map[uint][]*CollectorConfigGroup
 	CollectorConfigsCacheM    sync.Mutex
 	CacheCollectorKey         map[uint]string
-	CacheCollectorKeyMutex    sync.Mutex
+	CacheCollectorKeyMutex    sync.RWMutex
 	CollectorPendigConfigChan chan *CollectorConfig
 	CollectorTypes            []enum.UTMModule
 
 	DBConnection *database.DB
 }
 
+func (s *CollectorService) ValidateCollectorKey(key string, id uint) bool {
+	s.CacheCollectorKeyMutex.RLock()
+	defer s.CacheCollectorKeyMutex.RUnlock()
+	_, valid := utils.IsKeyPairValid(key, id, s.CacheCollectorKey)
+	return valid
+}
+
 func InitCollectorService() {
 	collectorServOnce.Do(func() {
 		CollectorServ = &CollectorService{

agent-manager/agent/interceptor.go

@@ -2,7 +2,7 @@ package agent
 
 import (
 	"context"
-	_ "errors"
+	"crypto/subtle"
 	"fmt"
 	"strconv"
 	"strings"
@@ -79,11 +79,11 @@ func authHeaders(md metadata.MD, fullMethod string) error {
 		typ := strings.ToLower(connectorType[0])
 		switch typ {
 		case "agent":
-			if _, isValid := utils.IsKeyPairValid(key, uint(id), AgentServ.CacheAgentKey); !isValid {
+			if !AgentServ.ValidateAgentKey(key, uint(id)) {
 				return status.Error(codes.PermissionDenied, "invalid key")
 			}
 		case "collector":
-			if _, isValid := utils.IsKeyPairValid(key, uint(id), CollectorServ.CacheCollectorKey); !isValid {
+			if !CollectorServ.ValidateCollectorKey(key, uint(id)) {
 				return status.Error(codes.PermissionDenied, "invalid key")
 			}
 		default:
@@ -102,7 +102,7 @@ func authHeaders(md metadata.MD, fullMethod string) error {
 }
 
 func isInternalKeyValid(token string) bool {
-	return token == config.InternalKey
+	return subtle.ConstantTimeCompare([]byte(token), []byte(config.InternalKey)) == 1
 }
 
 func isInRoute(route string, list []string) bool {

agent-manager/agent/parser.go

@@ -100,7 +100,11 @@ func replaceSecretValues(input string) string {
 			return match
 		}
 		encryptedValue := matches[2]
-		decryptedValue, _ := utils.DecryptValue(config.EncryptionKey, encryptedValue)
+		decryptedValue, err := utils.DecryptValue(config.EncryptionKey, encryptedValue)
+		if err != nil {
+			catcher.Error("failed to decrypt secret value in command", err, map[string]any{"process": "agent-manager"})
+			return match
+		}
 		return decryptedValue
 	})
 }

agent-manager/utils/auth.go

@@ -1,6 +1,7 @@
 package utils
 
 import (
+	"crypto/subtle"
 	"crypto/tls"
 	"net/http"
 	"strings"
@@ -19,10 +20,12 @@ func IsConnectionKeyValid(panelUrl string, token string) bool {
 }
 
 func IsKeyPairValid(key string, id uint, cache map[uint]string) (string, bool) {
-	for agentId, agentKey := range cache {
-		if key == agentKey && id == agentId {
-			return agentKey, true
-		}
+	agentKey, ok := cache[id]
+	if !ok {
+		return "", false
+	}
+	if subtle.ConstantTimeCompare([]byte(key), []byte(agentKey)) == 1 {
+		return agentKey, true
 	}
 	return "", false
 }

agent-manager/utils/filter.go

@@ -2,6 +2,7 @@ package utils
 
 import (
 	"fmt"
+	"regexp"
 	"strings"
 
 	"gorm.io/gorm"
@@ -24,14 +25,14 @@ type Filter struct {
 	Value interface{}
 }
 
-func NewFilter(searchQuery string) []Filter {
-	defer func() {
-		if r := recover(); r != nil {
-			// Handle the panic here
-			fmt.Println("Panic occurred:", r)
-		}
-	}()
+// validFieldName ensures the field name only contains safe characters (letters, digits, underscores)
+var validFieldName = regexp.MustCompile(`^[a-zA-Z_][a-zA-Z0-9_]*$`)
 
+func IsValidFieldName(field string) bool {
+	return validFieldName.MatchString(field)
+}
+
+func NewFilter(searchQuery string) []Filter {
 	filters := make([]Filter, 0)
 	if searchQuery == "" {
 		return filters
@@ -42,11 +43,27 @@ func NewFilter(searchQuery string) []Filter {
 	}
 	for _, v := range query {
 		filter := strings.Split(v, "=")
+		if len(filter) != 2 {
+			continue
+		}
 		filerQuery := strings.Split(filter[0], ".")
+		if len(filerQuery) != 2 {
+			continue
+		}
+		field := filerQuery[0]
+		if !IsValidFieldName(field) {
+			fmt.Printf("Rejected invalid filter field: %s\n", field)
+			continue
+		}
+		op := resolveOperator(filerQuery[1])
+		if op == "" {
+			continue
+		}
 		filters = append(filters, Filter{
-			Field: filerQuery[0],
-			Op:    resolveOperator(filerQuery[1]),
-			Value: filter[1]})
+			Field: field,
+			Op:    op,
+			Value: filter[1],
+		})
 	}
 	return filters
 }

agent-manager/utils/paginator.go

@@ -28,7 +28,19 @@ func NewPaginator(limit int, page int, sort string) Pagination {
 	if len(sort) > 0 {
 		srt := make([]string, 0)
 		for _, s := range strings.Split(sort, "&") {
-			srt = append(srt, strings.Replace(s, ",", " ", 1))
+			parts := strings.SplitN(s, ",", 2)
+			field := parts[0]
+			if !IsValidFieldName(field) {
+				continue
+			}
+			direction := "asc"
+			if len(parts) == 2 {
+				d := strings.ToLower(strings.TrimSpace(parts[1]))
+				if d == "desc" {
+					direction = "desc"
+				}
+			}
+			srt = append(srt, field+" "+direction)
 		}
 		p.Sort = strings.Join(srt, ",")
 	}

backend/src/main/java/com/park/utmstack/config/Constants.java

@@ -161,6 +161,7 @@ public final class Constants {
 
     public static final String CONF_TYPE_PASSWORD = "password";
     public static final String CONF_TYPE_FILE = "file";
+    public static final String MASKED_VALUE = "*****";
 
     public static final String API_KEY_HEADER = "Utm-Api-Key";
     public static final List<String> API_ENDPOINT_IGNORE = Collections.emptyList();

backend/src/main/java/com/park/utmstack/domain/UtmServerModule.java

@@ -1,15 +1,18 @@
 package com.park.utmstack.domain;
 
 
+import com.park.utmstack.service.dto.auditable.AuditableDTO;
+
 import javax.persistence.*;
 import java.io.Serializable;
+import java.util.Map;
 
 /**
  * A UtmServerModule.
  */
 @Entity
 @Table(name = "utm_server_module")
-public class UtmServerModule implements Serializable {
+public class UtmServerModule implements Serializable, AuditableDTO {
 
     private static final long serialVersionUID = 1L;
 
@@ -100,4 +103,12 @@ public UtmServer getServer() {
     public void setServer(UtmServer server) {
         this.server = server;
     }
+
+    @Override
+    public Map<String, Object> toAuditMap() {
+        return Map.of(
+            "moduleName", moduleName != null ? moduleName : "",
+            "prettyName", prettyName != null ? prettyName : ""
+        );
+    }
 }

backend/src/main/java/com/park/utmstack/domain/alert_response_rule/UtmAlertResponseRule.java

@@ -64,6 +64,10 @@ public class UtmAlertResponseRule implements Serializable {
     @Column(name = "last_modified_date")
     private Instant lastModifiedDate;
 
+    @Size(max = 20)
+    @Column(name = "rule_shell", length = 20)
+    private String ruleShell;
+
     @Column(name = "system_owner", nullable = false)
     private Boolean systemOwner;
 
@@ -92,6 +96,7 @@ public UtmAlertResponseRule(UtmAlertResponseRuleDTO dto) {
         this.ruleActive = dto.getActive();
         this.agentPlatform = dto.getAgentPlatform();
         this.defaultAgent = dto.getDefaultAgent();
+        this.ruleShell = dto.getShell();
         this.systemOwner = dto.getSystemOwner();
         if (!CollectionUtils.isEmpty(dto.getExcludedAgents()))
             this.excludedAgents = String.join(",", dto.getExcludedAgents());