knightjoel / zpark Goto Github PK

The primary use case is so that "*@domain.com" can be specified which would make it convenient to trust all users in an org or belonging to a specific domain. Intention is to allow any manner of regex to be specified, however.

Should provide:

• An introduction to what the bot is/does
• Version information
• Information about the owner/contact (?)
• A list of supported commands (or should this be a separate command?)

urllib: CVE-2018-20060 affecting < v1.23
flask: CVE-2018-1000656 affecting < v0.12.3

https://nvd.nist.gov/vuln/detail/CVE-2019-10906

Zpark unconditionally shows issues that have not been acknowledged (withLastEventUnacknowledged=1 in the trigger filter). That's fine, but has some drawbacks.

1. It's not clear from a user's perspective that that's what's happening
2. If a user desired to query for issues that have been acknowledged, they can't
3. If a user desired to be notified when an issue is ack'd, they cannot

Want to enhance Zpark to account for ack'd issues in these ways (and more?)

• When sending to a room, log room name instead of roomId
• Should be logging the task id that it's being executed under in the case where it's not called with .async(). Needed to make tracing through the logs possible.

• Proper place for release notes
• How to upgrade between releases
• Breaking changes/flag das

https://nvd.nist.gov/vuln/detail/CVE-2019-11324

Need to account for:

• Automatic rate limiting will cause tasks to block; the rate limit delay should cause the task to be requeued with a "start time" set appropriately
• The SparkApiError constructor now only accepts a requests.Response object as an argument; can no longer simply pass an http status code. This breaks a number of unit tests.

Use case is in a group room, being able to type something like @bot, show issues. Right now, the syntax is very strict and must be @bot show issues.

Maybe it's just me, but my muscle memory is to type a comma after the @name of someone (thanks, IRC).

The pyzabbix module uses the requests module to contact the Zabbix API. The requests module by default, has SSL certificate verification enabled. In the case where the Zabbix server has HTTPS enabled and has been issued with a self-signed or private CA issued certificate, the requests module will throw an exception because it won't be able to verify such a certificate.

This exception will be thrown during startup of the Celery worker processes resulting in the workers failing to start.

Thanks to @egnirra for bringing this to my attention.

When first getting Zpark up and running, it would be very useful if Zpark would log a message when it drops a command from an untrusted user (ie, a user that isn't part of the SPARK_TRUSTED_USERS list) to aid in troubleshooting and just getting the bot up and running the first time.

Once troubleshooting is complete, want a way to ensure logs are not spammed by random users issuing commands to the bot.

Thanks to @egnirra for the suggestion!

• It can't handle bot names with > 1 word
• It can't handle bot names with non-alphanum characters

Thanks to @egnirra for pointing this out.

"Number of items" and "Number of triggers" counts are off.

Tracking issue for anything that crops up related to the rebranding of Cisco Spark to Webex Teams

https://nvd.nist.gov/vuln/detail/CVE-2018-18074

Vulnerable versions: <= 2.19.1
Patched version: 2.20.0

The Requests package through 2.19.1 before 2018-09-14 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.