Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix/migl/162 #178

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fix/migl/162 #178

wants to merge 2 commits into from

Conversation

linkjumper
Copy link

see #162

@linkjumper
Connection.cpp: Fix directory traversal bug mattgodbolt#162
b31732c 
Forbid URLs with ".." see mattgodbolt#162
for further information.

Signed-off-by: Michael Glembotzki <[email protected]>
@linkjumper
Connection.cpp: Forbid empty static root path
5e7d92c 
Without this fix, "/" is used as the default location for the root path!

Signed-off-by: Michael Glembotzki <[email protected]>
@offa offa requested a review from mattgodbolt September 21, 2022 14:39
offa
offa reviewed Sep 21, 2022
View reviewed changes
src/main/c/Connection.cpp
@@ -867,6 +867,9 @@ bool Connection::processHeaders(uint8_t* first, uint8_t* last) {
if (requestUri == nullptr) {
return sendBadRequest("Malformed request line");
}
if (std::string(requestUri).find("..") != std::string::npos) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it safe to assume an URL shouldn't contain any ..? Eg. a/b/c/../d seems ok to me.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you mean something like that?

std::string merge_uri(std::string & uri) {
    std::istringstream is_uri {uri};
    std::vector<std::string> v;
    std::string parsed_uri;

    for (std::string line; std::getline(is_uri, line, '/'); ) {
        if(line == ".") {
            continue;    
        } if(line == "..") {
            if(!v.empty()) {
                v.pop_back();
            }
        } else if(line != "") {
            line = "/" + line;
            v.push_back(line);
        }
    }

    for (auto const & dir : v){
        parsed_uri += dir;
    }

    return parsed_uri.empty() ? "/" : parsed_uri;
}

For comparison, nginx has your described behavior. e.g. a/b/c/../d becomes a/b/d . But one must also say, nginx has a complex state machine that not only protects against directory triversal, but can also handle all other special characters. If that's what we want, I'd at least like to take commit 5e7d92c and drop the other one.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indeed, the empty root path fix is fine to merge 👍

I'd say the path traversal needs some more work. Maybe std filesystem / path could get handy here?

@codecov
Copy link

codecov bot commented Sep 21, 2022
edited
Loading

Codecov Report

Merging #178 (5e7d92c) into master (025ff68) will decrease coverage by 0.05%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##           master     #178      +/-   ##
==========================================
- Coverage   34.65%   34.59%   -0.06%     
==========================================
  Files          53       53              
  Lines        2323     2327       +4     
  Branches      354      356       +2     
==========================================
  Hits          805      805              
- Misses       1429     1432       +3     
- Partials       89       90       +1
Impacted Files Coverage Δ
src/main/c/Connection.cpp 17.85% <0.00%> (-0.10%) ⬇️

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@madebr
Copy link
Collaborator

madebr commented Sep 21, 2022
edited
Loading

Does this pr also block using %2e%2e instead of ..?

@linkjumper
Copy link
Author

Does this pr also block using %2e%2e instead of ..?

URL decoding is not implemented: /%2E%2E%/etc/passwd would be caught on line 1230 and returned as 404.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@offa offa offa left review comments

@mattgodbolt mattgodbolt Awaiting requested review from mattgodbolt

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@linkjumper @madebr @offa