From 25b77c7feefc7225e69558248c350506d089a04a Mon Sep 17 00:00:00 2001 From: Evan Simkowitz Date: Fri, 26 Apr 2024 12:00:11 -0700 Subject: [PATCH] Attempt 2 to resolve security warning (#612) * replace path with filepath * remove configPath from error * remove unnecessary printf * replace more paths with filepath * remove unnecessary abs path call * bad commit --- wavesrv/cmd/main-server.go | 35 +++++++++++++++-------------------- wavesrv/pkg/scbase/scbase.go | 28 ++++++++++++++-------------- 2 files changed, 29 insertions(+), 34 deletions(-) diff --git a/wavesrv/cmd/main-server.go b/wavesrv/cmd/main-server.go index d1b608154..17f27aa9d 100644 --- a/wavesrv/cmd/main-server.go +++ b/wavesrv/cmd/main-server.go @@ -17,7 +17,6 @@ import ( "net/http" "os" "os/signal" - "path" "path/filepath" "regexp" "runtime" @@ -798,26 +797,21 @@ func HandleRunEphemeralCommand(w http.ResponseWriter, r *http.Request) { } } -func CheckIsDir(dirHandler http.Handler, fileHandler http.Handler) http.Handler { +// Checks if the /config request is for a specific file or a directory. Passes the request to the appropriate handler. +func ConfigHandlerCheckIsDir(dirHandler http.Handler, fileHandler http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { configPath := r.URL.Path - configAbsPath, err := filepath.Abs(configPath) - if err != nil { + configBaseDir := filepath.Join(scbase.GetWaveHomeDir(), "config") + configFullPath, err := filepath.Abs(filepath.Join(scbase.GetWaveHomeDir(), configPath)) + if err != nil || !strings.HasPrefix(configFullPath, configBaseDir) { w.WriteHeader(http.StatusInternalServerError) - w.Write([]byte(fmt.Sprintf("error getting absolute path: %v", err))) - return - } - configBaseDir := path.Join(scbase.GetWaveHomeDir(), "config") - configFullPath := path.Join(scbase.GetWaveHomeDir(), configAbsPath) - if !strings.HasPrefix(configFullPath, configBaseDir) { - w.WriteHeader(http.StatusInternalServerError) - w.Write([]byte(fmt.Sprintf("error: path is not in config folder"))) + w.Write([]byte("error: path is not in config folder")) return } fstat, err := os.Stat(configFullPath) if errors.Is(err, fs.ErrNotExist) { w.WriteHeader(http.StatusNotFound) - w.Write([]byte(fmt.Sprintf("file not found: %v", configAbsPath))) + w.Write([]byte(fmt.Sprintf("file not found: %v", err))) return } else if err != nil { w.WriteHeader(http.StatusInternalServerError) @@ -864,7 +858,7 @@ func AuthKeyWrapAllowHmac(fn WebFnType) WebFnType { hmacOk, err := waveenc.ValidateUrlHmac([]byte(scbase.WaveAuthKey), r.URL.Path, qvals) if err != nil || !hmacOk { w.WriteHeader(http.StatusInternalServerError) - w.Write([]byte(fmt.Sprintf("error validating hmac"))) + w.Write([]byte("error validating hmac")) return } // fallthrough (hmac is valid) @@ -1018,12 +1012,13 @@ func doShutdown(reason string) { func configDirHandler(w http.ResponseWriter, r *http.Request) { configPath := r.URL.Path - if !fs.ValidPath(configPath) && !strings.Contains(configPath, "..") { + homeDir := scbase.GetWaveHomeDir() + configFullPath, err := filepath.Abs(filepath.Join(homeDir, configPath)) + if err != nil || !strings.HasPrefix(configFullPath, homeDir) { w.WriteHeader(http.StatusInternalServerError) - w.Write([]byte(fmt.Sprintf("invalid path: %s", configPath))) + w.Write([]byte(fmt.Sprintf("Invalid path: %v", err))) return } - configFullPath := path.Join(scbase.GetWaveHomeDir(), configPath) dirFile, err := os.Open(configFullPath) if err != nil { w.WriteHeader(http.StatusInternalServerError) @@ -1185,11 +1180,11 @@ func main() { gr.HandleFunc("/api/log-active-state", AuthKeyWrap(HandleLogActiveState)) gr.HandleFunc("/api/read-file", AuthKeyWrapAllowHmac(HandleReadFile)) gr.HandleFunc("/api/write-file", AuthKeyWrap(HandleWriteFile)).Methods("POST") - configPath := path.Join(scbase.GetWaveHomeDir(), "config") + "/" + configPath := filepath.Join(scbase.GetWaveHomeDir(), "config") log.Printf("[wave] config path: %q\n", configPath) - isFileHandler := http.StripPrefix("/config/", http.FileServer(http.Dir(configPath))) + isFileHandler := http.StripPrefix("/config/", http.FileServer(http.Dir(configPath)+"/")) isDirHandler := http.HandlerFunc(configDirHandler) - gr.PathPrefix("/config/").Handler(CheckIsDir(isDirHandler, isFileHandler)) + gr.PathPrefix("/config/").Handler(ConfigHandlerCheckIsDir(isDirHandler, isFileHandler)) serverAddr := MainServerAddr if scbase.IsDevMode() { diff --git a/wavesrv/pkg/scbase/scbase.go b/wavesrv/pkg/scbase/scbase.go index 60daad85e..8e52fb453 100644 --- a/wavesrv/pkg/scbase/scbase.go +++ b/wavesrv/pkg/scbase/scbase.go @@ -12,7 +12,7 @@ import ( "log" "os" "os/exec" - "path" + "path/filepath" "regexp" "runtime" "strconv" @@ -64,9 +64,9 @@ func GetWaveHomeDir() string { } pdev := os.Getenv(WaveDevVarName) if pdev != "" { - scHome = path.Join(homeVar, WaveDevDirName) + scHome = filepath.Join(homeVar, WaveDevDirName) } else { - scHome = path.Join(homeVar, WaveDirName) + scHome = filepath.Join(homeVar, WaveDirName) } } @@ -78,7 +78,7 @@ func MShellBinaryDir() string { if appPath == "" { appPath = "." } - return path.Join(appPath, "bin", "mshell") + return filepath.Join(appPath, "bin", "mshell") } func MShellBinaryPath(version string, goos string, goarch string) (string, error) { @@ -91,7 +91,7 @@ func MShellBinaryPath(version string, goos string, goarch string) (string, error return "", fmt.Errorf("invalid mshell version: %q", version) } fileName := fmt.Sprintf("mshell-%s-%s.%s", versionStr, goos, goarch) - fullFileName := path.Join(binaryDir, fileName) + fullFileName := filepath.Join(binaryDir, fileName) return fullFileName, nil } @@ -134,7 +134,7 @@ func InitializeWaveAuthKey() error { if err != nil { return fmt.Errorf("cannot find/create WAVETERM_HOME directory %q", homeDir) } - fileName := path.Join(homeDir, WaveAuthKeyFileName) + fileName := filepath.Join(homeDir, WaveAuthKeyFileName) fd, err := os.Open(fileName) if err != nil && errors.Is(err, fs.ErrNotExist) { return createWaveAuthKeyFile(fileName) @@ -162,7 +162,7 @@ func AcquireWaveLock() (*os.File, error) { if err != nil { return nil, fmt.Errorf("cannot find/create WAVETERM_HOME directory %q", homeDir) } - lockFileName := path.Join(homeDir, WaveLockFile) + lockFileName := filepath.Join(homeDir, WaveLockFile) log.Printf("[base] acquiring lock on %s\n", lockFileName) fd, err := os.OpenFile(lockFileName, os.O_RDWR|os.O_CREATE, 0600) if err != nil { @@ -188,7 +188,7 @@ func EnsureSessionDir(sessionId string) (string, error) { return sdir, nil } scHome := GetWaveHomeDir() - sdir = path.Join(scHome, SessionsDirBaseName, sessionId) + sdir = filepath.Join(scHome, SessionsDirBaseName, sessionId) err := ensureDir(sdir) if err != nil { return "", err @@ -202,7 +202,7 @@ func EnsureSessionDir(sessionId string) (string, error) { // deprecated (v0.1.8) func GetSessionsDir() string { waveHome := GetWaveHomeDir() - sdir := path.Join(waveHome, SessionsDirBaseName) + sdir := filepath.Join(waveHome, SessionsDirBaseName) return sdir } @@ -217,7 +217,7 @@ func EnsureScreenDir(screenId string) (string, error) { return sdir, nil } scHome := GetWaveHomeDir() - sdir = path.Join(scHome, ScreensDirBaseName, screenId) + sdir = filepath.Join(scHome, ScreensDirBaseName, screenId) err := ensureDir(sdir) if err != nil { return "", err @@ -230,18 +230,18 @@ func EnsureScreenDir(screenId string) (string, error) { func GetScreensDir() string { waveHome := GetWaveHomeDir() - sdir := path.Join(waveHome, ScreensDirBaseName) + sdir := filepath.Join(waveHome, ScreensDirBaseName) return sdir } func EnsureConfigDirs() (string, error) { scHome := GetWaveHomeDir() - configDir := path.Join(scHome, "config") + configDir := filepath.Join(scHome, "config") err := ensureDir(configDir) if err != nil { return "", err } - keybindingsFile := path.Join(configDir, "keybindings.json") + keybindingsFile := filepath.Join(configDir, "keybindings.json") keybindingsFileObj, err := ensureFile(keybindingsFile) if err != nil { return "", err @@ -250,7 +250,7 @@ func EnsureConfigDirs() (string, error) { keybindingsFileObj.WriteString("[]\n") keybindingsFileObj.Close() } - terminalThemesDir := path.Join(configDir, "terminal-themes") + terminalThemesDir := filepath.Join(configDir, "terminal-themes") err = ensureDir(terminalThemesDir) if err != nil { return "", err