Upstream/waveterm
1
0
Fork 0
mirror of https://github.com/wavetermdev/waveterm.git synced 2024-12-21 16:38:23 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix path traversal vulnerabilities (#817)

Browse Source 
Properly validate expanded paths to ensure they are not attempting path
traversal attacks
This commit is contained in:
Evan Simkowitz 2024-09-24 18:24:39 -07:00 committed by GitHub
parent 9ede998eab
commit ccf344d107
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 100 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
cmd/wsh/cmd/wshcmd-term.go
View File

@ -4,6 +4,7 @@
package cmd package cmd
import ( import (
"log"
"os" "os"
"path/filepath" "path/filepath"
@ -33,7 +34,12 @@ func termRun(cmd *cobra.Command, args []string) {
var cwd string var cwd string
if len(args) > 0 { if len(args) > 0 {
cwd = args[0] cwd = args[0]
cwd = wavebase.ExpandHomeDir(cwd) cwdExpanded, err := wavebase.ExpandHomeDir(cwd)
if err != nil {
log.Fatal(err)
return
}
cwd = cwdExpanded
} else { } else {
var err error var err error
cwd, err = os.Getwd() cwd, err = os.Getwd()

12
pkg/blockcontroller/blockcontroller.go
View File

@ -224,7 +224,11 @@ func (bc *BlockController) DoRunShellCommand(rc *RunShellOpts, blockMeta waveobj
cmdOpts.Login = true cmdOpts.Login = true
cmdOpts.Cwd = blockMeta.GetString(waveobj.MetaKey_CmdCwd, "") cmdOpts.Cwd = blockMeta.GetString(waveobj.MetaKey_CmdCwd, "")
if cmdOpts.Cwd != "" { if cmdOpts.Cwd != "" {
cmdOpts.Cwd = wavebase.ExpandHomeDir(cmdOpts.Cwd) cwdPath, err := wavebase.ExpandHomeDir(cmdOpts.Cwd)
if err != nil {
return err
}
cmdOpts.Cwd = cwdPath
} }
} else if bc.ControllerType == BlockController_Cmd { } else if bc.ControllerType == BlockController_Cmd {
cmdStr = blockMeta.GetString(waveobj.MetaKey_Cmd, "") cmdStr = blockMeta.GetString(waveobj.MetaKey_Cmd, "")
@ -233,7 +237,11 @@ func (bc *BlockController) DoRunShellCommand(rc *RunShellOpts, blockMeta waveobj
} }
cmdOpts.Cwd = blockMeta.GetString(waveobj.MetaKey_CmdCwd, "") cmdOpts.Cwd = blockMeta.GetString(waveobj.MetaKey_CmdCwd, "")
if cmdOpts.Cwd != "" { if cmdOpts.Cwd != "" {
cmdOpts.Cwd = wavebase.ExpandHomeDir(cmdOpts.Cwd) cwdPath, err := wavebase.ExpandHomeDir(cmdOpts.Cwd)
if err != nil {
return err
}
cmdOpts.Cwd = cwdPath
} }
cmdOpts.Interactive = blockMeta.GetBool(waveobj.MetaKey_CmdInteractive, false) cmdOpts.Interactive = blockMeta.GetBool(waveobj.MetaKey_CmdInteractive, false)
cmdOpts.Login = blockMeta.GetBool(waveobj.MetaKey_CmdLogin, false) cmdOpts.Login = blockMeta.GetBool(waveobj.MetaKey_CmdLogin, false)

24
pkg/remote/sshclient.go
View File

@ -75,7 +75,11 @@ func createPublicKeyCallback(connCtx context.Context, sshKeywords *SshKeywords,
// checking the file early prevents us from needing to send a // checking the file early prevents us from needing to send a
// dummy signer if there's a problem with the signer // dummy signer if there's a problem with the signer
for _, identityFile := range sshKeywords.IdentityFile { for _, identityFile := range sshKeywords.IdentityFile {
privateKey, err := os.ReadFile(wavebase.ExpandHomeDir(identityFile)) filePath, err := wavebase.ExpandHomeDir(identityFile)
if err != nil {
continue
}
privateKey, err := os.ReadFile(filePath)
if err != nil { if err != nil {
// skip this key and try with the next // skip this key and try with the next
continue continue
@ -352,7 +356,11 @@ func createHostKeyCallback(opts *SSHOpts) (ssh.HostKeyCallback, HostKeyAlgorithm
var knownHostsFiles []string var knownHostsFiles []string
for _, filename := range unexpandedKnownHostsFiles { for _, filename := range unexpandedKnownHostsFiles {
knownHostsFiles = append(knownHostsFiles, wavebase.ExpandHomeDir(filename)) filePath, err := wavebase.ExpandHomeDir(filename)
if err != nil {
continue
}
knownHostsFiles = append(knownHostsFiles, filePath)
} }
// there are no good known hosts files // there are no good known hosts files
@ -715,12 +723,20 @@ func findSshConfigKeywords(hostPattern string) (*SshKeywords, error) {
authSockCommand := exec.Command(shellPath, "-c", "echo ${SSH_AUTH_SOCK}") authSockCommand := exec.Command(shellPath, "-c", "echo ${SSH_AUTH_SOCK}")
sshAuthSock, err := authSockCommand.Output() sshAuthSock, err := authSockCommand.Output()
if err == nil { if err == nil {
sshKeywords.IdentityAgent = wavebase.ExpandHomeDir(trimquotes.TryTrimQuotes(strings.TrimSpace(string(sshAuthSock)))) agentPath, err := wavebase.ExpandHomeDir(trimquotes.TryTrimQuotes(strings.TrimSpace(string(sshAuthSock))))
if err != nil {
return nil, err
}
sshKeywords.IdentityAgent = agentPath
} else { } else {
log.Printf("unable to find SSH_AUTH_SOCK: %v\n", err) log.Printf("unable to find SSH_AUTH_SOCK: %v\n", err)
} }
} else { } else {
sshKeywords.IdentityAgent = wavebase.ExpandHomeDir(trimquotes.TryTrimQuotes(identityAgentRaw)) agentPath, err := wavebase.ExpandHomeDir(trimquotes.TryTrimQuotes(identityAgentRaw))
if err != nil {
return nil, err
}
sshKeywords.IdentityAgent = agentPath
} }
return sshKeywords, nil return sshKeywords, nil

24
pkg/wavebase/wavebase.go
View File

@ -51,15 +51,25 @@ func GetHomeDir() string {
return homeVar return homeVar
} }
func ExpandHomeDir(pathStr string) string { func ExpandHomeDir(pathStr string) (string, error) {
if pathStr != "~" && !strings.HasPrefix(pathStr, "~/") { if pathStr != "~" && !strings.HasPrefix(pathStr, "~/") {
return pathStr return pathStr, nil
} }
homeDir := GetHomeDir() homeDir := GetHomeDir()
if pathStr == "~" { if pathStr == "~" {
return homeDir return homeDir, nil
} }
return filepath.Clean(filepath.Join(homeDir, pathStr[2:])) expandedPath := filepath.Join(homeDir, pathStr[2:])
absPath, err := filepath.Abs(filepath.Join(homeDir, expandedPath))
if err != nil || !strings.HasPrefix(absPath, homeDir) {
return "", fmt.Errorf("Potential path traversal detected for path %s", pathStr)
}
return expandedPath, nil
}
func ExpandHomeDirSafe(pathStr string) string {
path, _ := ExpandHomeDir(pathStr)
return path
} }
func ReplaceHomeDir(pathStr string) string { func ReplaceHomeDir(pathStr string) string {
@ -80,12 +90,12 @@ func GetDomainSocketName() string {
func GetWaveHomeDir() string { func GetWaveHomeDir() string {
homeVar := os.Getenv(WaveHomeVarName) homeVar := os.Getenv(WaveHomeVarName)
if homeVar != "" { if homeVar != "" {
return ExpandHomeDir(homeVar) return ExpandHomeDirSafe(homeVar)
} }
if IsDevMode() { if IsDevMode() {
return ExpandHomeDir(DevWaveHome) return ExpandHomeDirSafe(DevWaveHome)
} }
return ExpandHomeDir(DefaultWaveHome) return ExpandHomeDirSafe(DefaultWaveHome)
} }
func EnsureWaveHomeDir() error { func EnsureWaveHomeDir() error {

5
pkg/web/web.go
View File

@ -231,7 +231,10 @@ func handleLocalStreamFile(w http.ResponseWriter, r *http.Request, fileName stri
serveTransparentGIF(w) serveTransparentGIF(w)
} }
} else { } else {
fileName = wavebase.ExpandHomeDir(fileName) fileName, err := wavebase.ExpandHomeDir(fileName)
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
}
http.ServeFile(w, r, fileName) http.ServeFile(w, r, fileName)
} }
} }

29
pkg/wshrpc/wshremote/wshremote.go
View File

@ -163,8 +163,10 @@ func (impl *ServerImpl) remoteStreamFileInternal(ctx context.Context, data wshrp
if err != nil { if err != nil {
return err return err
} }
path := data.Path path, err := wavebase.ExpandHomeDir(data.Path)
path = wavebase.ExpandHomeDir(path) if err != nil {
return err
}
finfo, err := impl.fileInfoInternal(path, true) finfo, err := impl.fileInfoInternal(path, true)
if err != nil { if err != nil {
return fmt.Errorf("cannot stat file %q: %w", path, err) return fmt.Errorf("cannot stat file %q: %w", path, err)
@ -246,7 +248,7 @@ func checkIsReadOnly(path string, fileInfo fs.FileInfo, exists bool) bool {
} }
func computeDirPart(path string, isDir bool) string { func computeDirPart(path string, isDir bool) string {
path = filepath.Clean(wavebase.ExpandHomeDir(path)) path = filepath.Clean(wavebase.ExpandHomeDirSafe(path))
path = filepath.ToSlash(path) path = filepath.ToSlash(path)
if path == "/" { if path == "/" {
return "/" return "/"
@ -259,7 +261,7 @@ func computeDirPart(path string, isDir bool) string {
} }
func (*ServerImpl) fileInfoInternal(path string, extended bool) (*wshrpc.FileInfo, error) { func (*ServerImpl) fileInfoInternal(path string, extended bool) (*wshrpc.FileInfo, error) {
cleanedPath := filepath.Clean(wavebase.ExpandHomeDir(path)) cleanedPath := filepath.Clean(wavebase.ExpandHomeDirSafe(path))
finfo, err := os.Stat(cleanedPath) finfo, err := os.Stat(cleanedPath)
if os.IsNotExist(err) { if os.IsNotExist(err) {
return &wshrpc.FileInfo{ return &wshrpc.FileInfo{
@ -281,11 +283,11 @@ func (*ServerImpl) fileInfoInternal(path string, extended bool) (*wshrpc.FileInf
func resolvePaths(paths []string) string { func resolvePaths(paths []string) string {
if len(paths) == 0 { if len(paths) == 0 {
return wavebase.ExpandHomeDir("~") return wavebase.ExpandHomeDirSafe("~")
} }
var rtnPath = wavebase.ExpandHomeDir(paths[0]) rtnPath := wavebase.ExpandHomeDirSafe(paths[0])
for _, path := range paths[1:] { for _, path := range paths[1:] {
path = wavebase.ExpandHomeDir(path) path = wavebase.ExpandHomeDirSafe(path)
if filepath.IsAbs(path) { if filepath.IsAbs(path) {
rtnPath = path rtnPath = path
continue continue
@ -305,7 +307,10 @@ func (impl *ServerImpl) RemoteFileInfoCommand(ctx context.Context, path string)
} }
func (*ServerImpl) RemoteWriteFileCommand(ctx context.Context, data wshrpc.CommandRemoteWriteFileData) error { func (*ServerImpl) RemoteWriteFileCommand(ctx context.Context, data wshrpc.CommandRemoteWriteFileData) error {
path := wavebase.ExpandHomeDir(data.Path) path, err := wavebase.ExpandHomeDir(data.Path)
if err != nil {
return err
}
createMode := data.CreateMode createMode := data.CreateMode
if createMode == 0 { if createMode == 0 {
createMode = 0644 createMode = 0644
@ -324,8 +329,12 @@ func (*ServerImpl) RemoteWriteFileCommand(ctx context.Context, data wshrpc.Comma
} }
func (*ServerImpl) RemoteFileDeleteCommand(ctx context.Context, path string) error { func (*ServerImpl) RemoteFileDeleteCommand(ctx context.Context, path string) error {
cleanedPath := filepath.Clean(wavebase.ExpandHomeDir(path)) expandedPath, err := wavebase.ExpandHomeDir(path)
err := os.Remove(cleanedPath) if err != nil {
return fmt.Errorf("cannot delete file %q: %w", path, err)
}
cleanedPath := filepath.Clean(expandedPath)
err = os.Remove(cleanedPath)
if err != nil { if err != nil {
return fmt.Errorf("cannot delete file %q: %w", path, err) return fmt.Errorf("cannot delete file %q: %w", path, err)
} }

2
pkg/wstore/wstore_dboldmigration.go
View File

@ -17,7 +17,7 @@ import (
const OldDBName = "~/.waveterm/waveterm.db" const OldDBName = "~/.waveterm/waveterm.db"
func GetOldDBName() string { func GetOldDBName() string {
return wavebase.ExpandHomeDir(OldDBName) return wavebase.ExpandHomeDirSafe(OldDBName)
} }
func MakeOldDB(ctx context.Context) (*sqlx.DB, error) { func MakeOldDB(ctx context.Context) (*sqlx.DB, error) {

23
yarn.lock
View File

@ -9737,6 +9737,27 @@ __metadata:
languageName: node languageName: node
linkType: hard linkType: hard
"send@npm:0.18.0":
version: 0.18.0
resolution: "send@npm:0.18.0"
dependencies:
debug: "npm:2.6.9"
depd: "npm:2.0.0"
destroy: "npm:1.2.0"
encodeurl: "npm:~1.0.2"
escape-html: "npm:~1.0.3"
etag: "npm:~1.8.1"
fresh: "npm:0.5.2"
http-errors: "npm:2.0.0"
mime: "npm:1.6.0"
ms: "npm:2.1.3"
on-finished: "npm:2.4.1"
range-parser: "npm:~1.2.1"
statuses: "npm:2.0.1"
checksum: 10c0/0eb134d6a51fc13bbcb976a1f4214ea1e33f242fae046efc311e80aff66c7a43603e26a79d9d06670283a13000e51be6e0a2cb80ff0942eaf9f1cd30b7ae736a
languageName: node
linkType: hard
"send@npm:0.19.0": "send@npm:0.19.0":
version: 0.19.0 version: 0.19.0
resolution: "send@npm:0.19.0" resolution: "send@npm:0.19.0"
@ -9774,7 +9795,7 @@ __metadata:
encodeurl: "npm:~1.0.2" encodeurl: "npm:~1.0.2"
escape-html: "npm:~1.0.3" escape-html: "npm:~1.0.3"
parseurl: "npm:~1.3.3" parseurl: "npm:~1.3.3"
send: "npm:0.19.0" send: "npm:0.18.0"
checksum: 10c0/d7a5beca08cc55f92998d8b87c111dd842d642404231c90c11f504f9650935da4599c13256747b0a988442a59851343271fe8e1946e03e92cd79c447b5f3ae01 checksum: 10c0/d7a5beca08cc55f92998d8b87c111dd842d642404231c90c11f504f9650935da4599c13256747b0a988442a59851343271fe8e1946e03e92cd79c447b5f3ae01
languageName: node languageName: node
linkType: hard linkType: hard