enhanced path validation in Windows #1379
Conversation
lib/sinatra/base.rb
Outdated
| @@ -1061,6 +1061,7 @@ def route_missing | |||
| def static!(options = {}) | |||
| return if (public_dir = settings.public_folder).nil? | |||
| path = File.expand_path("#{public_dir}#{URI_INSTANCE.unescape(request.path_info)}" ) | |||
| return unless path.start_with?(public_dir) | |||
There was a problem hiding this comment.
Can you add a comment about when this might be true/false?
There was a problem hiding this comment.
Oh, sorry I misunderstood your question :(
This line check the user-supplied path must under public_dir, or it will return nil to prevent user from path traversal attack.
There was a problem hiding this comment.
@kgrz Did you mean "Can you add a Ruby code comment near this line about ..."?
There was a problem hiding this comment.
Hehe, yes yes. I meant a comment in the code. Didn’t notice my question was ambiguous until you pointed it out.
There was a problem hiding this comment.
I agree a code comment about when path.start_with?(public_dir) would evaluate to false would be helpful. I'm actually not sure I understand when that would happen 😬
There was a problem hiding this comment.
I think this is not necessary actually because . and .. have been reduced by rack-protection.
Even in the case of invalidating the :path_traversal setting on rack-protection, you should still add comment in the code if you think that it is meaningful to activate this restriction.
@orangetw Could you add the comment in the code?
There was a problem hiding this comment.
The major enhancement I already commit to rack-protections (added back-slash check to the path_traversal.rb), this line(in base.rb) is just double check and ensure that there is no unknown(unexpected) attack vector.
I am not a ruby developer, so if you think that line is unnecessary, maybe only merge the changes on path_traversal.rb?
There was a problem hiding this comment.
As a personal opinion, I prefer a simple structure.
Double check increases software complexity.
And yes, the essence of the problem is certainly fixed with your commit to rack-protection.
If you agree with my opinion, please drop this line.
There was a problem hiding this comment.
OK, I have done that!
There was a problem hiding this comment.
Great, I'm going to check the behavior on Windows and merge this in a few days.
Thank you!
|
cc #1339 |
|
Btw, thank you for sending the patch and your report! |
Removed the double check line!
|
I've confirmed the issue, and it has been fixed correctly by this patch. |
This commit has been backported from sinatra/sinatra#1379 Fixes CVE-2018-7212
|
Hi folks, does this affect versions < 2.0? |
|
@peterkeen: I was just looking into the same thing myself. I believe it effects all versions of rack-protection before 2.0.1. I think it would be possible to backport the fix here and cut a 1.5.4 release from the separate rack-protection repo: |
|
Ah, actually this was already backported: So this really is fixed on rack-protection ~>1.5.4 / >2.0.0 I think |
|
If bundle-audit told you to come here and you don't want to update to Sinatra 2.x right now, subscribe to rubysec/ruby-advisory-db#331 |
|
Yeah, rack-protection v1.5.x has not been maintained, I had backported security fix exceptionally into the 1.5-stable branch. |
nokogiri 1.8.2 fixes security issue https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15412 rack-protection 2.0.1 fixes security issue sinatra/sinatra#1379
update Sinatra due to security advisory: Name: rack-protection Version: 1.5.3 Advisory: CVE-2018-7212 Criticality: Unknown URL: sinatra/sinatra#1379 Title: Path traversal is possible via backslash characters on Windows. Solution: upgrade to >= 2.0.1, ~> 1.5.4
nokogiri 1.8.2 fixes security issue https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15412 rack-protection 2.0.1 fixes security issue sinatra/sinatra#1379
Addresses CVE-2018-7212 reported in rack-protection.[1] CVE does not affect Supermarket because the vulnerability is only on Windows platforms. [1] sinatra/sinatra#1379 Signed-off-by: Robb Kidd <rkidd@chef.io>
* update padrino dependencies (see rack-protection vuln)[sinatra/sinatra#1379] * update actionview dependencies (action-html-sanitizer and loofah)
Name: rack-protection Version: 2.0.0 Advisory: CVE-2018-7212 Criticality: Unknown URL: sinatra/sinatra#1379 Title: Path traversal is possible via backslash characters on Windows.
Because in the previous version of the gemspec we had an open reference to Sinatra it meant we were essentially saying any version would do. Hakiri was flagging this with [CVE-2018-7212](sinatra/sinatra#1379), the resolution of which was to specify a version equal to or greater than 2.0.1
Because in the previous version of the gemspec we had an open reference to Sinatra it meant we were essentially saying any version would do. Hakiri was flagging this with [CVE-2018-7212](sinatra/sinatra#1379), the resolution of which was to specify a version equal to or greater than 2.0.1 It was then flagging this project with [CVE-2018-11627](sinatra/sinatra#1428), and again the resolution was to specify a version, this time equal to or greater than 2.0.2
Because in the previous version of the gemspec we had an open reference to Sinatra it meant we were essentially saying any version would do. Hakiri was flagging this with [CVE-2018-7212](sinatra/sinatra#1379), the resolution of which was to specify a version equal to or greater than 2.0.1 It was then flagging this project with [CVE-2018-11627](sinatra/sinatra#1428), and again the resolution was to specify a version, this time equal to or greater than 2.0.2
Due to the Windows environment, more check backslashes in
static!method and enhanced thepath_traversalvalidation inrack-protection