mirror of
https://github.com/GNS3/gns3-server
synced 2025-01-13 17:40:54 +00:00
Change method to prevent forbidden directory traversal. Ref #1894
This commit is contained in:
parent
f3d81fa450
commit
2bf16f1e5f
@ -19,6 +19,7 @@ API routes for projects.
|
|||||||
"""
|
"""
|
||||||
|
|
||||||
import os
|
import os
|
||||||
|
import urllib.parse
|
||||||
|
|
||||||
import logging
|
import logging
|
||||||
|
|
||||||
@ -198,6 +199,7 @@ async def get_compute_project_file(file_path: str, project: Project = Depends(de
|
|||||||
Get a file from a project.
|
Get a file from a project.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
file_path = urllib.parse.unquote(file_path)
|
||||||
path = os.path.normpath(file_path)
|
path = os.path.normpath(file_path)
|
||||||
|
|
||||||
# Raise error if user try to escape
|
# Raise error if user try to escape
|
||||||
@ -214,6 +216,7 @@ async def get_compute_project_file(file_path: str, project: Project = Depends(de
|
|||||||
@router.post("/projects/{project_id}/files/{file_path:path}", status_code=status.HTTP_204_NO_CONTENT)
|
@router.post("/projects/{project_id}/files/{file_path:path}", status_code=status.HTTP_204_NO_CONTENT)
|
||||||
async def write_compute_project_file(file_path: str, request: Request, project: Project = Depends(dep_project)) -> None:
|
async def write_compute_project_file(file_path: str, request: Request, project: Project = Depends(dep_project)) -> None:
|
||||||
|
|
||||||
|
file_path = urllib.parse.unquote(file_path)
|
||||||
path = os.path.normpath(file_path)
|
path = os.path.normpath(file_path)
|
||||||
|
|
||||||
# Raise error if user try to escape
|
# Raise error if user try to escape
|
||||||
|
@ -24,6 +24,7 @@ import tempfile
|
|||||||
import zipfile
|
import zipfile
|
||||||
import aiofiles
|
import aiofiles
|
||||||
import time
|
import time
|
||||||
|
import urllib.parse
|
||||||
|
|
||||||
import logging
|
import logging
|
||||||
|
|
||||||
@ -369,7 +370,8 @@ async def get_file(file_path: str, project: Project = Depends(dep_project)) -> F
|
|||||||
Return a file from a project.
|
Return a file from a project.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
path = os.path.normpath(file_path).strip("/")
|
file_path = urllib.parse.unquote(file_path)
|
||||||
|
path = os.path.normpath(file_path)
|
||||||
|
|
||||||
# Raise error if user try to escape
|
# Raise error if user try to escape
|
||||||
if not is_safe_path(path, project.path):
|
if not is_safe_path(path, project.path):
|
||||||
@ -388,7 +390,8 @@ async def write_file(file_path: str, request: Request, project: Project = Depend
|
|||||||
Write a file from a project.
|
Write a file from a project.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
path = os.path.normpath(file_path).strip("/")
|
file_path = urllib.parse.unquote(file_path)
|
||||||
|
path = os.path.normpath(file_path)
|
||||||
|
|
||||||
# Raise error if user try to escape
|
# Raise error if user try to escape
|
||||||
if not is_safe_path(path, project.path):
|
if not is_safe_path(path, project.path):
|
||||||
|
@ -17,6 +17,7 @@
|
|||||||
|
|
||||||
import os
|
import os
|
||||||
|
|
||||||
|
from pathlib import Path
|
||||||
from fastapi import HTTPException, status
|
from fastapi import HTTPException, status
|
||||||
from ..config import Config
|
from ..config import Config
|
||||||
|
|
||||||
@ -37,15 +38,14 @@ def get_default_project_directory():
|
|||||||
return path
|
return path
|
||||||
|
|
||||||
|
|
||||||
def is_safe_path(file_path, directory):
|
def is_safe_path(file_path: str, basedir: str) -> bool:
|
||||||
"""
|
"""
|
||||||
Check that file path is safe.
|
Check that file path is safe.
|
||||||
(the file is stored inside directory or one of its sub-directory)
|
(the file is stored inside directory or one of its sub-directory)
|
||||||
"""
|
"""
|
||||||
|
|
||||||
requested_path = os.path.abspath(file_path)
|
test_path = (Path(basedir) / file_path).resolve()
|
||||||
common_prefix = os.path.commonprefix([requested_path, directory])
|
return Path(basedir).resolve() in test_path.resolve().parents
|
||||||
return common_prefix != directory
|
|
||||||
|
|
||||||
|
|
||||||
def check_path_allowed(path):
|
def check_path_allowed(path):
|
||||||
|
@ -186,7 +186,23 @@ async def test_upload_image(app: FastAPI, client: AsyncClient, images_dir: str)
|
|||||||
assert checksum == "033bd94b1168d7e4f0d644c3c95e35bf"
|
assert checksum == "033bd94b1168d7e4f0d644c3c95e35bf"
|
||||||
|
|
||||||
|
|
||||||
async def test_download_image_escape(app: FastAPI, client: AsyncClient, tmpdir) -> None:
|
async def test_upload_image_forbidden_location(app: FastAPI, client: AsyncClient) -> None:
|
||||||
|
|
||||||
|
file_path = "%2e%2e/hello"
|
||||||
|
response = await client.post(app.url_path_for("upload_dynamips_image", filename=file_path), content=b"TEST")
|
||||||
|
assert response.status_code == status.HTTP_403_FORBIDDEN
|
||||||
|
|
||||||
|
|
||||||
|
async def test_download_image(app: FastAPI, client: AsyncClient, images_dir: str) -> None:
|
||||||
|
|
||||||
|
response = await client.post(app.url_path_for("upload_dynamips_image", filename="test3"), content=b"TEST")
|
||||||
|
assert response.status_code == status.HTTP_204_NO_CONTENT
|
||||||
|
|
||||||
|
response = await client.get(app.url_path_for("download_dynamips_image", filename="test3"))
|
||||||
|
assert response.status_code == status.HTTP_200_OK
|
||||||
|
|
||||||
|
|
||||||
|
async def test_download_image_forbidden(app: FastAPI, client: AsyncClient, tmpdir) -> None:
|
||||||
|
|
||||||
file_path = "foo/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
|
file_path = "foo/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
|
||||||
response = await client.get(app.url_path_for("download_dynamips_image", filename=file_path))
|
response = await client.get(app.url_path_for("download_dynamips_image", filename=file_path))
|
||||||
|
@ -415,7 +415,23 @@ async def test_upload_image(app: FastAPI, client: AsyncClient, tmpdir) -> None:
|
|||||||
assert checksum == "033bd94b1168d7e4f0d644c3c95e35bf"
|
assert checksum == "033bd94b1168d7e4f0d644c3c95e35bf"
|
||||||
|
|
||||||
|
|
||||||
async def test_download_image_escape(app: FastAPI, client: AsyncClient, tmpdir) -> None:
|
async def test_upload_image_forbidden_location(app: FastAPI, client: AsyncClient) -> None:
|
||||||
|
|
||||||
|
file_path = "%2e%2e/hello"
|
||||||
|
response = await client.post(app.url_path_for("upload_dynamips_image", filename=file_path), content=b"TEST")
|
||||||
|
assert response.status_code == status.HTTP_403_FORBIDDEN
|
||||||
|
|
||||||
|
|
||||||
|
async def test_download_image(app: FastAPI, client: AsyncClient, images_dir: str) -> None:
|
||||||
|
|
||||||
|
response = await client.post(app.url_path_for("upload_dynamips_image", filename="test3"), content=b"TEST")
|
||||||
|
assert response.status_code == status.HTTP_204_NO_CONTENT
|
||||||
|
|
||||||
|
response = await client.get(app.url_path_for("download_dynamips_image", filename="test3"))
|
||||||
|
assert response.status_code == status.HTTP_200_OK
|
||||||
|
|
||||||
|
|
||||||
|
async def test_download_image_forbidden(app: FastAPI, client: AsyncClient, tmpdir) -> None:
|
||||||
|
|
||||||
file_path = "foo/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
|
file_path = "foo/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
|
||||||
response = await client.get(app.url_path_for("download_iou_image", filename=file_path))
|
response = await client.get(app.url_path_for("download_iou_image", filename=file_path))
|
||||||
|
@ -179,6 +179,21 @@ async def test_get_file(app: FastAPI, client: AsyncClient, config, tmpdir) -> No
|
|||||||
assert response.status_code == status.HTTP_404_NOT_FOUND
|
assert response.status_code == status.HTTP_404_NOT_FOUND
|
||||||
|
|
||||||
|
|
||||||
|
async def test_get_file_forbidden_location(app: FastAPI, client: AsyncClient, config, tmpdir) -> None:
|
||||||
|
|
||||||
|
config.settings.Server.projects_path = str(tmpdir)
|
||||||
|
project = ProjectManager.instance().create_project(project_id="01010203-0405-0607-0809-0a0b0c0d0e0b")
|
||||||
|
file_path = "foo/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
|
||||||
|
response = await client.get(
|
||||||
|
app.url_path_for(
|
||||||
|
"get_compute_project_file",
|
||||||
|
project_id=project.id,
|
||||||
|
file_path=file_path
|
||||||
|
)
|
||||||
|
)
|
||||||
|
assert response.status_code == status.HTTP_403_FORBIDDEN
|
||||||
|
|
||||||
|
|
||||||
async def test_write_file(app: FastAPI, client: AsyncClient, config, tmpdir) -> None:
|
async def test_write_file(app: FastAPI, client: AsyncClient, config, tmpdir) -> None:
|
||||||
|
|
||||||
config.settings.Server.projects_path = str(tmpdir)
|
config.settings.Server.projects_path = str(tmpdir)
|
||||||
@ -196,3 +211,15 @@ async def test_write_file(app: FastAPI, client: AsyncClient, config, tmpdir) ->
|
|||||||
project_id=project.id,
|
project_id=project.id,
|
||||||
file_path="../hello"))
|
file_path="../hello"))
|
||||||
assert response.status_code == status.HTTP_404_NOT_FOUND
|
assert response.status_code == status.HTTP_404_NOT_FOUND
|
||||||
|
|
||||||
|
|
||||||
|
async def test_write_file_forbidden_location(app: FastAPI, client: AsyncClient, config, tmpdir) -> None:
|
||||||
|
|
||||||
|
config.settings.Server.projects_path = str(tmpdir)
|
||||||
|
project = ProjectManager.instance().create_project(project_id="01010203-0405-0607-0809-0a0b0c0d0e0b")
|
||||||
|
|
||||||
|
file_path = "%2e%2e/hello"
|
||||||
|
response = await client.post(app.url_path_for("write_compute_project_file",
|
||||||
|
project_id=project.id,
|
||||||
|
file_path=file_path), content=b"world")
|
||||||
|
assert response.status_code == status.HTTP_403_FORBIDDEN
|
||||||
|
@ -388,15 +388,23 @@ async def test_upload_image_ova(app: FastAPI, client: AsyncClient, tmpdir:str) -
|
|||||||
assert checksum == "033bd94b1168d7e4f0d644c3c95e35bf"
|
assert checksum == "033bd94b1168d7e4f0d644c3c95e35bf"
|
||||||
|
|
||||||
|
|
||||||
async def test_upload_image_forbiden_location(app: FastAPI, client: AsyncClient, tmpdir: str) -> None:
|
async def test_upload_image_forbidden_location(app: FastAPI, client: AsyncClient, tmpdir: str) -> None:
|
||||||
|
|
||||||
with patch("gns3server.compute.Qemu.get_images_directory", return_value=str(tmpdir)):
|
|
||||||
response = await client.post(app.url_path_for("upload_qemu_image",
|
response = await client.post(app.url_path_for("upload_qemu_image",
|
||||||
filename="/qemu/images/../../test2"), content=b"TEST")
|
filename="/qemu/images/../../test2"), content=b"TEST")
|
||||||
assert response.status_code == status.HTTP_403_FORBIDDEN
|
assert response.status_code == status.HTTP_403_FORBIDDEN
|
||||||
|
|
||||||
|
|
||||||
async def test_download_image_escape(app: FastAPI, client: AsyncClient, tmpdir) -> None:
|
async def test_download_image(app: FastAPI, client: AsyncClient, images_dir: str) -> None:
|
||||||
|
|
||||||
|
response = await client.post(app.url_path_for("upload_qemu_image", filename="test3"), content=b"TEST")
|
||||||
|
assert response.status_code == status.HTTP_204_NO_CONTENT
|
||||||
|
|
||||||
|
response = await client.get(app.url_path_for("download_qemu_image", filename="test3"))
|
||||||
|
assert response.status_code == status.HTTP_200_OK
|
||||||
|
|
||||||
|
|
||||||
|
async def test_download_image_forbidden_location(app: FastAPI, client: AsyncClient, tmpdir) -> None:
|
||||||
|
|
||||||
file_path = "foo/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
|
file_path = "foo/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
|
||||||
response = await client.get(app.url_path_for("download_qemu_image", filename=file_path))
|
response = await client.get(app.url_path_for("download_qemu_image", filename=file_path))
|
||||||
|
@ -330,6 +330,13 @@ async def test_get_file(app: FastAPI, client: AsyncClient, project: Project) ->
|
|||||||
assert response.status_code == status.HTTP_404_NOT_FOUND
|
assert response.status_code == status.HTTP_404_NOT_FOUND
|
||||||
|
|
||||||
|
|
||||||
|
async def test_get_file_forbidden_location(app: FastAPI, client: AsyncClient, project: Project) -> None:
|
||||||
|
|
||||||
|
file_path = "foo/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
|
||||||
|
response = await client.get(app.url_path_for("get_file", project_id=project.id, file_path=file_path))
|
||||||
|
assert response.status_code == status.HTTP_403_FORBIDDEN
|
||||||
|
|
||||||
|
|
||||||
async def test_write_file(app: FastAPI, client: AsyncClient, project: Project) -> None:
|
async def test_write_file(app: FastAPI, client: AsyncClient, project: Project) -> None:
|
||||||
|
|
||||||
response = await client.post(app.url_path_for("write_file", project_id=project.id, file_path="hello"),
|
response = await client.post(app.url_path_for("write_file", project_id=project.id, file_path="hello"),
|
||||||
@ -343,6 +350,14 @@ async def test_write_file(app: FastAPI, client: AsyncClient, project: Project) -
|
|||||||
assert response.status_code == status.HTTP_404_NOT_FOUND
|
assert response.status_code == status.HTTP_404_NOT_FOUND
|
||||||
|
|
||||||
|
|
||||||
|
async def test_write_file_forbidden_location(app: FastAPI, client: AsyncClient, project: Project) -> None:
|
||||||
|
|
||||||
|
file_path = "%2e%2e/hello"
|
||||||
|
response = await client.post(app.url_path_for("write_file", project_id=project.id, file_path=file_path),
|
||||||
|
content=b"world")
|
||||||
|
assert response.status_code == status.HTTP_403_FORBIDDEN
|
||||||
|
|
||||||
|
|
||||||
async def test_write_and_get_file_with_leading_slashes_in_filename(
|
async def test_write_and_get_file_with_leading_slashes_in_filename(
|
||||||
app: FastAPI,
|
app: FastAPI,
|
||||||
client: AsyncClient,
|
client: AsyncClient,
|
||||||
@ -350,11 +365,10 @@ async def test_write_and_get_file_with_leading_slashes_in_filename(
|
|||||||
|
|
||||||
response = await client.post(app.url_path_for("write_file", project_id=project.id, file_path="//hello"),
|
response = await client.post(app.url_path_for("write_file", project_id=project.id, file_path="//hello"),
|
||||||
content=b"world")
|
content=b"world")
|
||||||
assert response.status_code == status.HTTP_204_NO_CONTENT
|
assert response.status_code == status.HTTP_403_FORBIDDEN
|
||||||
|
|
||||||
response = await client.get(app.url_path_for("get_file", project_id=project.id, file_path="//hello"))
|
response = await client.get(app.url_path_for("get_file", project_id=project.id, file_path="//hello"))
|
||||||
assert response.status_code == status.HTTP_200_OK
|
assert response.status_code == status.HTTP_403_FORBIDDEN
|
||||||
assert response.content == b"world"
|
|
||||||
|
|
||||||
|
|
||||||
async def test_import(app: FastAPI, client: AsyncClient, tmpdir, controller: Controller) -> None:
|
async def test_import(app: FastAPI, client: AsyncClient, tmpdir, controller: Controller) -> None:
|
||||||
|
Loading…
Reference in New Issue
Block a user