Fix a possible security risk presented by path traversal.
Showing 1 changed file with 11 additions and 1 deletion.
d64475c
After this commit the bot (bitfinex) will not operate. Will end up only with the 404 mentioned above.
I am not able to pinpoint what exactly it is breaking, but reverting to a commit before this one fixes it.
Is this change really needed? It makes webserver stop working. Please review again.
This change is needed, without it the webserver allows you to access the Exchange secret and keys. This has nothing to do with which exchange you are using it on.
Can you provide information regarding your environment so I can try to reproduce the issue you are facing?
Can you explain the exploit? I just tried accessing my default.cfg and it says 404.
Please review the code again; many people, including me, suffer from a webserver error since this PR was merged.
Ubuntu 16.04, running 2 docker images for bitfinex and poloniex.
With this code set, the webserver returns "These aren't the droids you're looking for".
Maybe a better explanation of what this was intended to fix would be needed. I personally run just one docker image with the bot on the local LAN without nginx in front.
I guess it's due to the symbolic link being lost in os.path.realpath on a multi-market setting. I'm not quite sure this os import is appropriate.
I have made a PR to fix the problem. abspath should be fine to resolve the path in this security patch context. Tested with a multi-market config file and separate docker images, and it works well.
@mazhead @utdrmac could you check the PR to see if it resolves the issue you are facing?
#615
@rnevet I'm not experiencing any issues. You said this change is needed but I don't see a use case where the exploit is an issue. How are you viewing API keys under the current code base?
Latest version works.
Thank you both @rnevet and @M-Igashi !
@utdrmac I reviewed the code while making the PR, and found that the original .py code referred to the template path through a wildcard relative path finder to the www directory, which may potentially face exploitation. Then I was convinced that this patch was necessary.
@utdrmac basically, by using a relative path inside the URL you could reach parent directories; I managed to reproduce this before patching it. If you wish to have further details, ping me on chat.
@M-Igashi Thanks for the PR!
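Added example (not the project's code) illustrating the trade-off discussed in this thread: a served path is accepted only if it stays under the www root, so a "../" path is rejected whether the root is normalised with os.path.abspath or os.path.realpath, but realpath additionally rejects a symlink inside www that points outside it, which is the kind of multi-market setup the comments describe as broken. The www/ layout, the secret default.cfg beside it and the linked.cfg symlink are constructed for the demo.

```python
import os
import tempfile


def resolve_under_root(root, requested, follow_symlinks=False):
    """Return the absolute path for `requested` inside `root`, or None if it escapes.

    follow_symlinks=False normalises lexically with os.path.abspath, so a symlink
    kept inside www/ stays servable; True resolves symlinks with os.path.realpath,
    which also rejects links whose target lives outside the root.
    """
    norm = os.path.realpath if follow_symlinks else os.path.abspath
    base = norm(root)
    candidate = norm(os.path.join(base, requested.lstrip("/")))
    # commonpath compares whole path components, so "www2" cannot pass as "www".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo():
    """Build a constructed www/ tree next to a secret config and exercise both modes."""
    with tempfile.TemporaryDirectory() as tmp:
        www = os.path.join(tmp, "www")
        os.mkdir(www)
        with open(os.path.join(tmp, "default.cfg"), "w") as f:
            f.write("[api]\nkey = CONSTRUCTED-PLACEHOLDER\n")  # must never be served
        with open(os.path.join(www, "index.html"), "w") as f:
            f.write("<html></html>\n")
        # A legitimate symlink inside www/ whose target is outside it.
        os.symlink(os.path.join(tmp, "default.cfg"), os.path.join(www, "linked.cfg"))
        return {
            "plain_file_served": resolve_under_root(www, "index.html") is not None,
            "traversal_blocked_abspath": resolve_under_root(www, "../default.cfg") is None,
            "traversal_blocked_realpath": resolve_under_root(www, "../default.cfg", True) is None,
            "symlink_served_abspath": resolve_under_root(www, "linked.cfg") is not None,
            "symlink_blocked_realpath": resolve_under_root(www, "linked.cfg", True) is None,
        }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Which mode is right depends on whether symlinks under www/ are part of the deployment; the thread settled on abspath to keep them working while still blocking "../".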