nautilus: mgr/dashboard: fix improper URL checking #32744

epuertat · 2020-01-21T10:28:59Z

backport tracker: https://tracker.ceph.com/issues/43725

backport of #32652
parent tracker: https://tracker.ceph.com/issues/43607

This change disables up-level references beyond the HTTP base directory.
[CVE-2020-1699]

Fixes: https://tracker.ceph.com/issues/43607
Signed-off-by: Ernesto Puerta epuertat@redhat.com

(cherry picked from commit 0443e40)

Conflicts:

src/pybind/mgr/dashboard/tests/test_home.py (refactored tests)

Checklist

References tracker ticket
Updates documentation if necessary
Includes tests for new functionality or reproducer for bug

Show available Jenkins commands

jenkins retest this please
jenkins test crimson perf
jenkins test signed
jenkins test make check
jenkins test make check arm64
jenkins test submodules
jenkins test dashboard
jenkins test dashboard backend
jenkins test docs
jenkins render docs
jenkins test ceph-volume all
jenkins test ceph-volume tox

This change disables up-level references beyond the HTTP base directory. [CVE-2020-1699] Fixes: https://tracker.ceph.com/issues/43607 Signed-off-by: Ernesto Puerta <epuertat@redhat.com> (cherry picked from commit 0443e40) Conflicts: - src/pybind/mgr/dashboard/tests/test_home.py (refactored tests)

epuertat · 2020-01-21T11:33:38Z

jenkins test dashboard

epuertat · 2020-01-21T11:33:56Z

jenkins test make check

epuertat · 2020-01-21T11:34:21Z

jenkins test dashboard backend

alfonsomthd · 2020-01-21T14:22:08Z

jenkins test make check

epuertat · 2020-01-21T15:05:03Z

Both make checkand dashboard backend tests seem unrelated to this change (it failed on Bionic due to Python pip issue: ImportError: cannot import name SourceDistribution).

epuertat · 2020-01-21T15:06:32Z

jenkins test dashboard backend

callithea · 2020-01-22T07:49:19Z

jenkins test dashboard backend

callithea · 2020-01-22T09:34:45Z

jenkins test dashboard backend

callithea · 2020-01-22T14:59:15Z

Re-started the pkg build (after a rebase): https://shaman.ceph.com/builds/ceph/wip-laura-testing-dashboard-nautilus-31792-32744/

LenzGr

LGTM!

epuertat · 2020-01-24T15:41:06Z

Launched QA from @callithea's packages.

epuertat · 2020-01-24T17:19:37Z

QA passed

callithea · 2020-02-04T17:15:20Z

rados/mgr [36/36 passed]
rados/dashboard [4/4 passed]

theanalyst · 2020-02-05T12:03:36Z

already a part of 14.2.7, the branch history is messed up when viewing in gh, but this is the commit 8392c2c

epuertat added bug-fix dashboard labels Jan 21, 2020

epuertat added this to the nautilus milestone Jan 21, 2020

epuertat self-assigned this Jan 21, 2020

epuertat added this to In progress in Dashboard via automation Jan 21, 2020

epuertat requested review from rjfd, smithfarm, tchaikov, callithea, LenzGr and alfonsomthd January 21, 2020 10:30

smithfarm requested review from a team and removed request for smithfarm January 21, 2020 10:39

tchaikov approved these changes Jan 21, 2020

View reviewed changes

Dashboard automation moved this from In progress to Reviewer approved Jan 21, 2020

alfonsomthd approved these changes Jan 21, 2020

View reviewed changes

yuriw added the needs-qa label Jan 21, 2020

callithea added the wip-laura-testing label Jan 22, 2020

LenzGr approved these changes Jan 24, 2020

View reviewed changes

LenzGr removed the wip-laura-testing label Jan 24, 2020

smithfarm added the nautilus-batch-1 nautilus point releases label Jan 24, 2020

epuertat removed the needs-qa label Jan 24, 2020

callithea approved these changes Jan 27, 2020

View reviewed changes

callithea removed the nautilus-batch-1 nautilus point releases label Jan 27, 2020

theanalyst force-pushed the nautilus branch from 3099d97 to 20fd89e Compare January 31, 2020 17:03

callithea added wip-laura-testing needs-qa and removed wip-laura-testing labels Feb 4, 2020

callithea added the needs-rebase label Feb 4, 2020

epuertat changed the base branch from nautilus to nautilus-saved February 5, 2020 12:00

epuertat changed the base branch from nautilus-saved to nautilus February 5, 2020 12:01

theanalyst closed this Feb 5, 2020

Dashboard automation moved this from Reviewer approved to Done Feb 5, 2020

epuertat deleted the fix-43725-nautilus branch February 5, 2020 12:05

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

nautilus: mgr/dashboard: fix improper URL checking #32744

nautilus: mgr/dashboard: fix improper URL checking #32744

epuertat commented Jan 21, 2020 •

edited

epuertat commented Jan 21, 2020

epuertat commented Jan 21, 2020

epuertat commented Jan 21, 2020

alfonsomthd commented Jan 21, 2020

epuertat commented Jan 21, 2020

epuertat commented Jan 21, 2020

callithea commented Jan 22, 2020

callithea commented Jan 22, 2020

callithea commented Jan 22, 2020

LenzGr left a comment

epuertat commented Jan 24, 2020

epuertat commented Jan 24, 2020

callithea commented Feb 4, 2020 •

edited

theanalyst commented Feb 5, 2020

nautilus: mgr/dashboard: fix improper URL checking #32744

nautilus: mgr/dashboard: fix improper URL checking #32744

Conversation

epuertat commented Jan 21, 2020 • edited

Checklist

epuertat commented Jan 21, 2020

epuertat commented Jan 21, 2020

epuertat commented Jan 21, 2020

alfonsomthd commented Jan 21, 2020

epuertat commented Jan 21, 2020

epuertat commented Jan 21, 2020

callithea commented Jan 22, 2020

callithea commented Jan 22, 2020

callithea commented Jan 22, 2020

LenzGr left a comment

Choose a reason for hiding this comment

epuertat commented Jan 24, 2020

epuertat commented Jan 24, 2020

callithea commented Feb 4, 2020 • edited

theanalyst commented Feb 5, 2020

epuertat commented Jan 21, 2020 •

edited

callithea commented Feb 4, 2020 •

edited