Skip to content
Permalink
Browse files Browse the repository at this point in the history
SECURITY: Fix path traversal on diagnostics route.
  • Loading branch information
tgxworld committed Dec 17, 2021
1 parent 0b21d19 commit 9b6deee
Show file tree
Hide file tree
Showing 3 changed files with 41 additions and 10 deletions.
1 change: 1 addition & 0 deletions CHANGELOG
@@ -1,6 +1,7 @@
Unreleased

- FIX: Prevent simple polling from clobbering the session
- SECURITY: Fix path traversal on diagnostics route.

31-05-2021

Expand Down
37 changes: 30 additions & 7 deletions lib/message_bus/rack/diagnostics.rb
Expand Up @@ -13,6 +13,15 @@ def initialize(app, config = {})
@bus = config[:message_bus] || MessageBus
end

JS_ASSETS = %w{
jquery-1.8.2.js
react.js
react-dom.js
babel.min.js
message-bus.js
application.jsx
}

# Process an HTTP request from a subscriber client
# @param [Rack::Request::Env] env the request environment
def call(env)
Expand All @@ -39,7 +48,8 @@ def call(env)
end

asset = route.split('/assets/')[1]
if asset && !asset !~ /\//

if asset && JS_ASSETS.include?(asset)
content = asset_contents(asset)
return [200, { 'Content-Type' => 'application/javascript;charset=UTF-8' }, [content]]
end
Expand Down Expand Up @@ -74,6 +84,23 @@ def asset_path(asset)
File.expand_path("../../../../assets/#{asset}", __FILE__)
end

def script_tags
tags = []

JS_ASSETS.each do |asset|
type =
if asset.end_with?('.js')
'text/javascript'
elsif asset.end_with?('.jsx')
'text/jsx'
end

tags << js_asset(asset, type)
end

tags.join("\n")
end

def index
html = <<~HTML
<!DOCTYPE html>
Expand All @@ -82,12 +109,8 @@ def index
</head>
<body>
<div id="app"></div>
#{js_asset "jquery-1.8.2.js"}
#{js_asset "react.js"}
#{js_asset "react-dom.js"}
#{js_asset "babel.min.js"}
#{js_asset "message-bus.js"}
#{js_asset "application.jsx", "text/jsx"}
#{script_tags}
</body>
</html>
HTML
Expand Down
13 changes: 10 additions & 3 deletions spec/lib/message_bus/rack/middleware_spec.rb
Expand Up @@ -142,13 +142,12 @@ module LongPolling
end

describe "diagnostics" do
it "should return a 403 if a user attempts to get at the _diagnostics path" do
it "should return a 403 if an unauthorized user attempts to get at the _diagnostics path" do
get "/message-bus/_diagnostics"
last_response.status.must_equal 403
end

it "should get a 200 with html for an authorized user" do

def @bus.is_admin_lookup
proc { |_| true }
end
Expand All @@ -171,7 +170,6 @@ def @bus.is_admin_lookup
end

it "should get the script it asks for" do

def @bus.is_admin_lookup
proc { |_| true }
end
Expand All @@ -180,6 +178,15 @@ def @bus.is_admin_lookup
last_response.status.must_equal 200
last_response.content_type.must_equal "application/javascript;charset=UTF-8"
end

it "should return 404 for invalid assets path" do
def @bus.is_admin_lookup
proc { |_| true }
end

get "/message-bus/_diagnostics/assets/../Gemfile"
last_response.status.must_equal 404
end
end

describe "polling" do
Expand Down

0 comments on commit 9b6deee

Please sign in to comment.