Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

window.ipfs.files.cp and files.mv scoping bypass #530

Closed
2 of 3 tasks
lidel opened this issue Jul 15, 2018 · 3 comments
Closed
2 of 3 tasks

window.ipfs.files.cp and files.mv scoping bypass #530

lidel opened this issue Jul 15, 2018 · 3 comments
Labels
area/window-ipfs Issues related to IPFS API exposed on every page kind/bug A bug in existing code (including security flaws) topic/security Work related to security
Projects
window.ipfs

Comments

@lidel
Copy link
Member

lidel commented Jul 15, 2018
edited
Loading

(Below A and B are reproducible with ipfs-companion v2.4.2)

Bugs related to createSrcDestPre hook in Companion

Bug A: passing source and destination without wrapping them in array bypasses scoping

window.ipfs.files.cp('/ipfs/QmWfVY9y3xjsixTgbd9AorQxH7VtMpzfx2HaWtsoUYecaX', '/destination.jpg')
// → No error, but file is created outside the sandbox, at real /destination.jpg

createSrcDestPre.args.before: ["/ipfs/QmWfVY9y3xjsixTgbd9AorQxH7VtMpzfx2HaWtsoUYecaX","/destination.jpg"] 
createSrcDestPre.appPath:     '/dapps/https/www.wikipedia.org/'
// no destination prefix:
createSrcDestPre.args.after:  ["/ipfs/QmWfVY9y3xjsixTgbd9AorQxH7VtMpzfx2HaWtsoUYecaX","/destination.jpg"]

How to fix?

  • A.a) Always require sources and destination wrapped in array (throw error if !Array.isArray(args[0]))
  • A.b) Add support for both versions?

Bug B: copying from /ipfs/ is broken due to unnecessary prefixing (passing source and destination in array)

window.ipfs.files.cp(['/ipfs/QmWfVY9y3xjsixTgbd9AorQxH7VtMpzfx2HaWtsoUYecaX', '/destination.jpg'])
// → Error: file does not exist

createSrcDestPre.args.before: [["/ipfs/QmWfVY9y3xjsixTgbd9AorQxH7VtMpzfx2HaWtsoUYecaX","/destination.jpg"]] 
createSrcDestPre.appPath:     '/dapps/https/www.wikipedia.org/'
// the /ipfs/ source got (unnecessarily) prefixed, which produced error above:
createSrcDestPre.args.after:  [["/dapps/https/www.wikipedia.org/ipfs/QmWfVY9y3xjsixTgbd9AorQxH7VtMpzfx2HaWtsoUYecaX","/dapps/https/www.wikipedia.org/destination.jpg"]]

How to fix?

  • Do not prefix if source is a valid /ipfs/ path (validate CID, if invalid, then prefix)?

Problem with tests/docs for files.cp and files.mv

I noticed we test different API calls to files.cp and files.mv than ones in docs.

Right now only array-wrapped version is being tested:

.. but we advertise unwrapped version it in the SPEC docs:

This means users probably run version that we don't have real tests for (at least that is the case for MFS exposed via window.ipfs). In most cases it does not matter, but there are edge cases such as window.ipfs where it makes a difference (see bug A vs B above)

@alanshaw I would appreciate some feedback and sanity check on how to proceed. Should we add tests to interface-ipfs-core for both versions (implies A.b), refuse non-wrapped version and change SPEC docs (A.a), or maybe I misunderstood a deeper problem entirely?
@lidel lidel added kind/bug A bug in existing code (including security flaws) topic/security Work related to security area/window-ipfs Issues related to IPFS API exposed on every page labels Jul 15, 2018
lidel added a commit that referenced this issue Jul 15, 2018
@lidel
fix: do not prefix /ipfs/ source paths in window.ipfs.files.cp
e16709c 
This fixes bug B from
#530
@lidel lidel mentioned this issue Jul 15, 2018
Merged
2 tasks
@alanshaw
Copy link
Member

@lidel

A) The syntax recently changed to remove passing an array. Array syntax is deprecated but currently will work in js-ipfs-api - we need to update the code in companion that does the prefixing to either allow for both versions, or just the non array syntax

B) Yes that's a bug

lidel added a commit that referenced this issue Jul 16, 2018
@lidel
fix: files.cp|mv scoping for new syntax
109565f 
Fixes scope bypass and adds deprecation warning for array-based args

More context:
#530 (comment)
@lidel
Copy link
Member Author

lidel commented Jul 16, 2018

@alanshaw ack, added fixes and deprecation warning in #531, please take a look in spare moment

@lidel
Copy link
Member Author

lidel commented Jul 23, 2018

Fixed in #531

@lidel lidel closed this as completed Jul 23, 2018
@lidel lidel added this to To do in window.ipfs Oct 1, 2019
@lidel lidel moved this from To do to Done in window.ipfs Oct 1, 2019
@lidel lidel mentioned this issue Oct 14, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/window-ipfs Issues related to IPFS API exposed on every page kind/bug A bug in existing code (including security flaws) topic/security Work related to security
Projects
No open projects
window.ipfs
  
Done
Milestone
No milestone
Development

No branches or pull requests
2 participants
@alanshaw @lidel