Fix path traversal vulnerability
This change fixes a path traversal vulnerability that would allow
attackers to navigate through the filesystem of the server (provided
execute access to directories for the user running the web server).
Attackers could only list the contents of directories -- not download
files.

The vulnerability was caused by the lack of a check for the validity
of requested paths when handling directories, notably when `..%2F' (`../`
URL-encoded) was present in requested paths.

Background:

awful-salmonella-tar is implemented using awful [0].  Awful is
implemented on top of spiffy [1], and overrides the
`(handle-not-found)` parameter to map URL paths to procedures.  Spiffy
takes some precautions regarding dealing with malicious paths when it
handles static files.  Code that uses spiffy to implement generation
of dynamic content (like awful does) must take its own precautions.

awful-salmonella-tar uses a procedure (`safe-path?') with a relatively
strict policy to allow access to files, but it was not being used to
validate access to directories, and that was causing the
vulnerability.

This change applies `safe-path?` to all requested paths.

Thanks to Chris Brannon for responsibly reporting this issue.

[0] https://wiki.call-cc.org/eggref/5/awful
[1] https://wiki.call-cc.org/eggref/5/spiffy
mario-goulart committed Feb 16, 2022
1 parent 6fb8e3c commit f705c88
Showing 1 changed file with 28 additions and 24 deletions.
52 changes: 28 additions & 24 deletions awful-salmonella-tar.scm
@@ -231,30 +231,34 @@
(lambda (req-path)
(let ((fs-path (make-pathname (list (root-path)
(salmonella-reports-dir))
req-path)))
(if (directory? fs-path)
(render-dir req-path fs-path)
(lambda ()
(let ((not-found (lambda ()
(send-status 'not-found))))
(handle-exceptions exn
(not-found)
(cond ((equal? (pathname-strip-directory req-path)
(salmonella-report-dir))
(redirect-to (string-append req-path "/")))
((equal? (pathname-strip-directory (string-chomp req-path "/"))
(salmonella-report-dir))
(cond ((tar-get (make-pathname req-path (index-file)))
=> send-file-from-cache)
(else (not-found))))
((tar-get req-path) => send-file-from-cache)
(else
(if (file-exists? (make-pathname (list (root-path)
(salmonella-reports-dir))
req-path))
(parameterize ((root-path (salmonella-reports-dir)))
(send-file req-path))
(not-found)))))))))))
req-path))
(not-found (lambda ()
(send-status 'not-found))))
(cond ((not (safe-path? req-path))
(lambda ()
(not-found)))
((directory? fs-path)
(render-dir req-path fs-path))
(else
(lambda ()
(handle-exceptions exn
(not-found)
(cond ((equal? (pathname-strip-directory req-path)
(salmonella-report-dir))
(redirect-to (string-append req-path "/")))
((equal? (pathname-strip-directory (string-chomp req-path "/"))
(salmonella-report-dir))
(cond ((tar-get (make-pathname req-path (index-file)))
=> send-file-from-cache)
(else (not-found))))
((tar-get req-path) => send-file-from-cache)
(else
(if (file-exists? (make-pathname (list (root-path)
(salmonella-reports-dir))
req-path))
(parameterize ((root-path (salmonella-reports-dir)))
(send-file req-path))
(not-found)))))))))))
) ;; end define-app
) ;; end awful-salmonella-tar
) ;; end module
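Review bot: the change carries no regression test for the reported case; only awful-salmonella-tar.scm is touched, so nothing in the tree exercises a request containing `..` (or its URL-encoded form `..%2F`) against a directory path and asserts that the handler now answers `'not-found`. Please add such a test so the ordering in the new `cond` cannot regress silently: the `(not (safe-path? req-path))` clause must remain the first branch, because the next clause calls `(directory? fs-path)` and `fs-path` is built from the unvalidated `req-path`, which is exactly the probe the old `if` performed before any check. A one-line comment above that clause stating "must be checked before `directory?`/`file-exists?` touch the filesystem" would document the invariant for future edits. One further thing worth confirming in the test, since it is not visible in the hunk: that `safe-path?` sees the path in the same (decoded) form the `directory?` and `file-exists?` calls use, so an encoded `..` cannot pass the check and still resolve on disk.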
