fixing payload load #3927

Merged
merged 6 commits into from Jul 14, 2023

Mzack9999
Member

@Mzack9999 Mzack9999 commented Jul 13, 2023

Proposed changes

  • Removed -sandbox option, now divided into two new options shared below.
  • Added options to enable/disable file/network access.
   -lna, -restrict-local-network-access  blocks connections to the local / private network
   -lfa, -allow-local-file-access  allows file (payload) access anywhere on the system
  • Fixed issue with payloads feature in sandbox mode.

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

@Ice3man543 Ice3man543 marked this pull request as ready for review July 14, 2023 05:39
@ehsandeep ehsandeep mentioned this pull request Jul 14, 2023
4 tasks
Member

@tarunKoyalwar tarunKoyalwar left a comment

lgtm !

Member

@tarunKoyalwar tarunKoyalwar left a comment

if !(templatePathDir != "/" && strings.HasPrefix(pt, templatePathDir)) && !strings.HasPrefix(pt, templateDirectory)

above code is used to restrict access

  • if payload file is not in template directory
  • if payload file is not in directory where template is present

@Mzack9999 I am not sure, but I think we need to test this in a Windows environment to verify that this is working properly, since the root path here is / but the root path is different for Windows distros, and also https://pkg.go.dev/vuln/GO-2023-1568

@Mzack9999
Member Author

@tarunKoyalwar I think we need to add a function in the utils package that, given a path, performs a cross-platform check from a list of allowed directories. Will create a ticket for that; meanwhile we can temporarily merge this upon @Ice3man543's confirmation.
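
One way the cross-platform check discussed in the two comments above could look, as an added example that is not part of the thread or of the project's code. `IsPathAllowed`, `isFilesystemRoot` and the sample directories are hypothetical names constructed for illustration; the check is lexical only and assumes symlinks are handled separately.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// isFilesystemRoot is true for "/" on Unix and for volume roots such as `C:\`
// on Windows, so the check does not depend on a hard-coded "/".
func isFilesystemRoot(dir string) bool {
	return filepath.Dir(dir) == dir
}

// IsPathAllowed (hypothetical helper) reports whether target lies inside one
// of allowedDirs. The check is lexical: symlinks are not resolved.
func IsPathAllowed(target string, allowedDirs []string) (bool, error) {
	absTarget, err := filepath.Abs(target) // also cleans "." and ".." elements
	if err != nil {
		return false, err
	}
	for _, dir := range allowedDirs {
		if dir == "" {
			continue // filepath.Abs("") would silently mean the working directory
		}
		absDir, err := filepath.Abs(dir)
		if err != nil {
			return false, err
		}
		if isFilesystemRoot(absDir) {
			continue // a root directory would allow every file on the volume
		}
		// Rel compares whole path components, unlike a string prefix test,
		// and fails when the two paths are on different Windows volumes.
		rel, err := filepath.Rel(absDir, absTarget)
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			continue
		}
		return true, nil
	}
	return false, nil
}

func main() {
	allowed := []string{"/opt/templates", "/"} // constructed sample directories
	for _, p := range []string{"/opt/templates/payloads/words.txt", "/opt/templates/../../etc/hosts"} {
		ok, err := IsPathAllowed(p, allowed)
		fmt.Println(p, ok, err)
	}
}
```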

@ehsandeep ehsandeep merged commit e5154d3 into dev Jul 14, 2023
9 of 10 checks passed
@ehsandeep ehsandeep deleted the bugfix-load branch July 14, 2023 14:09
Successfully merging this pull request may close these issues.

enabling sandbox option as default