Prevent privilege escalation attacks via sourcefilename [issue #46](#46…

…). Thanks Marlon.
trampgeek · Jan 30, 2021 · 694da50 · 694da50
1 parent b9821cd
commit 694da50
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # JOBE
 
-Version: 1.6.4, 22 January 2021
+Version: 1.6.5, 31 January 2021
 
 
 Author: Richard Lobb, University of Canterbury, New Zealand
@@ -846,3 +846,8 @@ Thanks Tim Hunt for most of the work in this addition.
 
   1. Workaround for bug in py_compile (https://bugs.python.org/issue38731)
 that results in multiple error messages when a python syntax check fails.
+
+### 1.6.5 (31 January 2021)
+
+  1. Prevent privilege escalation attacks via sourcefilename [issue #46](https://github.com/trampgeek/jobe/issues/46).
+  1. Add a load tester (ad hoc, experimental), loadtester.py.
diff --git a/application/controllers/Restapi.php b/application/controllers/Restapi.php
@@ -149,10 +149,12 @@ public function runs_post() {
             $this->error('runs_post: missing or invalid run_spec parameter', 400);
         }
         if (!is_array($run) || !isset($run['sourcecode']) ||
-                !isset($run['language_id'])
-        ) {
+                !isset($run['language_id']) ) {
             $this->error('runs_post: invalid run specification', 400);
         }
+        if (isset($run->sourcefilename) && !self::is_valid_source_filename($run->sourcefilename)) {
+            $this->error('runs_post: invalid sourcefilename');
+        }
 
         // REST_Controller has called to_array on the JSON decoded
         // object, so we must first turn it back into an object.
@@ -273,6 +275,24 @@ public function languages_get()
     // **********************
     // Support functions
     // **********************
+
+    // Return true unless the given filename looks dangerous, e.g. has '/' or '..'
+    // substrings. Uses code from https://stackoverflow.com/questions/2021624/string-sanitizer-for-filename
+    private function is_valid_source_filename($filename) {
+        $sanitised = preg_replace(
+        '~
+        [<>:"/\\|?*]|            # file system reserved https://en.wikipedia.org/wiki/Filename#Reserved_characters_and_words
+        [\x00-\x1F]|             # control characters http://msdn.microsoft.com/en-us/library/windows/desktop/aa365247%28v=vs.85%29.aspx
+        [\x7F\xA0\xAD]|          # non-printing characters DEL, NO-BREAK SPACE, SOFT HYPHEN
+        [#\[\]@!$&\'()+,;=]|     # URI reserved https://tools.ietf.org/html/rfc3986#section-2.2
+        [{}^\~`]                 # URL unsafe characters https://www.ietf.org/rfc/rfc1738.txt
+        ~x',
+        '-', $filename);
+        // Avoid ".", ".." or ".hiddenFiles"
+        $sanitised = ltrim($sanitised, '.-');
+        return $sanitised === $filename;
+    }
+
     private function is_valid_filespec($file) {
         return (count($file) == 2 || count($file) == 3) &&
              is_string($file[0]) &&