Skip to content

Fix SimpleWeb arbitrary file read vulnurability #829

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ReenigneArcher merged 7 commits into from
Jan 25, 2023
Merged

Fix SimpleWeb arbitrary file read vulnurability #829

Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
1253eb7
Alternate PR for SimpleWeb arbitrary file read vulnurability
safijari Jan 24, 2023
713428b
PR comments
safijari Jan 24, 2023
8319bc2
Run clang-format
safijari Jan 24, 2023
a2c38ae
Merge branch 'nightly' into webui-vulnerability-fix-std-filesystem
safijari Jan 24, 2023
34e22b4
Fix issue with concatenation of flip fs::relative arguments
safijari Jan 24, 2023
1ef304b
Merge branch 'nightly' into webui-vulnerability-fix-std-filesystem
safijari Jan 25, 2023
49ede6a
Make it so that malformed paths always return a 400
safijari Jan 25, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 28 additions & 11 deletions src/confighttp.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -246,23 +246,40 @@ void getSunshineLogoImage(resp_https_t response, req_https_t request) {
response->write(SimpleWeb::StatusCode::success_ok, in, headers);
}

bool isChildPath(fs::path const &base, fs::path const &query) {
auto relPath = fs::relative(base, query);
return *(relPath.begin()) != fs::path("..");
}

void getNodeModules(resp_https_t response, req_https_t request) {
print_req(request);
fs::path webDirPath(WEB_DIR);
fs::path nodeModulesPath(webDirPath / "node_modules");

SimpleWeb::CaseInsensitiveMultimap headers;
if(boost::algorithm::iends_with(request->path, ".ttf") == 1) {
std::ifstream in((WEB_DIR + request->path).c_str(), std::ios::binary);
headers.emplace("Content-Type", "font/ttf");
response->write(SimpleWeb::StatusCode::success_ok, in, headers);
// .relative_path is needed to shed any leading slash that might exist in the request path
auto filePath = fs::weakly_canonical(webDirPath / fs::path(request->path).relative_path());

// Don't do anything if file does not exist or is outside the node_modules directory
if(!isChildPath(filePath, nodeModulesPath)) {
BOOST_LOG(warning) << "Someone requested a path " << filePath << " that is outside the node_modules folder";
response->write(SimpleWeb::StatusCode::client_error_bad_request, "Bad Request");
}
else if(boost::algorithm::iends_with(request->path, ".woff2") == 1) {
std::ifstream in((WEB_DIR + request->path).c_str(), std::ios::binary);
headers.emplace("Content-Type", "font/woff2");
response->write(SimpleWeb::StatusCode::success_ok, in, headers);
else if(!fs::exists(filePath)) {
response->write(SimpleWeb::StatusCode::client_error_not_found);
}
else {
std::string content = read_file((WEB_DIR + request->path).c_str());
response->write(content);
auto relPath = fs::relative(filePath, webDirPath);
if(relPath.extension() == ".ttf" or relPath.extension() == ".woff2") {
// Fonts are read differntly
SimpleWeb::CaseInsensitiveMultimap headers;
std::ifstream in((filePath).c_str(), std::ios::binary);
headers.emplace("Content-Type", "font/" + filePath.extension().string().substr(1));
response->write(SimpleWeb::StatusCode::success_ok, in, headers);
}
else {
std::string content = read_file((filePath.string()).c_str());
response->write(content);
}
}
}

Expand Down