
fix(web-api): percent-decode before path-splitting #560

Merged
merged 1 commit into from
Aug 23, 2023

Conversation

tsani
Contributor

@tsani tsani commented Aug 23, 2023

This PR patches a path traversal vulnerability.

I would like to thank the IT department at McGill's School of Computer Science for noticing this bug, and Max Kopinsky for working on the patch with me.

  • Kind: bugfix

I did not separately report the bug since the fix is quite simple.

Description

Without this patch, try visiting http://localhost:8080/css/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd assuming learn-ocaml is running on port 8080. Notice that this successfully downloads the file /etc/passwd. There is some code present in learn-ocaml that is supposed to prevent this, namely the function sanitise_path, but since the path-splitting operation is performed before the percent-decoding, it is possible to smuggle slashes deeper into the system by simply percent-encoding them as %2f.

Checklist

Note to maintainers

  • Read this wiki page.
  • Make sure the PR has a milestone.
  • Assign yourself before merging.
  • Either do a regular merge:
    • for PRs containing several commits following conventional-commits,
    • or for PRs containing 1 commit shared with a later PR (to preserve the SHA1)
  • Or do a squash-merge:
    • for PRs containing only 1 commit (not shared with a later PR),
    • or for PRs containing several commits that need not be kept in the history;
    • Update the commit message header with a conventional-commit type,
    • Add a footer Close #… if a related issue exists.
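An added Python illustration of the ordering bug described above (not learn-ocaml's OCaml code; `STATIC_ROOT`, `_reject_dotdot` and the other names are constructed stand-ins for the real `sanitise_path` logic): the vulnerable function splits before decoding, the fixed one decodes once and then splits, with a containment check as defence in depth.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root; the real deployment path is not on the page.
STATIC_ROOT = "/srv/learn-ocaml/www"


def _reject_dotdot(segments):
    """Model of a sanitise_path-style check: refuse any '..' segment."""
    return not any(seg == ".." for seg in segments)


def _join_under_root(segments):
    """Join under STATIC_ROOT and normalise, as the OS does on open,
    so 'css/../../etc' really walks upwards."""
    return posixpath.normpath(posixpath.join(STATIC_ROOT, *segments))


def resolve_vulnerable(url_path):
    """Buggy order: split, check, then decode each segment.
    '..%2f..%2fetc' is one segment, so the '..' check never fires and
    decoding afterwards reintroduces the slashes."""
    segments = url_path.split("/")
    if not _reject_dotdot(segments):
        return None
    return _join_under_root([unquote(seg) for seg in segments])


def resolve_fixed(url_path):
    """Fixed order (what the PR does): decode exactly once, then split
    and check. A containment check is added here as defence in depth;
    decoding only once also means a double-encoded %252f stays a literal
    '%2f' in a filename rather than becoming a separator."""
    segments = unquote(url_path).split("/")
    if not _reject_dotdot(segments):
        return None
    target = _join_under_root(segments)
    if not target.startswith(STATIC_ROOT + "/"):
        return None
    return target


if __name__ == "__main__":
    probe = "css/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd"
    print("vulnerable:", resolve_vulnerable(probe))  # /etc/passwd
    print("fixed:     ", resolve_fixed(probe))       # None
```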

This patches a path traversal vulnerability.
@erikmd
Member

erikmd commented Aug 23, 2023

Ouch; many thanks @tsani & all the people involved, for this critical fix.

I'll merge the PR as soon as the CI is green, then publish a stable release.

@erikmd erikmd merged commit 1a0c2ef into ocaml-sf:master Aug 23, 2023
11 checks passed
@erikmd
Member

erikmd commented Aug 23, 2023

Cc @yurug @AltGr this makes me think we should probably setup a security policy (for vulnerability disclosures etc.) in the github repo (cf. https://github.com/ocaml-sf/learn-ocaml/community); let's discuss this point at our next maintainer telco!
