-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
File write vulnerability if username contains ../
#32
Comments
Hi, My opinion is termchat is currently made with friendly network in mind, so no encryption and all features can be abused. I think remaining like this is a good option in-itself. If termchat wants to take the direction of secure software, I'm sure there are a lot of things that needs to be changed. With that in mind regarding this issue, I think sanitizing is too tricky to get right, maybe a more correct approach is to prompt the receiver if they want to receive the file (and I imagine also the same for all the other commands). Also we can maybe enforce normal usernames (by dropping requests from sender that don't match [0-9A-za-z_]* for example). For the last issue (creating the file, it should be checked that it doesn't exist ) , I think that should be a separate issue(To fix it, the Stream message needs to be able to express the start of the sending, so the receiver can react at that point if he has the file already). |
Even if you don't want to fully sanitise the path, simply checking for "../" will get you most of the way there (on Unix). A more complete option might be to disallow directories entirely and strip out only the final element of the inputted path ie folder/name/test.txt becomes text.txt |
To summarize, the complete workaround could consist in:
Regarding the possibility of allowing to receive a file before sending, it could be tricky to implement since a file can be sent to different users. What happens from the sender side if some users accept the file at different times? Would I need to reopen the file for each user? |
Personally, I would prefer usernames stay more open than that. It seems reasonable to expect users to want to put / in their name. So sanitizing on use seems a better idea. That does come at the cost of being harder to safely work with, but at the moment there is only one place that needs to use the name. (Maybe a newtype wrapper As for multiple people accepting at different times, I think opening the file once per receiver is the best bet (but you'd want to be careful about someone spamming receivers and trying to get you to open the file too many times and exausting your open files, so a limit of some value is a good idea there) |
I set my username on client A to
../../home/jess/.ssh
and used?send authorized_keys
.This then wrote the contents of
authorized_keys
to the actual authorized_keys on the target machine.I haven't tested it with a malicious filename, but I assume that has the same problem.
A mitigation would be to check that the path you're writing to is under the temp directory, and replace
/
with some other character when writing.Also, when creating the file, it should be checked that it doesn't exist (See https://doc.rust-lang.org/std/fs/struct.OpenOptions.html#method.create_new )
The text was updated successfully, but these errors were encountered: