mgr/dashboard: fix improper URL checking

This change disables up-level references beyond the HTTP base directory.
[CVE-2020-1699]

Fixes: https://tracker.ceph.com/issues/43607
Signed-off-by: Ernesto Puerta <epuertat@redhat.com>

diff --git a/src/pybind/mgr/dashboard/controllers/home.py b/src/pybind/mgr/dashboard/controllers/home.py
index 517245ee88d29dd944b3ddb329a855c4e9915b2e..90f976329c587db5144f486f0f642aee34ed9f21 100644 (file)
--- a/src/pybind/mgr/dashboard/controllers/home.py
+++ b/src/pybind/mgr/dashboard/controllers/home.py
@@ -115,6 +115,11 @@ class HomeController(BaseController, LanguageMixin):
 
         base_dir = self._language_dir(langs)
         full_path = os.path.join(base_dir, path)
+
+        # Block uplevel attacks
+        if not os.path.normpath(full_path).startswith(os.path.normpath(base_dir)):
+            raise cherrypy.HTTPError(403)  # Forbidden
+
         logger.debug("serving static content: %s", full_path)
         if 'Vary' in cherrypy.response.headers:
             cherrypy.response.headers['Vary'] = "{}, Accept-Language"

diff --git a/src/pybind/mgr/dashboard/tests/test_home.py b/src/pybind/mgr/dashboard/tests/test_home.py
index 1ed22c9c0fc1a1b449c61fe9cb1497702714e06c..2ec1b2ad764164a7188277caa153faff67d01758 100644 (file)
--- a/src/pybind/mgr/dashboard/tests/test_home.py
+++ b/src/pybind/mgr/dashboard/tests/test_home.py
@@ -42,6 +42,13 @@ class HomeTest(ControllerTestCase, FakeFsMixin):
         logger.info(self.body)
         self.assertIn('<html lang="en">', self.body.decode('utf-8'))
 
+    @mock.patch(FakeFsMixin.builtins_open, new=FakeFsMixin.f_open)
+    @mock.patch('os.stat', new=FakeFsMixin.f_os.stat)
+    @mock.patch('os.listdir', new=FakeFsMixin.f_os.listdir)
+    def test_home_uplevel_check(self):
+        self._get('/../../../../../../etc/shadow')
+        self.assertStatus(403)
+
     @mock.patch(FakeFsMixin.builtins_open, new=FakeFsMixin.f_open)
     @mock.patch('os.stat', new=FakeFsMixin.f_os.stat)
     @mock.patch('os.listdir', new=FakeFsMixin.f_os.listdir)