This change rejects up-level (`..`) path references that would resolve to a location outside the HTTP base directory the static handler serves from.
[CVE-2020-1699]
Fixes: https://tracker.ceph.com/issues/43607
Signed-off-by: Ernesto Puerta <epuertat@redhat.com>
(cherry picked from commit
0443e40c11280ba3b7efcba61522afa70c4f8158)
Conflicts:
- src/pybind/mgr/dashboard/tests/test_home.py (refactored tests)
base_dir = self._language_dir(langs)
full_path = os.path.join(base_dir, path)
+
+ # Block uplevel attacks
+ if not os.path.normpath(full_path).startswith(os.path.normpath(base_dir)):
+ raise cherrypy.HTTPError(403) # Forbidden
+
logger.debug("serving static content: %s", full_path)
if 'Vary' in cherrypy.response.headers:
cherrypy.response.headers['Vary'] = "{}, Accept-Language"
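Review bot: The containment check added on the `if not os.path.normpath(full_path).startswith(...)` line compares strings rather than path components, so a sibling directory whose name extends the base directory's name (for example a base of `.../en` and a resolved path under `.../en-foo/`) would pass the `startswith` test and be served. A component-aware comparison closes that gap while still accepting the base directory itself: `full_path = os.path.normpath(os.path.join(base_dir, path))` followed by `if os.path.commonpath([os.path.normpath(base_dir), full_path]) != os.path.normpath(base_dir): raise cherrypy.HTTPError(403)`. Note that `normpath` only collapses `..` lexically and does not resolve symlinks; if the static tree can contain links pointing outside `base_dir`, `os.path.realpath` on both sides would be needed — that depends on how the directory is populated, which the hunk does not show. The enclosing method starts before this hunk, so how `path` is derived from the request (and whether it can be absolute, in which case `os.path.join` discards `base_dir`) is not visible here.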
logger.info(self.body)
self.assertIn('<html lang="en">', self.body.decode('utf-8'))
+ def test_home_uplevel_check(self):
+ self._get('/../../../../../../etc/shadow')
+ self.assertStatus(403)
+
def test_home_en_us(self):
self._get('/', headers=[('Accept-Language', 'en-US')])
self.assertStatus(200)
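Review bot: The added `test_home_uplevel_check` exercises a single traversal shape, a leading run of `../` segments, which a test client or the HTTP layer may already collapse before the handler's new check runs; if that happens the 403 would not actually be proving the guard works. Adding a second case that reaches the handler with the raw segments intact (for instance a percent-encoded form such as `%2e%2e%2f` if the test helper passes the path through unchanged — worth confirming how `_get` builds the request) and a sibling-prefix case such as a path resolving next to the language directory would pin the guard itself rather than the framework's normalisation. A comment on the test stating which layer is expected to reject the request would also help the next maintainer, e.g. `# Must be rejected by the handler's containment check, not by URL normalisation`.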