fix: [showpaste] path transversal

pull/282/head
Terrtia 2018-09-17 15:42:22 +02:00
parent a414a84044
commit 094b211259
2 changed files with 9 additions and 0 deletions


@ -144,6 +144,8 @@ bootstrap_label = ['primary', 'success', 'danger', 'warning', 'info']
UPLOAD_FOLDER = os.path.join(os.environ['AIL_FLASK'], 'submitted') UPLOAD_FOLDER = os.path.join(os.environ['AIL_FLASK'], 'submitted')
PASTES_FOLDER = os.path.join(os.environ['AIL_HOME'], cfg.get("Directories", "pastes"))
max_dashboard_logs = int(cfg.get("Flask", "max_dashboard_logs")) max_dashboard_logs = int(cfg.get("Flask", "max_dashboard_logs"))
# VT # VT


@ -31,12 +31,19 @@ bootstrap_label = Flask_config.bootstrap_label
misp_event_url = Flask_config.misp_event_url misp_event_url = Flask_config.misp_event_url
hive_case_url = Flask_config.hive_case_url hive_case_url = Flask_config.hive_case_url
vt_enabled = Flask_config.vt_enabled vt_enabled = Flask_config.vt_enabled
PASTES_FOLDER = Flask_config.PASTES_FOLDER
showsavedpastes = Blueprint('showsavedpastes', __name__, template_folder='templates') showsavedpastes = Blueprint('showsavedpastes', __name__, template_folder='templates')
# ============ FUNCTIONS ============ # ============ FUNCTIONS ============
def showpaste(content_range, requested_path): def showpaste(content_range, requested_path):
if PASTES_FOLDER not in requested_path:
requested_path = os.path.join(PASTES_FOLDER, requested_path)
# escape directory transversal
if os.path.commonprefix((os.path.realpath(requested_path),PASTES_FOLDER)) != PASTES_FOLDER:
return 'path transversal detected'
vt_enabled = Flask_config.vt_enabled vt_enabled = Flask_config.vt_enabled
paste = Paste.Paste(requested_path) paste = Paste.Paste(requested_path)
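Review bot: The containment check on the `os.path.commonprefix` line is string-based and compares against PASTES_FOLDER without a trailing separator, so a resolved path that merely shares the base as a character prefix (a sibling directory whose name begins with the pastes folder name) would pass; it also compares a realpath'd request against an un-normalized base, which can produce spurious rejections if PASTES_FOLDER contains a symlink or `..` component. Resolve the base once and compare path components rather than characters: `real_base = os.path.realpath(PASTES_FOLDER)` / `if os.path.commonpath((os.path.realpath(requested_path), real_base)) != real_base:` / `return 'path transversal detected'`. The `PASTES_FOLDER not in requested_path` substring test is only a join heuristic and must not be relied on for containment, which is presumably why the realpath check follows it. The body of showpaste continues outside the hunk, so how the returned string is turned into an HTTP response (and whether it carries an error status) is not visible here.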