mirror of https://github.com/CIRCL/AIL-framework
fix: [Global: filename provided by all feeders] avoid path tranversal
parent
e19a3b3e63
commit
e808840f95
|
@ -45,8 +45,10 @@ if __name__ == '__main__':
|
|||
|
||||
p = Process(config_section)
|
||||
|
||||
# get and sanityze PASTE DIRECTORY
|
||||
PASTES_FOLDER = os.path.join(os.environ['AIL_HOME'], p.config.get("Directories", "pastes"))
|
||||
PASTES_FOLDERS = PASTES_FOLDER + '/'
|
||||
PASTES_FOLDERS = os.path.join(os.path.realpath(PASTES_FOLDERS), '')
|
||||
|
||||
# LOGGING #
|
||||
publisher.info("Feed Script started to receive & publish.")
|
||||
|
@ -75,6 +77,10 @@ if __name__ == '__main__':
|
|||
time.sleep(1)
|
||||
continue
|
||||
|
||||
# remove PASTES_FOLDER from item path (crawled item + submited)
|
||||
if PASTES_FOLDERS in paste:
|
||||
paste = paste.replace(PASTES_FOLDERS, '', 1)
|
||||
|
||||
file_name_paste = paste.split('/')[-1]
|
||||
if len(file_name_paste)>255:
|
||||
new_file_name_paste = '{}{}.gz'.format(file_name_paste[:215], str(uuid.uuid4()))
|
||||
|
@ -82,7 +88,13 @@ if __name__ == '__main__':
|
|||
|
||||
# Creating the full filepath
|
||||
filename = os.path.join(PASTES_FOLDER, paste)
|
||||
filename = os.path.realpath(filename)
|
||||
|
||||
# incorrect filename
|
||||
if not os.path.commonprefix([filename, PASTES_FOLDER]) == PASTES_FOLDER:
|
||||
print('Path traversal detected {}'.format(filename))
|
||||
publisher.warning('Global; Path traversal detected')
|
||||
else:
|
||||
dirname = os.path.dirname(filename)
|
||||
if not os.path.exists(dirname):
|
||||
os.makedirs(dirname)
|
||||
|
@ -106,9 +118,5 @@ if __name__ == '__main__':
|
|||
print('-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------')
|
||||
'''
|
||||
|
||||
# remove PASTES_FOLDER from item path (crawled item + submited)
|
||||
if PASTES_FOLDERS in paste:
|
||||
paste = paste.replace(PASTES_FOLDERS, '', 1)
|
||||
|
||||
p.populate_set_out(paste)
|
||||
processed_paste+=1
|
||||
|
|
Loading…
Reference in New Issue