fix: [security] Sanitise paths for several file interactions

- remove :// anywhere we don't expect a protocol to be supplied
- remove phar:// in certauth plugin's fetcher

- as reported by Dawid Czarnecki of Zigrin Security
iglocska 2022-04-17 18:25:51 +02:00
parent 0108f1bde2
commit 93821c0de6
GPG Key ID: BEA224F1FEF113AC
3 changed files with 256 additions and 252 deletions


@ -2588,6 +2588,7 @@ class AppModel extends Model
App::uses('KafkaPubTool', 'Tools');
$kafkaPubTool = new KafkaPubTool();
$rdkafkaIni = Configure::read('Plugin.Kafka_rdkafka_config');
$rdkafkaIni = mb_ereg_replace("/\:\/\//", '', $rdkafkaIni);
$kafkaConf = array();
if (!empty($rdkafkaIni)) {
$kafkaConf = parse_ini_file($rdkafkaIni);
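Review bot: The added `mb_ereg_replace("/\:\/\//", '', $rdkafkaIni)` does not strip `://`, because mb_ereg_replace takes a bare Oniguruma pattern with no delimiters, so the leading and trailing `/` are literal and the pattern only matches the five-character sequence `/:///`; a value such as `phar://...` or `file://...` reaches `parse_ini_file()` unchanged. The intended behaviour needs no regex at all: `$rdkafkaIni = str_replace('://', '', $rdkafkaIni);`. Since the value comes from `Configure::read()` it is presumably administrator-controlled rather than end-user input, but the check as written is a no-op either way. The enclosing method starts before this hunk.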


@ -126,12 +126,13 @@ class Feed extends AppModel
public function urlOrExistingFilepath($fields)
{
if ($this->isFeedLocal($this->data)) {
$path = mb_ereg_replace("/\:\/\//", '', $this->data['Feed']['url']);
if ($this->data['Feed']['source_format'] == 'misp') {
if (!is_dir($this->data['Feed']['url'])) {
if (!is_dir($path)) {
return 'For MISP type local feeds, please specify the containing directory.';
}
} else {
if (!file_exists($this->data['Feed']['url'])) {
if (!file_exists($path)) {
return 'Invalid path or file not found. Make sure that the path points to an existing file that is readable and watch out for typos.';
}
}
@ -1929,6 +1930,7 @@ class Feed extends AppModel
private function feedGetUri($feed, $uri, HttpSocket $HttpSocket = null)
{
if ($this->isFeedLocal($feed)) {
$uri = mb_ereg_replace("/\:\/\//", '', $uri);
if (file_exists($uri)) {
return FileAccessTool::readFromFile($uri);
} else {
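Review bot: In feedGetUri the new `mb_ereg_replace("/\:\/\//", '', $uri)` leaves stream-wrapper prefixes intact, because mb_ereg_replace uses undelimited Oniguruma patterns and treats the surrounding `/` characters literally, so the expression only matches `/:///` and a `phar://` or `file://` URI still flows into `file_exists()` and `FileAccessTool::readFromFile()`; the same pattern in urlOrExistingFilepath is affected identically. Replace it with `$uri = str_replace('://', '', $uri);` (and the same in the validator), which is what the commit message describes. Stripping `://` is a blocklist and still leaves the local path unconstrained; if feeds are meant to live under a fixed directory, resolving with `realpath()` and checking the prefix against that base would be the stronger check, though that is beyond what this commit attempts. feedGetUri continues past the end of this hunk.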


@ -259,6 +259,7 @@ class CertificateAuthenticate extends BaseAuthenticate
}
}
$ctx = stream_context_create($req);
$url = mb_ereg_replace("/phar\:\/\//i", '', $url);
$a = file_get_contents($url, false, $ctx);
if (!$a) return null;