mirror
/
changedetection.io
kopia lustrzana https://github.com/dgtlmoon/changedetection.io
1
0
Forkuj 0
Kod Zgłoszenia Packages Projekty Wydania Wiki Aktywność

CVE-2024-51998 - file:/ path traversal access should not be allowed to access a file without ALLOW_FILE_URI set

minor-queue-fix
dgtlmoon 2024-11-07 18:44:08 +01:00
rodzic e0abf0b505
commit 49bc982c69
2 zmienionych plików z 30 dodań i 3 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

4
changedetectionio/processors/__init__.py
Wyświetl plik

@ -33,8 +33,8 @@ class difference_detection_processor():
url = self.watch.link url = self.watch.link
# Protect against file:// access, check the real "link" without any meta "source:" etc prepended. # Protect against file://, file:/ access, check the real "link" without any meta "source:" etc prepended.
if re.search(r'^file://', url, re.IGNORECASE): if re.search(r'^file:/', url.strip(), re.IGNORECASE):
if not strtobool(os.getenv('ALLOW_FILE_URI', 'false')): if not strtobool(os.getenv('ALLOW_FILE_URI', 'false')):
raise Exception( raise Exception(
"file:// type access is denied for security reasons." "file:// type access is denied for security reasons."

29
changedetectionio/tests/test_security.py
Wyświetl plik

@ -61,7 +61,7 @@ def test_bad_access(client, live_server, measure_memory_usage):
assert b'Watch protocol is not permitted by SAFE_PROTOCOL_REGEX' in res.data assert b'Watch protocol is not permitted by SAFE_PROTOCOL_REGEX' in res.data
def test_file_access(client, live_server, measure_memory_usage): def test_file_slashslash_access(client, live_server, measure_memory_usage):
#live_server_setup(live_server) #live_server_setup(live_server)
test_file_path = "/tmp/test-file.txt" test_file_path = "/tmp/test-file.txt"
@ -88,6 +88,33 @@ def test_file_access(client, live_server, measure_memory_usage):
# Default should be here # Default should be here
assert b'file:// type access is denied for security reasons.' in res.data assert b'file:// type access is denied for security reasons.' in res.data
def test_file_slash_access(client, live_server, measure_memory_usage):
#live_server_setup(live_server)
test_file_path = "/tmp/test-file.txt"
# file:// is permitted by default, but it will be caught by ALLOW_FILE_URI
client.post(
url_for("form_quick_watch_add"),
data={"url": f"file:/{test_file_path}", "tags": ''},
follow_redirects=True
)
wait_for_all_checks(client)
res = client.get(url_for("index"))
# If it is enabled at test time
if strtobool(os.getenv('ALLOW_FILE_URI', 'false')):
res = client.get(
url_for("preview_page", uuid="first"),
follow_redirects=True
)
# Should see something (this file added by run_basic_tests.sh)
assert b"Hello world" in res.data
else:
# Default should be here
assert b'file:// type access is denied for security reasons.' in res.data
def test_xss(client, live_server, measure_memory_usage): def test_xss(client, live_server, measure_memory_usage):
#live_server_setup(live_server) #live_server_setup(live_server)
from changedetectionio.notification import ( from changedetectionio.notification import (