- Add r.URL.Path protection

Signed-off-by: Valery Piashchynski <[email protected]>

3 files changed, 191 insertions, 0 deletions

diff --git a/plugins/http/plugin.go b/plugins/http/plugin.go
index 58336c17..2b1dec89 100644
--- a/plugins/http/plugin.go
+++ b/plugins/http/plugin.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"strings"
 	"sync"
 
 	"github.com/hashicorp/go-multierror"
@@ -186,6 +187,13 @@ func (s *Plugin) serve(errCh chan error) { //nolint:gocognit
 
 			// calculate etag for the resource
 			if s.cfg.Static.CalculateEtag {
+				// do not allow paths like ../../resource
+				// only specified folder and resources in it
+				// https://lgtm.com/rules/1510366186013/
+				if strings.Contains(r.URL.Path, "..") {
+					w.WriteHeader(http.StatusForbidden)
+					return
+				}
 				f, errS := os.Open(filepath.Join(s.cfg.Static.Dir, r.URL.Path))
 				if errS != nil {
 					s.log.Warn("error opening file to calculate the Etag", "provided path", r.URL.Path)
diff --git a/tests/plugins/http/configs/.rr-http-static-security.yaml b/tests/plugins/http/configs/.rr-http-static-security.yaml
new file mode 100644
index 00000000..bbec13f9
--- /dev/null
+++ b/tests/plugins/http/configs/.rr-http-static-security.yaml
@@ -0,0 +1,35 @@
+server:
+  command: "php ../../http/client.php pid pipes"
+  user: ""
+  group: ""
+  env:
+    "RR_HTTP": "true"
+  relay: "pipes"
+  relay_timeout: "20s"
+
+http:
+  address: 127.0.0.1:21603
+  max_request_size: 1024
+  middleware: [ "gzip" ]
+  trusted_subnets: [ "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10" ]
+  uploads:
+    forbid: [ ".php", ".exe", ".bat" ]
+  static:
+    dir: "../../../"
+    pattern: "/tests/"
+    forbid: [ "" ]
+    allow: [ ".txt", ".php" ]
+    calculate_etag: true
+    weak: false
+    request:
+      "input": "custom-header"
+    response:
+      "output": "output-header"
+  pool:
+    num_workers: 2
+    max_jobs: 0
+    allocate_timeout: 60s
+    destroy_timeout: 60s
+logs:
+  mode: development
+  level: error
diff --git a/tests/plugins/http/http_plugin_test.go b/tests/plugins/http/http_plugin_test.go
index f48194c9..8f76e3ba 100644
--- a/tests/plugins/http/http_plugin_test.go
+++ b/tests/plugins/http/http_plugin_test.go
@@ -1660,6 +1660,154 @@ func serveStaticSampleEtag(t *testing.T) {
 	_ = resp.Body.Close()
 }
 
+func TestStaticPluginSecurity(t *testing.T) {
+	cont, err := endure.NewContainer(nil, endure.SetLogLevel(endure.ErrorLevel))
+	assert.NoError(t, err)
+
+	cfg := &config.Viper{
+		Path:   "configs/.rr-http-static-security.yaml",
+		Prefix: "rr",
+	}
+
+	err = cont.RegisterAll(
+		cfg,
+		&logger.ZapLogger{},
+		&server.Plugin{},
+		&httpPlugin.Plugin{},
+		&gzip.Plugin{},
+	)
+	assert.NoError(t, err)
+
+	err = cont.Init()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ch, err := cont.Serve()
+	assert.NoError(t, err)
+
+	sig := make(chan os.Signal, 1)
+	signal.Notify(sig, os.Interrupt, syscall.SIGINT, syscall.SIGTERM)
+
+	wg := &sync.WaitGroup{}
+	wg.Add(1)
+
+	stopCh := make(chan struct{}, 1)
+
+	go func() {
+		defer wg.Done()
+		for {
+			select {
+			case e := <-ch:
+				assert.Fail(t, "error", e.Error.Error())
+				err = cont.Stop()
+				if err != nil {
+					assert.FailNow(t, "error", err.Error())
+				}
+			case <-sig:
+				err = cont.Stop()
+				if err != nil {
+					assert.FailNow(t, "error", err.Error())
+				}
+				return
+			case <-stopCh:
+				// timeout
+				err = cont.Stop()
+				if err != nil {
+					assert.FailNow(t, "error", err.Error())
+				}
+				return
+			}
+		}
+	}()
+
+	time.Sleep(time.Second)
+	t.Run("ServeSampleNotAllowedPath", serveStaticSampleNotAllowedPath)
+
+	stopCh <- struct{}{}
+	wg.Wait()
+}
+
+func serveStaticSampleNotAllowedPath(t *testing.T) {
+	// Should be 304 response with same etag
+	c := http.Client{
+		Timeout: time.Second * 5,
+	}
+
+	parsedURL := &url.URL{
+		Scheme: "http",
+		User:   nil,
+		Host:   "localhost:21603",
+		Path:   "%2e%2e%/tests/",
+	}
+
+	req := &http.Request{
+		Method: http.MethodGet,
+		URL:    parsedURL,
+	}
+
+	resp, err := c.Do(req)
+	assert.Nil(t, err)
+	assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+	_ = resp.Body.Close()
+
+	parsedURL = &url.URL{
+		Scheme: "http",
+		User:   nil,
+		Host:   "localhost:21603",
+		Path:   "%2e%2e%5ctests/",
+	}
+
+	req = &http.Request{
+		Method: http.MethodGet,
+		URL:    parsedURL,
+	}
+
+	resp, err = c.Do(req)
+	assert.Nil(t, err)
+	assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+	_ = resp.Body.Close()
+
+	parsedURL = &url.URL{
+		Scheme: "http",
+		User:   nil,
+		Host:   "localhost:21603",
+		Path:   "..%2ftests/",
+	}
+
+	req = &http.Request{
+		Method: http.MethodGet,
+		URL:    parsedURL,
+	}
+
+	resp, err = c.Do(req)
+	assert.Nil(t, err)
+	assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+	_ = resp.Body.Close()
+
+	parsedURL = &url.URL{
+		Scheme: "http",
+		User:   nil,
+		Host:   "localhost:21603",
+		Path:   "%2e%2e%2ftests/",
+	}
+
+	req = &http.Request{
+		Method: http.MethodGet,
+		URL:    parsedURL,
+	}
+
+	resp, err = c.Do(req)
+	assert.Nil(t, err)
+	assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+	_ = resp.Body.Close()
+
+	_, r, err := get("http://localhost:21603/../../../../tests/../static/sample.txt")
+	assert.NoError(t, err)
+	assert.Equal(t, r.StatusCode, 200)
+	_ = r.Body.Close()
+}
+
 func TestStaticPlugin(t *testing.T) {
 	cont, err := endure.NewContainer(nil, endure.SetLogLevel(endure.ErrorLevel))
 	assert.NoError(t, err)