mrtoth/baseimage-tutorial-framework
1
0
Fork 0
mirror of https://github.com/avatao-content/baseimage-tutorial-framework synced 2024-07-06 10:48:45 +00:00
Code Issues Releases Wiki Activity

Improve webide whitelisting by enforcing stricter rules (fix symlink attack)

Browse Source
This commit is contained in:
Kristóf Tóth 2018-04-05 17:01:50 +02:00
parent b74ff39438
commit b73b7307bd
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/tfw/components/source_code_event_handler.py
View File

@ -41,7 +41,7 @@ class FileManager: # pylint: disable=too-many-instance-attributes
if not exists(directory) or not isdir(directory):
raise EnvironmentError('"{}" is not a directory!'.format(directory))
if self.allowed_directories:
if realpath(directory) not in self._allowed_directories:
if not self._is_whitelisted(directory):
raise EnvironmentError('Directory "{}" is not in whitelist!'.format(directory))
self._workdir = directory
@ -67,6 +67,7 @@ class FileManager: # pylint: disable=too-many-instance-attributes
def files(self):
return [self._relpath(file) for file in glob(join(self._workdir, '**/*'), recursive=True)
if isfile(file) and
self._is_whitelisted(file) and
not any(fnmatchcase(file, blacklisted) for blacklisted in self.exclude)]
@property
@ -79,6 +80,9 @@ class FileManager: # pylint: disable=too-many-instance-attributes
with open(self._filepath(self.filename), 'w', errors='surrogateescape') as ofile:
ofile.write(value)
def _is_whitelisted(self, file):
return any(realpath(file).startswith(allowed_dir) for allowed_dir in self.allowed_directories)
def _filepath(self, filename):
return join(self._workdir, filename)