Infrastructure/ghost
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-02-03 23:00:14 -05:00
Code Issues Activity

🔒 Fixed path traversal issue in theme files

Browse source 
refs https://github.com/TryGhost/Team/issues/2843

- Using encoded path traversal characters in URL's path allowed to fetch
  any file within active theme's folder, which is disallowed
- credits to: fuomag9 https://kiwi.fuo.fi/@fuomag9
This commit is contained in:
Daniel Lockyer 2023-04-07 09:39:41 +02:00
parent c99016fd2f
commit 378dd913aa
No known key found for this signature in database
2 changed files with 57 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
ghost/core/core/frontend/web/middleware/static-theme.js
View file

@ -14,15 +14,45 @@ function isDeniedFile(file) {
return deniedFiles.includes(base) || deniedFileTypes.includes(ext); return deniedFiles.includes(base) || deniedFileTypes.includes(ext);
} }
/**
* Copy from:
* https://github.com/pillarjs/send/blob/b69cbb3dc4c09c37917d08a4c13fcd1bac97ade5/index.js#L987-L1003
*
* Allows V8 to only deoptimize this fn instead of all
* of send().
*
* @param {string} filePath
* @returns {string|number} returns -1 number if decode decodeURIComponent throws
*/
function decode(filePath) {
try {
return decodeURIComponent(filePath);
} catch (err) {
return -1;
}
}
/**
*
* @param {string} file path to a requested file
* @returns {boolean}
*/
function isAllowedFile(file) { function isAllowedFile(file) {
const decodedFilePath = decode(file);
if (decodedFilePath === -1) {
return false;
}
const normalizedFilePath = path.normalize(decodedFilePath);
const allowedFiles = ['manifest.json']; const allowedFiles = ['manifest.json'];
const allowedPath = '/assets/'; const allowedPath = '/assets/';
const alwaysDeny = ['.hbs']; const alwaysDeny = ['.hbs'];
const ext = path.extname(file); const ext = path.extname(normalizedFilePath);
const base = path.basename(file); const base = path.basename(normalizedFilePath);
return allowedFiles.includes(base) || (file.startsWith(allowedPath) && !alwaysDeny.includes(ext)); return allowedFiles.includes(base) || (normalizedFilePath.startsWith(allowedPath) && !alwaysDeny.includes(ext));
} }
function forwardToExpressStatic(req, res, next) { function forwardToExpressStatic(req, res, next) {

24
ghost/core/test/unit/frontend/web/middleware/static-theme.test.js
View file

@ -184,4 +184,28 @@ describe('staticTheme', function () {
done(); done();
}); });
}); });
it('should disallow path traversal', function (done) {
req.path = '/assets/built%2F..%2F..%2F/package.json';
req.method = 'GET';
staticTheme()(req, res, function next() {
activeThemeStub.called.should.be.false();
expressStaticStub.called.should.be.false();
done();
});
});
it('should not crash when malformatted URL sequence is passed', function (done) {
req.path = '/assets/built%2F..%2F..%2F%E0%A4%A/package.json';
req.method = 'GET';
staticTheme()(req, res, function next() {
activeThemeStub.called.should.be.false();
expressStaticStub.called.should.be.false();
done();
});
});
}); });