
🔒 Fixed arbitrary file read via symlinks in content import

refs https://github.com/TryGhost/Product/issues/3726
refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-9c9v-w225-v5rg

- credits to https://github.com/ixSly
This commit is contained in:
Simon Backx 2023-08-15 12:59:45 +02:00 committed by Daniel Lockyer
parent 6694456685
commit 690fbf3f73
No known key found for this signature in database
GPG key ID: D21186F0B47295AD
4 changed files with 20 additions and 10 deletions


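--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -160,7 +160,7 @@
 "@tryghost/verification-trigger": "0.0.0",
 "@tryghost/version": "0.1.22",
 "@tryghost/webmentions": "0.0.0",
-"@tryghost/zip": "1.1.34",
+"@tryghost/zip": "1.1.37",
 "amperize": "0.6.1",
 "analytics-node": "6.2.0",
 "bluebird": "3.7.2",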


@ -377,6 +377,15 @@ describe('DB API', function () {
yearlyPrice.get('stripe_price_id').should.equal('price_d04baebb73'); yearlyPrice.get('stripe_price_id').should.equal('price_d04baebb73');
yearlyPrice.get('stripe_product_id').should.equal('prod_d2c1708c21'); yearlyPrice.get('stripe_product_id').should.equal('prod_d2c1708c21');
}); });
it('Can not import a ZIP-file with symlinks', async function () {
await request.post(localUtils.API.getApiQuery('db/'))
.set('Origin', config.get('url'))
.set('Accept', 'application/json')
.expect('Content-Type', /json/)
.attach('importfile', path.join(__dirname, '/../../../utils/fixtures/import/symlinks.zip'))
.expect(415);
});
}); });
// The following tests will create a new clean database for every test // The following tests will create a new clean database for every test
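Review bot: The new `it('Can not import a ZIP-file with symlinks', …)` test pins only the 415 status, and 415 (Unsupported Media Type) is also what a non-zip or otherwise unreadable upload would produce, so the test could keep passing for a reason unrelated to the symlink rejection. Add an assertion on the response body as well — the error `type` or `message` that the zip rejection actually surfaces (not visible from this hunk, so confirm against the implementation) — for example `.expect(res => res.body.errors[0].message.should.match(/symlink/i))` with the real wording substituted. A post-condition that nothing from the fixture was extracted into the content directory would also make this a stronger regression test for the advisory, since the status alone does not show that the archive was refused before extraction. The enclosing `describe` block starts outside the hunk; also, the leading slash in `'/../../../utils/fixtures/import/symlinks.zip'` is harmless with `path.join` but the conventional form is `'../../../utils/fixtures/import/symlinks.zip'`.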

Binary file not shown.


@ -7173,15 +7173,6 @@
dependencies: dependencies:
p-wait-for "3.2.0" p-wait-for "3.2.0"
"@tryghost/zip@1.1.34":
version "1.1.34"
resolved "https://registry.yarnpkg.com/@tryghost/zip/-/zip-1.1.34.tgz#c8ab1ac3bb5bc780f29c63723d3933f345f0ec65"
integrity sha512-tfv1Lcd46/W0AkbBj/ttZLCdqI1LQppvkVQ7l5+gSx2ZOHqnZmkoKwMOB0J/LxEEC1TzhqrW0Vzx+ZYtoPACzA==
dependencies:
archiver "^5.0.0"
extract-zip "^2.0.1"
fs-extra "^10.0.0"
"@tryghost/zip@1.1.35": "@tryghost/zip@1.1.35":
version "1.1.35" version "1.1.35"
resolved "https://registry.yarnpkg.com/@tryghost/zip/-/zip-1.1.35.tgz#654239d0b48f2baac5679cec2930937b825c2f84" resolved "https://registry.yarnpkg.com/@tryghost/zip/-/zip-1.1.35.tgz#654239d0b48f2baac5679cec2930937b825c2f84"
@ -7191,6 +7182,16 @@
extract-zip "^2.0.1" extract-zip "^2.0.1"
fs-extra "^10.0.0" fs-extra "^10.0.0"
"@tryghost/zip@1.1.37":
version "1.1.37"
resolved "https://registry.yarnpkg.com/@tryghost/zip/-/zip-1.1.37.tgz#55ca424a42615d0e53aa12b2b108e7f20ac36b42"
integrity sha512-L+MKGsbIgHgEeoiq6lLpirNflp8CX89xDSwBRucHR/T+QLwVgnof+aiTTuaTrrF+pOWetBDTvB/gN5t94+k6hA==
dependencies:
"@tryghost/errors" "^1.2.26"
archiver "^5.0.0"
extract-zip "^2.0.1"
fs-extra "^11.0.0"
"@trysound/sax@0.2.0": "@trysound/sax@0.2.0":
version "0.2.0" version "0.2.0"
resolved "https://registry.yarnpkg.com/@trysound/sax/-/sax-0.2.0.tgz#cccaab758af56761eb7bf37af6f03f326dd798ad" resolved "https://registry.yarnpkg.com/@trysound/sax/-/sax-0.2.0.tgz#cccaab758af56761eb7bf37af6f03f326dd798ad"