mirror of
https://github.com/filebrowser/filebrowser.git
synced 2026-07-17 16:36:49 +00:00
fix: incomplete fix for symlinked directories let scopes users and public-share recipients read and write files outside of scope
This commit is contained in:
parent
69c76d11cc
commit
3471ec2c4b
7 changed files with 368 additions and 11 deletions
166
http/public_symlink_test.go
Normal file
166
http/public_symlink_test.go
Normal file
|
|
@ -0,0 +1,166 @@
|
|||
package fbhttp
|
||||
|
||||
import (
|
||||
"archive/zip"
|
||||
"bytes"
|
||||
"io"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/asdine/storm/v3"
|
||||
"github.com/spf13/afero"
|
||||
|
||||
"github.com/filebrowser/filebrowser/v2/settings"
|
||||
"github.com/filebrowser/filebrowser/v2/share"
|
||||
"github.com/filebrowser/filebrowser/v2/storage"
|
||||
"github.com/filebrowser/filebrowser/v2/storage/bolt"
|
||||
"github.com/filebrowser/filebrowser/v2/users"
|
||||
)
|
||||
|
||||
// symlinkShareStorage builds a storage whose single user is rooted at a real
|
||||
// on-disk scope containing a public share "/shared" with a symlinked
|
||||
// descendant "link -> ../private". Skips the test if symlinks are unavailable.
|
||||
func symlinkShareStorage(t *testing.T) *storage.Storage {
|
||||
t.Helper()
|
||||
scope := t.TempDir()
|
||||
if err := os.MkdirAll(filepath.Join(scope, "shared"), 0o755); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if err := os.MkdirAll(filepath.Join(scope, "private"), 0o755); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if err := os.WriteFile(filepath.Join(scope, "private", "secret.txt"), []byte("symlink-secret"), 0o600); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if err := os.Symlink(filepath.Join(scope, "private"), filepath.Join(scope, "shared", "link")); err != nil {
|
||||
t.Skipf("cannot create symlink on this platform: %v", err)
|
||||
}
|
||||
|
||||
db, err := storm.Open(filepath.Join(t.TempDir(), "db"))
|
||||
if err != nil {
|
||||
t.Fatalf("failed to open db: %v", err)
|
||||
}
|
||||
t.Cleanup(func() { _ = db.Close() })
|
||||
|
||||
st, err := bolt.NewStorage(db)
|
||||
if err != nil {
|
||||
t.Fatalf("failed to get storage: %v", err)
|
||||
}
|
||||
if err := st.Share.Save(&share.Link{Hash: "h", UserID: 1, Path: "/shared"}); err != nil {
|
||||
t.Fatalf("failed to save share: %v", err)
|
||||
}
|
||||
if err := st.Users.Save(&users.User{
|
||||
Username: "username",
|
||||
Password: "pw",
|
||||
Perm: users.Permissions{Share: true, Download: true},
|
||||
}); err != nil {
|
||||
t.Fatalf("failed to save user: %v", err)
|
||||
}
|
||||
if err := st.Settings.Save(&settings.Settings{Key: []byte("key")}); err != nil {
|
||||
t.Fatalf("failed to save settings: %v", err)
|
||||
}
|
||||
st.Users = &customFSUser{
|
||||
Store: st.Users,
|
||||
fs: afero.NewBasePathFs(afero.NewOsFs(), scope),
|
||||
}
|
||||
return st
|
||||
}
|
||||
|
||||
// Reproduces GHSA-hf77-9m7w-fq8q: a public directory share whose subtree
|
||||
// contains a symlink to a directory outside the share. Requesting a regular
|
||||
// file behind that linked ancestor must NOT disclose its contents.
|
||||
func TestPublicShareSymlinkDescendantDisclosure(t *testing.T) {
|
||||
cases := map[string]struct {
|
||||
handler handleFunc
|
||||
path string
|
||||
}{
|
||||
"direct file download via dl handler": {handler: publicDlHandler, path: "h/link/secret.txt"},
|
||||
"share info via share handler": {handler: publicShareHandler, path: "h/link/secret.txt"},
|
||||
"listing of linked dir": {handler: publicShareHandler, path: "h/link/"},
|
||||
}
|
||||
|
||||
for name, tc := range cases {
|
||||
tc := tc
|
||||
t.Run(name, func(t *testing.T) {
|
||||
st := symlinkShareStorage(t)
|
||||
|
||||
req := newHTTPRequest(t, func(r *http.Request) { r.URL.Path = tc.path })
|
||||
recorder := httptest.NewRecorder()
|
||||
handler := handle(tc.handler, "", st, &settings.Server{})
|
||||
handler.ServeHTTP(recorder, req)
|
||||
|
||||
result := recorder.Result()
|
||||
defer result.Body.Close()
|
||||
body, _ := io.ReadAll(result.Body)
|
||||
|
||||
t.Logf("status=%d body=%q", result.StatusCode, string(body))
|
||||
if result.StatusCode == http.StatusOK {
|
||||
t.Errorf("VULNERABLE: leaked path outside share (status 200, body=%q)", string(body))
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// The listing of the public share root must omit the escaping symlink "link"
|
||||
// entirely (no target metadata leak).
|
||||
func TestPublicShareSymlinkListingOmitsEscapingLink(t *testing.T) {
|
||||
st := symlinkShareStorage(t)
|
||||
|
||||
req := newHTTPRequest(t, func(r *http.Request) { r.URL.Path = "h/" })
|
||||
recorder := httptest.NewRecorder()
|
||||
handler := handle(publicShareHandler, "", st, &settings.Server{})
|
||||
handler.ServeHTTP(recorder, req)
|
||||
|
||||
result := recorder.Result()
|
||||
defer result.Body.Close()
|
||||
body, _ := io.ReadAll(result.Body)
|
||||
if result.StatusCode != http.StatusOK {
|
||||
t.Fatalf("share root listing failed: status=%d body=%q", result.StatusCode, string(body))
|
||||
}
|
||||
if strings.Contains(string(body), "\"link\"") {
|
||||
t.Errorf("VULNERABLE: listing exposes escaping symlink: %s", string(body))
|
||||
}
|
||||
}
|
||||
|
||||
// Reproduces the archive variant of GHSA-hf77-9m7w-fq8q: downloading the whole
|
||||
// public share as a zip must not pull in files reached through a symlinked
|
||||
// descendant.
|
||||
func TestPublicShareSymlinkArchiveDisclosure(t *testing.T) {
|
||||
st := symlinkShareStorage(t)
|
||||
|
||||
// Request the whole share root as an archive.
|
||||
req := newHTTPRequest(t, func(r *http.Request) { r.URL.Path = "h/" })
|
||||
recorder := httptest.NewRecorder()
|
||||
handler := handle(publicDlHandler, "", st, &settings.Server{})
|
||||
handler.ServeHTTP(recorder, req)
|
||||
|
||||
result := recorder.Result()
|
||||
defer result.Body.Close()
|
||||
body, _ := io.ReadAll(result.Body)
|
||||
if result.StatusCode != http.StatusOK {
|
||||
t.Fatalf("archive request failed: status=%d body=%q", result.StatusCode, string(body))
|
||||
}
|
||||
|
||||
zr, err := zip.NewReader(bytes.NewReader(body), int64(len(body)))
|
||||
if err != nil {
|
||||
t.Fatalf("failed to read zip: %v", err)
|
||||
}
|
||||
for _, f := range zr.File {
|
||||
if strings.Contains(f.Name, "secret.txt") {
|
||||
t.Errorf("VULNERABLE: archive includes file behind symlinked descendant: %q", f.Name)
|
||||
}
|
||||
rc, err := f.Open()
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
content, _ := io.ReadAll(rc)
|
||||
rc.Close()
|
||||
if bytes.Contains(content, []byte("symlink-secret")) {
|
||||
t.Errorf("VULNERABLE: archive entry %q leaks out-of-scope content", f.Name)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -220,7 +220,13 @@ func TestPublicShareHandlerRules(t *testing.T) {
|
|||
t.Fatalf("failed to save settings: %v", err)
|
||||
}
|
||||
|
||||
fs := afero.NewMemMapFs()
|
||||
fs := afero.NewBasePathFs(afero.NewOsFs(), t.TempDir())
|
||||
if err := fs.MkdirAll("/projects/private", 0o755); err != nil {
|
||||
t.Fatalf("failed to create private dir: %v", err)
|
||||
}
|
||||
if err := fs.MkdirAll("/projects/public", 0o755); err != nil {
|
||||
t.Fatalf("failed to create public dir: %v", err)
|
||||
}
|
||||
if err := afero.WriteFile(fs, "/projects/private/secret.txt", []byte("top secret"), 0o600); err != nil {
|
||||
t.Fatalf("failed to write secret file: %v", err)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -115,6 +115,10 @@ func getFiles(d *data, path, commonPath string) ([]archives.FileInfo, error) {
|
|||
return nil, nil
|
||||
}
|
||||
|
||||
if ok, err := files.WithinScope(d.user.Fs, path); err != nil || !ok {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
info, err := d.user.Fs.Stat(path)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|
|
|||
|
|
@ -44,6 +44,11 @@ func tusPostHandler(cache UploadCache) handleFunc {
|
|||
if !d.user.Perm.Create || !d.Check(r.URL.Path) {
|
||||
return http.StatusForbidden, nil
|
||||
}
|
||||
|
||||
if ok, scopeErr := files.WithinScope(d.user.Fs, r.URL.Path); scopeErr != nil || !ok {
|
||||
return http.StatusForbidden, nil
|
||||
}
|
||||
|
||||
file, err := files.NewFileInfo(&files.FileOptions{
|
||||
Fs: d.user.Fs,
|
||||
Path: r.URL.Path,
|
||||
|
|
@ -161,6 +166,11 @@ func tusPatchHandler(cache UploadCache) handleFunc {
|
|||
if r.Header.Get("Content-Type") != "application/offset+octet-stream" {
|
||||
return http.StatusUnsupportedMediaType, nil
|
||||
}
|
||||
// Defense in depth: refuse to write through a symlink that escapes the
|
||||
// scope, in case the target path is (or sits behind) an escaping link.
|
||||
if ok, scopeErr := files.WithinScope(d.user.Fs, r.URL.Path); scopeErr != nil || !ok {
|
||||
return http.StatusForbidden, nil
|
||||
}
|
||||
|
||||
uploadOffset, err := getUploadOffset(r)
|
||||
if err != nil {
|
||||
|
|
|
|||
118
http/tus_symlink_test.go
Normal file
118
http/tus_symlink_test.go
Normal file
|
|
@ -0,0 +1,118 @@
|
|||
package fbhttp
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/asdine/storm/v3"
|
||||
"github.com/golang-jwt/jwt/v5"
|
||||
"github.com/spf13/afero"
|
||||
|
||||
"github.com/filebrowser/filebrowser/v2/settings"
|
||||
"github.com/filebrowser/filebrowser/v2/storage/bolt"
|
||||
"github.com/filebrowser/filebrowser/v2/users"
|
||||
)
|
||||
|
||||
// Reproduces the TUS write vector of GHSA-v9g6-9pp4-3w22: a scoped user must
|
||||
// not be able to create or write files through a symlinked directory that
|
||||
// escapes their scope.
|
||||
func TestTusHandlersRejectSymlinkScopeEscape(t *testing.T) {
|
||||
root := t.TempDir()
|
||||
userScope := filepath.Join(root, "user")
|
||||
outside := filepath.Join(root, "otheruser")
|
||||
for _, d := range []string{userScope, outside} {
|
||||
if err := os.MkdirAll(d, 0o755); err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
}
|
||||
// A directory symlink inside the user's scope pointing outside it.
|
||||
if err := os.Symlink(outside, filepath.Join(userScope, "escape_link")); err != nil {
|
||||
t.Skipf("cannot create symlink: %v", err)
|
||||
}
|
||||
|
||||
key := []byte("test-signing-key")
|
||||
|
||||
db, err := storm.Open(filepath.Join(t.TempDir(), "db"))
|
||||
if err != nil {
|
||||
t.Fatalf("failed to open db: %v", err)
|
||||
}
|
||||
t.Cleanup(func() { _ = db.Close() })
|
||||
|
||||
st, err := bolt.NewStorage(db)
|
||||
if err != nil {
|
||||
t.Fatalf("failed to get storage: %v", err)
|
||||
}
|
||||
if err := st.Users.Save(&users.User{
|
||||
Username: "u",
|
||||
Password: "pw",
|
||||
Perm: users.Permissions{Create: true, Modify: true},
|
||||
}); err != nil {
|
||||
t.Fatalf("failed to save user: %v", err)
|
||||
}
|
||||
if err := st.Settings.Save(&settings.Settings{Key: key}); err != nil {
|
||||
t.Fatalf("failed to save settings: %v", err)
|
||||
}
|
||||
st.Users = &customFSUser{
|
||||
Store: st.Users,
|
||||
fs: afero.NewBasePathFs(afero.NewOsFs(), userScope),
|
||||
}
|
||||
|
||||
// Forge a valid auth token for user ID 1.
|
||||
claims := &authToken{
|
||||
User: userInfo{ID: 1, Username: "u", Perm: users.Permissions{Create: true, Modify: true}},
|
||||
RegisteredClaims: jwt.RegisteredClaims{
|
||||
IssuedAt: jwt.NewNumericDate(time.Now().Add(-time.Minute)),
|
||||
ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour)),
|
||||
},
|
||||
}
|
||||
signed, err := jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString(key)
|
||||
if err != nil {
|
||||
t.Fatalf("failed to sign token: %v", err)
|
||||
}
|
||||
|
||||
cases := map[string]struct {
|
||||
method string
|
||||
handler handleFunc
|
||||
headers map[string]string
|
||||
}{
|
||||
"POST create through symlinked dir": {
|
||||
method: http.MethodPost,
|
||||
handler: tusPostHandler(newMemoryUploadCache()),
|
||||
headers: map[string]string{"Upload-Length": "20"},
|
||||
},
|
||||
"PATCH write through symlinked dir": {
|
||||
method: http.MethodPatch,
|
||||
handler: tusPatchHandler(newMemoryUploadCache()),
|
||||
headers: map[string]string{"Content-Type": "application/offset+octet-stream", "Upload-Offset": "0"},
|
||||
},
|
||||
}
|
||||
|
||||
for name, tc := range cases {
|
||||
tc := tc
|
||||
t.Run(name, func(t *testing.T) {
|
||||
req, err := http.NewRequest(tc.method, "escape_link/injected.txt", http.NoBody)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
req.Header.Set("X-Auth", signed)
|
||||
for k, v := range tc.headers {
|
||||
req.Header.Set(k, v)
|
||||
}
|
||||
|
||||
recorder := httptest.NewRecorder()
|
||||
handler := handle(tc.handler, "", st, &settings.Server{})
|
||||
handler.ServeHTTP(recorder, req)
|
||||
|
||||
if recorder.Code != http.StatusForbidden {
|
||||
t.Errorf("expected 403, got %d", recorder.Code)
|
||||
}
|
||||
if _, statErr := os.Stat(filepath.Join(outside, "injected.txt")); statErr == nil {
|
||||
t.Errorf("VULNERABLE: file was created outside the user's scope")
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue