dradis-projects 4.1.1 → 4.1.2.1

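--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: b8f7035cd71c220abd7de8ba0ac994663cd2181a98e29c9f320de14e9a4122c4
-data.tar.gz: 15ae46a145265e5c54880c0e47747efb0246b25bf7c36c1bc2717523f77729d2
+metadata.gz: 68ddaed8e020a33f06c7dd722bbb0502f7598a76eaf61a0f2c4a05716ebbf2be
+data.tar.gz: 66d06ddd0941b6eaa9ab7b1839af76620b2e764cf25ce0cc90778a91ecfe003b
 SHA512:
-metadata.gz: 94cf726365809dfe78d7ad235a1ce5a0b18a0e8c4d4b35b6d4707cab777f758918b659671eed99c86cb3d26208966febcbc06ca7f57a95108e8c19caa5e73f7d
-data.tar.gz: 5ba40bacbcd2335f580f11faf25cb8a6812b3658061d7edaf5ed812e66f99960d9fef4374a20fb6fd7e7961cb39b350c2ded3c34e04669c4b51867b6016fe9cc
+metadata.gz: 7d3b899c0aa7a605c47fdc85d52baea5b966a94392f123a835495a14ae05ba8a6637e37a2dd74cfa76458b19f12a1013979afed7a191e1ea95c6ff5e1015ccb7
+data.tar.gz: 8d84010325dfadaa0d51ef0ae3e45e27d049bcd7ed0a0754d1c3c605b7598c2bbc78e3dc7306b600a09e5ad77a4c208c170aa27fcd4c9d2c44c00093afff5cb6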
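--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+v4.1.2.1 (December 2021)
+- Security Fixes:
+- High: Authenticated author path traversal
+
 v4.1.1 (November 2021)
 - Loosen dradis-plugins version requirement
 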
@@ -20,7 +20,7 @@ Gem::Specification.new do |spec|
20
20
  spec.executables = spec.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
21
21
  spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
22
22
 
23
- spec.add_development_dependency 'bundler', '~> 1.6'
23
+ spec.add_development_dependency 'bundler', '~> 2.2'
24
24
  spec.add_development_dependency 'combustion'
25
25
  spec.add_development_dependency 'rake', '~> 10.0'
26
26
  spec.add_development_dependency 'rspec'
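--- a/lib/dradis/plugins/projects/version.rb
+++ b/lib/dradis/plugins/projects/version.rb
@@ -9,8 +9,8 @@ module Dradis
 module VERSION
 MAJOR = 4
 MINOR = 1
-TINY = 1
-PRE = nil
+TINY = 2
+PRE = 1
 
 STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
 end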
@@ -47,13 +47,18 @@ module Dradis::Plugins::Projects::Upload
47
47
 
48
48
 
49
49
  logger.info { 'Moving attachments to their final destinations...' }
50
- lookup_table[:nodes].each do |oldid,newid|
51
- if File.directory? Rails.root.join('tmp', 'zip', oldid)
52
- FileUtils.mkdir_p Attachment.pwd.join(newid.to_s)
50
+ lookup_table[:nodes].each do |oldid, newid|
51
+ tmp_dir = Rails.root.join('tmp', 'zip')
52
+ old_attachments_dir = File.expand_path(tmp_dir.join(oldid.to_s))
53
53
 
54
- Dir.glob(Rails.root.join('tmp', 'zip', oldid, '*')).each do |attachment|
55
- FileUtils.mv(attachment, Attachment.pwd.join(newid.to_s))
56
- end
54
+ # Ensure once the path is expanded it's still within the expected
55
+ # tmp directory to prevent unauthorized access to other dirs
56
+ next unless old_attachments_dir.starts_with?(tmp_dir.to_s) && File.directory?(old_attachments_dir)
57
+
58
+ FileUtils.mkdir_p Attachment.pwd.join(newid.to_s)
59
+
60
+ Dir.glob(Pathname.new(old_attachments_dir).join('*')).each do |attachment|
61
+ FileUtils.mv(attachment, Attachment.pwd.join(newid.to_s))
57
62
  end
58
63
  end
59
64
  logger.info { 'Done.' }
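Review bot: The containment guard on the `next unless` line compares the expanded path against `tmp_dir.to_s` with no trailing separator, so a path that merely begins with that string (a sibling directory whose name extends `zip`) satisfies it; anchoring on the directory boundary closes that gap: `next unless old_attachments_dir.start_with?(File.join(tmp_dir.to_s, '')) && File.directory?(old_attachments_dir)`. `starts_with?` is the ActiveSupport alias of core `start_with?`; the core name keeps the check independent of Rails being loaded. `File.expand_path` normalises `..` but does not resolve symlinks, so if the extracted archive can contain symlinks (the extraction step is outside this hunk) `File.realpath` is the stronger comparison. Since node ids are coerced to Integer elsewhere in this release, this guard is defence in depth; saying so in the comment tells the next reader why both controls exist. The enclosing method begins and ends outside the hunk.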
@@ -105,7 +105,7 @@ module Dradis::Plugins::Projects::Upload::V1
105
105
  logger.info { "Adjusting screenshot URLs: #{item.class.name} ##{item.id}" }
106
106
 
107
107
  new_text = item.send(text_attr).gsub(ATTACHMENT_URL) do |_|
108
- "!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2], $3]
108
+ "!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2.to_i], $3]
109
109
  end
110
110
  item.send(text_attr.to_s + "=", new_text)
111
111
 
@@ -121,7 +121,7 @@ module Dradis::Plugins::Projects::Upload::V1
121
121
  evidence.issue_id = lookup_table[:issues][evidence.issue_id.to_s]
122
122
 
123
123
  new_content = evidence.content.gsub(ATTACHMENT_URL) do |_|
124
- "!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2], $3]
124
+ "!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2.to_i], $3]
125
125
  end
126
126
  evidence.content = new_content
127
127
 
@@ -289,7 +289,12 @@ module Dradis::Plugins::Projects::Upload::V1
289
289
  node = parse_node(xml_node)
290
290
 
291
291
  # keep track of reassigned ids
292
- lookup_table[:nodes][xml_node.at_xpath('id').text.strip] = node.id
292
+ # Convert the id to an integer as it has no place being a string, or
293
+ # directory path. We later use this ID to build a directory structure
294
+ # to place attachments and without validation opens the potential for
295
+ # path traversal.
296
+ node_original_id = Integer(xml_node.at_xpath('id').text.strip)
297
+ lookup_table[:nodes][node_original_id] = node.id
293
298
  end
294
299
 
295
300
  logger.info { 'Done.' }
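Review bot: `Integer(...)` without an explicit base on the new `node_original_id` line also accepts prefixed literals such as `'0x1f'` or `'0b11'`, so the accepted id syntax is wider than the plain decimal the exporter writes; `Integer(xml_node.at_xpath('id').text.strip, 10)` limits it to decimal. A template with no `<id>` element raises NoMethodError on `.text` rather than ArgumentError, so the rescue that maps a malformed id to `import` returning false (not in this hunk, presumably in the caller) should cover that case too. The lookups that now read this table with `$2.to_i` (the two hunks above) and `xml_node_id.to_i` (the V3 hunk below) are lenient — `'12abc'.to_i` is 12 and a non-digit capture is 0 — which is only safe if `ATTACHMENT_URL` and the board `node_id` text are already digit-only; the regex is not visible from here. Worth one line in the comment above the assignment noting that `lookup_table[:nodes]` is keyed by Integer from this point on, since `lookup_table[:issues]` two hunks up is still keyed by String.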
@@ -131,7 +131,7 @@ module Dradis::Plugins::Projects::Upload::V3
131
131
  xml_node_id = xml_board.at_xpath('node_id').try(:text)
132
132
  node_id =
133
133
  if xml_node_id.present?
134
- lookup_table[:nodes][xml_node_id]
134
+ lookup_table[:nodes][xml_node_id.to_i]
135
135
  else
136
136
  project.methodology_library.id
137
137
  end
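--- a/spec/fixtures/files/malformed_ids.xml
+++ b/spec/fixtures/files/malformed_ids.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<dradis-template version="1">
+<nodes>
+<node>
+<id>../../../../../../tmp</id>
+<label>Node 1</label>
+<parent-id/>
+<position>0</position>
+<properties><![CDATA[{
+}]]></properties>
+<type-id>1</type-id>
+</node>
+</nodes>
+</dradis-template>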
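--- a/spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb
+++ b/spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb
@@ -1,15 +1,17 @@
+# frozen_string_literal: true
+
 require 'rails_helper'
 
 describe Dradis::Plugins::Projects::Upload::V1::Template::Importer do
-
 let(:project) { create(:project) }
 let(:user) { create(:user) }
 let(:importer_class) { Dradis::Plugins::Projects::Upload::Template }
-let(:file_path) {
-File.join(File.dirname(__FILE__), '../../../../../../', 'fixtures', 'files', 'attachments_url.xml')
-}
 
 context 'uploading a template with attachments url' do
+let(:file_path) do
+File.join(File.dirname(__FILE__), '../../../../../../', 'fixtures', 'files', 'attachments_url.xml')
+end
+
 it 'converts the urls' do
 importer = importer_class::Importer.new(
 default_user_id: user.id,
@@ -30,4 +32,20 @@ describe Dradis::Plugins::Projects::Upload::V1::Template::Importer do
 )
 end
 end
+
+context 'uploading a template malformed paths as ids' do
+let(:file_path) do
+File.join(File.dirname(__FILE__), '../../../../../../', 'fixtures', 'files', 'malformed_ids.xml')
+end
+
+it 'returns false' do
+importer = importer_class::Importer.new(
+default_user_id: user.id,
+plugin: importer_class,
+project_id: project.id
+)
+
+expect(importer.import(file: file_path)).to be false
+end
+end
 end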
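Review bot: The new `'returns false'` example at the bottom pins only the return value, so it would still pass if the importer had created a node or an attachment directory before failing; an expectation that no node is created (constructed, adjust the model name to the app's: `expect { importer.import(file: file_path) }.not_to change(Node, :count)`) ties the example to the traversal fix. The V3 `xml_node_id.to_i` change in this release has no example in this file or elsewhere in the diff. Minor wording: the context description reads better as `'uploading a template with malformed paths as ids'`.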
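--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-projects
 version: !ruby/object:Gem::Version
-version: 4.1.1
+version: 4.1.2.1
 platform: ruby
 authors:
 - Daniel Martin
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-11-18 00:00:00.000000000 Z
+date: 2021-12-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -16,14 +16,14 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '1.6'
+version: '2.2'
 type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version: '1.6'
+version: '2.2'
 - !ruby/object:Gem::Dependency
 name: combustion
 requirement: !ruby/object:Gem::Requirement
@@ -134,6 +134,7 @@ files:
 - lib/dradis/plugins/projects/version.rb
 - lib/tasks/thorfile.rb
 - spec/fixtures/files/attachments_url.xml
+- spec/fixtures/files/malformed_ids.xml
 - spec/fixtures/files/with_comments.xml
 - spec/lib/dradis/plugins/projects/export/v2/template_spec.rb
 - spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb
@@ -163,6 +164,7 @@ specification_version: 4
 summary: Project export/upload for the Dradis Framework.
 test_files:
 - spec/fixtures/files/attachments_url.xml
+- spec/fixtures/files/malformed_ids.xml
 - spec/fixtures/files/with_comments.xml
 - spec/lib/dradis/plugins/projects/export/v2/template_spec.rb
 - spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb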