dradis-projects 4.1.1 → 4.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b8f7035cd71c220abd7de8ba0ac994663cd2181a98e29c9f320de14e9a4122c4
-  data.tar.gz: 15ae46a145265e5c54880c0e47747efb0246b25bf7c36c1bc2717523f77729d2
+  metadata.gz: 2c39ba4b5ddb30f2479c7338e57ae63bebeaf1d6e8c6ff43ab7b2aa2bbff8adf
+  data.tar.gz: 641e756e4f05fb16909d6c27af88cc59cf098ca5772abe936f528268850cde56
 SHA512:
-  metadata.gz: 94cf726365809dfe78d7ad235a1ce5a0b18a0e8c4d4b35b6d4707cab777f758918b659671eed99c86cb3d26208966febcbc06ca7f57a95108e8c19caa5e73f7d
-  data.tar.gz: 5ba40bacbcd2335f580f11faf25cb8a6812b3658061d7edaf5ed812e66f99960d9fef4374a20fb6fd7e7961cb39b350c2ded3c34e04669c4b51867b6016fe9cc
+  metadata.gz: d72658eeb7da4cec64c115606049dbab50226ea2bd8ceef3f35a1d9e8d3381b828053b0be993d8207b96952e026d5b28f684d683e14f8f720d8e08d58b28016d
+  data.tar.gz: 9c5435993d5ca16a61edfa0093897a7702b9618ebe298e8cf3928046b1a7b750d416dc536454a496d133e674a065167d170496591a6dc2482f69bc8ca3257326

data/CHANGELOG.md

@@ -1,3 +1,15 @@
+v4.3.0 (April 2022)
+  - No changes
+
+v4.2.0 (February 2022)
+  - Bugs fixes:
+    - Fix missing nodes for attachments during template and package imports
+    - Fix missing parent nodes during template and package imports
+
+v4.1.2.1 (December 2021)
+  - Security Fixes:
+    - High: Authenticated author path traversal
+
 v4.1.1 (November 2021)
   - Loosen dradis-plugins version requirement
 

data/dradis-projects.gemspec

@@ -20,7 +20,7 @@ Gem::Specification.new do |spec|
   spec.executables = spec.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
   spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
 
-  spec.add_development_dependency 'bundler', '~> 1.6'
+  spec.add_development_dependency 'bundler', '~> 2.2'
   spec.add_development_dependency 'combustion'
   spec.add_development_dependency 'rake', '~> 10.0'
   spec.add_development_dependency 'rspec'

data/lib/dradis/plugins/projects/gem_version.rb

@@ -8,8 +8,8 @@ module Dradis
 
       module VERSION
         MAJOR = 4
-        MINOR = 1
-        TINY = 1
+        MINOR = 3
+        TINY = 0
         PRE = nil
 
         STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

data/lib/dradis/plugins/projects/upload/package.rb

@@ -47,13 +47,18 @@ module Dradis::Plugins::Projects::Upload
 
 
           logger.info { 'Moving attachments to their final destinations...' }
-          lookup_table[:nodes].each do |oldid,newid|
-            if File.directory? Rails.root.join('tmp', 'zip', oldid)
-              FileUtils.mkdir_p Attachment.pwd.join(newid.to_s)
+          lookup_table[:nodes].each do |oldid, newid|
+            tmp_dir = Rails.root.join('tmp', 'zip')
+            old_attachments_dir = File.expand_path(tmp_dir.join(oldid.to_s))
 
-              Dir.glob(Rails.root.join('tmp', 'zip', oldid, '*')).each do |attachment|
-                FileUtils.mv(attachment, Attachment.pwd.join(newid.to_s))
-              end
+            # Ensure once the path is expanded it's still within the expected
+            # tmp directory to prevent unauthorized access to other dirs
+            next unless old_attachments_dir.starts_with?(tmp_dir.to_s) && File.directory?(old_attachments_dir)
+
+            FileUtils.mkdir_p Attachment.pwd.join(newid.to_s)
+
+            Dir.glob(Pathname.new(old_attachments_dir).join('*')).each do |attachment|
+              FileUtils.mv(attachment, Attachment.pwd.join(newid.to_s))
             end
           end
           logger.info { 'Done.' }

data/lib/dradis/plugins/projects/upload/v1/template.rb

@@ -104,9 +104,7 @@ module Dradis::Plugins::Projects::Upload::V1
 
           logger.info { "Adjusting screenshot URLs: #{item.class.name} ##{item.id}" }
 
-          new_text = item.send(text_attr).gsub(ATTACHMENT_URL) do |_|
-            "!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2], $3]
-          end
+          new_text = update_attachment_references(item.send(text_attr))
           item.send(text_attr.to_s + "=", new_text)
 
           raise "Couldn't save note attachment URL for #{item.class.name} ##{item.id}" unless validate_and_save(item)
@@ -118,12 +116,9 @@ module Dradis::Plugins::Projects::Upload::V1
       def finalize_evidence
         pending_changes[:evidence].each_with_index do |evidence, i|
           logger.info { "Setting issue_id for evidence" }
-          evidence.issue_id = lookup_table[:issues][evidence.issue_id.to_s]
+          evidence.issue_id = lookup_table[:issues][evidence.issue_id]
 
-          new_content = evidence.content.gsub(ATTACHMENT_URL) do |_|
-            "!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2], $3]
-          end
-          evidence.content = new_content
+          evidence.content = update_attachment_references(evidence.content)
 
           raise "Couldn't save Evidence :issue_id / attachment URL Evidence ##{evidence.id}" unless validate_and_save(evidence)
 
@@ -141,7 +136,7 @@ module Dradis::Plugins::Projects::Upload::V1
       def finalize_nodes
         pending_changes[:orphan_nodes].each do |node|
           logger.info { "Finding parent for orphaned node: #{node.label}. Former parent was #{node.parent_id}" }
-          node.parent_id = lookup_table[:nodes][node.parent_id.to_s]
+          node.parent_id = lookup_table[:nodes][node.parent_id]
           raise "Couldn't save node parent for Node ##{node.id}" unless validate_and_save(node)
         end
       end
@@ -153,7 +148,7 @@ module Dradis::Plugins::Projects::Upload::V1
         logger.info { 'Processing Categories...' }
 
         template.xpath('dradis-template/categories/category').each do |xml_category|
-          old_id   = xml_category.at_xpath('id').text.strip
+          old_id   = Integer(xml_category.at_xpath('id').text.strip)
           name     = xml_category.at_xpath('name').text.strip
           category = nil
 
@@ -183,7 +178,7 @@ module Dradis::Plugins::Projects::Upload::V1
             pending_changes[:attachment_notes] << issue
           end
 
-          old_id = xml_issue.at_xpath('id').text.strip
+          old_id = Integer(xml_issue.at_xpath('id').text.strip)
           lookup_table[:issues][old_id] = issue.id
           logger.info{ "New issue detected: #{issue.title}" }
         end
@@ -289,7 +284,12 @@ module Dradis::Plugins::Projects::Upload::V1
           node = parse_node(xml_node)
 
           # keep track of reassigned ids
-          lookup_table[:nodes][xml_node.at_xpath('id').text.strip] = node.id
+          # Convert the id to an integer as it has no place being a string, or
+          # directory path. We later use this ID to build a directory structure
+          # to place attachments and without validation opens the potential for
+          # path traversal.
+          node_original_id = Integer(xml_node.at_xpath('id').text.strip)
+          lookup_table[:nodes][node_original_id] = node.id
         end
 
         logger.info { 'Done.' }
@@ -326,7 +326,7 @@ module Dradis::Plugins::Projects::Upload::V1
         xml_node.xpath('notes/note').each do |xml_note|
 
           if xml_note.at_xpath('author') != nil
-            old_id = xml_note.at_xpath('category-id').text.strip
+            old_id = Integer(xml_note.at_xpath('category-id').text.strip)
             new_id = lookup_table[:categories][old_id]
 
             created_at = xml_note.at_xpath('created-at')
@@ -370,7 +370,7 @@ module Dradis::Plugins::Projects::Upload::V1
           logger.info { "New tag detected: #{name}" }
 
           xml_tag.xpath('./taggings/tagging').each do |xml_tagging|
-            old_taggable_id = xml_tagging.at_xpath('taggable-id').text()
+            old_taggable_id = Integer(xml_tagging.at_xpath('taggable-id').text())
             taggable_type   = xml_tagging.at_xpath('taggable-type').text()
 
             new_taggable_id = case taggable_type
@@ -394,6 +394,18 @@ module Dradis::Plugins::Projects::Upload::V1
         end
       end
 
+      def update_attachment_references(string)
+        string.gsub(ATTACHMENT_URL) do |attachment|
+          node_id = lookup_table[:nodes][$2.to_i]
+          if node_id
+            "!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, node_id, $3]
+          else
+            logger.error { "The attachment wasn't included in the package: #{attachment}" }
+            attachment
+          end
+        end
+      end
+
       def user_id_for_email(email)
         users[email] || @default_user_id
       end

data/lib/dradis/plugins/projects/upload/v3/template.rb

@@ -94,7 +94,7 @@ module Dradis::Plugins::Projects::Upload::V3
         card = list.cards.create name: xml_card.at_xpath('name').text,
           description: xml_card.at_xpath('description').text,
           due_date: due_date,
-          previous_id: xml_card.at_xpath('previous_id').text
+          previous_id: xml_card.at_xpath('previous_id').text&.to_i
 
         xml_card.xpath('activities/activity').each do |xml_activity|
           raise "Couldn't create activity for Card ##{card.id}" unless create_activity(card, xml_activity)
@@ -106,7 +106,8 @@ module Dradis::Plugins::Projects::Upload::V3
 
         raise "Couldn't create comments for Card ##{card.id}" unless create_comments(card, xml_card.xpath('comments/comment'))
 
-        lookup_table[:cards][xml_card.at_xpath('id').text.to_i] = card.id
+        xml_id = Integer(xml_card.at_xpath('id').text)
+        lookup_table[:cards][xml_id] = card.id
         pending_changes[:cards] << card
       end
 
@@ -131,7 +132,7 @@ module Dradis::Plugins::Projects::Upload::V3
           xml_node_id = xml_board.at_xpath('node_id').try(:text)
           node_id =
             if xml_node_id.present?
-              lookup_table[:nodes][xml_node_id]
+              lookup_table[:nodes][xml_node_id.to_i]
             else
               project.methodology_library.id
             end
@@ -143,9 +144,10 @@ module Dradis::Plugins::Projects::Upload::V3
 
           xml_board.xpath('./list').each do |xml_list|
             list = board.lists.create name: xml_list.at_xpath('name').text,
-              previous_id: xml_list.at_xpath('previous_id').text
+              previous_id: xml_list.at_xpath('previous_id').text&.to_i
+            xml_id = Integer(xml_list.at_xpath('id').text)
 
-            lookup_table[:lists][xml_list.at_xpath('id').text.to_i] = list.id
+            lookup_table[:lists][xml_id] = list.id
             pending_changes[:lists] << list
 
             xml_list.xpath('./card').each do |xml_card|

data/spec/fixtures/files/malformed_ids.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<dradis-template version="1">
+  <nodes>
+    <node>
+      <id>../../../../../../tmp</id>
+      <label>Node 1</label>
+      <parent-id/>
+      <position>0</position>
+      <properties><![CDATA[{
+}]]></properties>
+      <type-id>1</type-id>
+    </node>
+  </nodes>
+</dradis-template>

data/spec/fixtures/files/missing_node.xml

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<dradis-template version="2">
+<nodes><node><id>5</id><label>Uploaded files</label><parent-id/><position>0</position><properties><![CDATA[{}]]></properties><type-id>0</type-id><notes></notes><evidence></evidence><activities></activities></node></nodes>
+<issues><issue><id>2</id><author>admin@securityroots.com</author><text><![CDATA[#[Title]#
+Test Issue
+
+#[Description]#
+!/pro/projects/222/nodes/12345/attachments/hello.jpg!
+
+  ]]></text><activities></activities><comments></comments></issue></issues>
+</dradis-template>

data/spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb

@@ -1,15 +1,17 @@
+# frozen_string_literal: true
+
 require 'rails_helper'
 
 describe Dradis::Plugins::Projects::Upload::V1::Template::Importer do
-
   let(:project) { create(:project) }
   let(:user) { create(:user) }
   let(:importer_class) { Dradis::Plugins::Projects::Upload::Template }
-  let(:file_path) {
-    File.join(File.dirname(__FILE__), '../../../../../../', 'fixtures', 'files', 'attachments_url.xml')
-  }
 
   context 'uploading a template with attachments url' do
+    let(:file_path) do
+      File.join(File.dirname(__FILE__), '../../../../../../', 'fixtures', 'files', 'attachments_url.xml')
+    end
+
     it 'converts the urls' do
       importer = importer_class::Importer.new(
         default_user_id: user.id,
@@ -30,4 +32,45 @@ describe Dradis::Plugins::Projects::Upload::V1::Template::Importer do
       )
     end
   end
+
+  context 'uploading a template malformed paths as ids' do
+    let(:file_path) do
+      File.join(File.dirname(__FILE__), '../../../../../../', 'fixtures', 'files', 'malformed_ids.xml')
+    end
+
+    it 'returns false' do
+      importer = importer_class::Importer.new(
+        default_user_id: user.id,
+        plugin: importer_class,
+        project_id: project.id
+      )
+
+      expect(importer.import(file: file_path)).to be false
+    end
+  end
+
+  context 'uploading a template with attachment but missing node' do
+    let(:file_path) do
+      File.join(File.dirname(__FILE__), '../../../../../../', 'fixtures', 'files', 'missing_node.xml')
+    end
+
+    it 'does not modify the attachment' do
+      logger = double('logger')
+      allow(logger).to receive_messages(debug: nil, error: nil, fatal: nil, info: nil)
+      expect(logger).to receive(:error).once
+
+      importer = importer_class::Importer.new(
+        default_user_id: user.id,
+        logger: logger,
+        plugin: importer_class,
+        project_id: project.id
+      )
+
+      importer.import(file: file_path)
+
+      expect(project.issues.first.text).to include(
+        "!/pro/projects/222/nodes/12345/attachments/hello.jpg!"
+      )
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-projects
 version: !ruby/object:Gem::Version
-  version: 4.1.1
+  version: 4.3.0
 platform: ruby
 authors:
 - Daniel Martin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-11-18 00:00:00.000000000 Z
+date: 2022-04-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '2.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '2.2'
 - !ruby/object:Gem::Dependency
   name: combustion
   requirement: !ruby/object:Gem::Requirement
@@ -134,6 +134,8 @@ files:
 - lib/dradis/plugins/projects/version.rb
 - lib/tasks/thorfile.rb
 - spec/fixtures/files/attachments_url.xml
+- spec/fixtures/files/malformed_ids.xml
+- spec/fixtures/files/missing_node.xml
 - spec/fixtures/files/with_comments.xml
 - spec/lib/dradis/plugins/projects/export/v2/template_spec.rb
 - spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb
@@ -157,12 +159,14 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.28
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: Project export/upload for the Dradis Framework.
 test_files:
 - spec/fixtures/files/attachments_url.xml
+- spec/fixtures/files/malformed_ids.xml
+- spec/fixtures/files/missing_node.xml
 - spec/fixtures/files/with_comments.xml
 - spec/lib/dradis/plugins/projects/export/v2/template_spec.rb
 - spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb