dradis-projects 4.1.1 → 4.1.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b8f7035cd71c220abd7de8ba0ac994663cd2181a98e29c9f320de14e9a4122c4
-  data.tar.gz: 15ae46a145265e5c54880c0e47747efb0246b25bf7c36c1bc2717523f77729d2
+  metadata.gz: 68ddaed8e020a33f06c7dd722bbb0502f7598a76eaf61a0f2c4a05716ebbf2be
+  data.tar.gz: 66d06ddd0941b6eaa9ab7b1839af76620b2e764cf25ce0cc90778a91ecfe003b
 SHA512:
-  metadata.gz: 94cf726365809dfe78d7ad235a1ce5a0b18a0e8c4d4b35b6d4707cab777f758918b659671eed99c86cb3d26208966febcbc06ca7f57a95108e8c19caa5e73f7d
-  data.tar.gz: 5ba40bacbcd2335f580f11faf25cb8a6812b3658061d7edaf5ed812e66f99960d9fef4374a20fb6fd7e7961cb39b350c2ded3c34e04669c4b51867b6016fe9cc
+  metadata.gz: 7d3b899c0aa7a605c47fdc85d52baea5b966a94392f123a835495a14ae05ba8a6637e37a2dd74cfa76458b19f12a1013979afed7a191e1ea95c6ff5e1015ccb7
+  data.tar.gz: 8d84010325dfadaa0d51ef0ae3e45e27d049bcd7ed0a0754d1c3c605b7598c2bbc78e3dc7306b600a09e5ad77a4c208c170aa27fcd4c9d2c44c00093afff5cb6

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+v4.1.2.1 (December 2021)
+  - Security Fixes:
+    - High: Authenticated author path traversal
+
 v4.1.1 (November 2021)
   - Loosen dradis-plugins version requirement
 

data/dradis-projects.gemspec

@@ -20,7 +20,7 @@ Gem::Specification.new do |spec|
   spec.executables = spec.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
   spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
 
-  spec.add_development_dependency 'bundler', '~> 1.6'
+  spec.add_development_dependency 'bundler', '~> 2.2'
   spec.add_development_dependency 'combustion'
   spec.add_development_dependency 'rake', '~> 10.0'
   spec.add_development_dependency 'rspec'

data/lib/dradis/plugins/projects/gem_version.rb

@@ -9,8 +9,8 @@ module Dradis
       module VERSION
         MAJOR = 4
         MINOR = 1
-        TINY = 1
-        PRE = nil
+        TINY = 2
+        PRE = 1
 
         STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
       end

data/lib/dradis/plugins/projects/upload/package.rb

@@ -47,13 +47,18 @@ module Dradis::Plugins::Projects::Upload
 
 
           logger.info { 'Moving attachments to their final destinations...' }
-          lookup_table[:nodes].each do |oldid,newid|
-            if File.directory? Rails.root.join('tmp', 'zip', oldid)
-              FileUtils.mkdir_p Attachment.pwd.join(newid.to_s)
+          lookup_table[:nodes].each do |oldid, newid|
+            tmp_dir = Rails.root.join('tmp', 'zip')
+            old_attachments_dir = File.expand_path(tmp_dir.join(oldid.to_s))
 
-              Dir.glob(Rails.root.join('tmp', 'zip', oldid, '*')).each do |attachment|
-                FileUtils.mv(attachment, Attachment.pwd.join(newid.to_s))
-              end
+            # Ensure once the path is expanded it's still within the expected
+            # tmp directory to prevent unauthorized access to other dirs
+            next unless old_attachments_dir.starts_with?(tmp_dir.to_s) && File.directory?(old_attachments_dir)
+
+            FileUtils.mkdir_p Attachment.pwd.join(newid.to_s)
+
+            Dir.glob(Pathname.new(old_attachments_dir).join('*')).each do |attachment|
+              FileUtils.mv(attachment, Attachment.pwd.join(newid.to_s))
             end
           end
           logger.info { 'Done.' }

data/lib/dradis/plugins/projects/upload/v1/template.rb

@@ -105,7 +105,7 @@ module Dradis::Plugins::Projects::Upload::V1
           logger.info { "Adjusting screenshot URLs: #{item.class.name} ##{item.id}" }
 
           new_text = item.send(text_attr).gsub(ATTACHMENT_URL) do |_|
-            "!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2], $3]
+            "!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2.to_i], $3]
           end
           item.send(text_attr.to_s + "=", new_text)
 
@@ -121,7 +121,7 @@ module Dradis::Plugins::Projects::Upload::V1
           evidence.issue_id = lookup_table[:issues][evidence.issue_id.to_s]
 
           new_content = evidence.content.gsub(ATTACHMENT_URL) do |_|
-            "!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2], $3]
+            "!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2.to_i], $3]
           end
           evidence.content = new_content
 
@@ -289,7 +289,12 @@ module Dradis::Plugins::Projects::Upload::V1
           node = parse_node(xml_node)
 
           # keep track of reassigned ids
-          lookup_table[:nodes][xml_node.at_xpath('id').text.strip] = node.id
+          # Convert the id to an integer as it has no place being a string, or
+          # directory path. We later use this ID to build a directory structure
+          # to place attachments and without validation opens the potential for
+          # path traversal.
+          node_original_id = Integer(xml_node.at_xpath('id').text.strip)
+          lookup_table[:nodes][node_original_id] = node.id
         end
 
         logger.info { 'Done.' }

data/lib/dradis/plugins/projects/upload/v3/template.rb

@@ -131,7 +131,7 @@ module Dradis::Plugins::Projects::Upload::V3
           xml_node_id = xml_board.at_xpath('node_id').try(:text)
           node_id =
             if xml_node_id.present?
-              lookup_table[:nodes][xml_node_id]
+              lookup_table[:nodes][xml_node_id.to_i]
             else
               project.methodology_library.id
             end

data/spec/fixtures/files/malformed_ids.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<dradis-template version="1">
+  <nodes>
+    <node>
+      <id>../../../../../../tmp</id>
+      <label>Node 1</label>
+      <parent-id/>
+      <position>0</position>
+      <properties><![CDATA[{
+}]]></properties>
+      <type-id>1</type-id>
+    </node>
+  </nodes>
+</dradis-template>

data/spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb

@@ -1,15 +1,17 @@
+# frozen_string_literal: true
+
 require 'rails_helper'
 
 describe Dradis::Plugins::Projects::Upload::V1::Template::Importer do
-
   let(:project) { create(:project) }
   let(:user) { create(:user) }
   let(:importer_class) { Dradis::Plugins::Projects::Upload::Template }
-  let(:file_path) {
-    File.join(File.dirname(__FILE__), '../../../../../../', 'fixtures', 'files', 'attachments_url.xml')
-  }
 
   context 'uploading a template with attachments url' do
+    let(:file_path) do
+      File.join(File.dirname(__FILE__), '../../../../../../', 'fixtures', 'files', 'attachments_url.xml')
+    end
+
     it 'converts the urls' do
       importer = importer_class::Importer.new(
         default_user_id: user.id,
@@ -30,4 +32,20 @@ describe Dradis::Plugins::Projects::Upload::V1::Template::Importer do
       )
     end
   end
+
+  context 'uploading a template malformed paths as ids' do
+    let(:file_path) do
+      File.join(File.dirname(__FILE__), '../../../../../../', 'fixtures', 'files', 'malformed_ids.xml')
+    end
+
+    it 'returns false' do
+      importer = importer_class::Importer.new(
+        default_user_id: user.id,
+        plugin: importer_class,
+        project_id: project.id
+      )
+
+      expect(importer.import(file: file_path)).to be false
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dradis-projects
 version: !ruby/object:Gem::Version
-  version: 4.1.1
+  version: 4.1.2.1
 platform: ruby
 authors:
 - Daniel Martin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-11-18 00:00:00.000000000 Z
+date: 2021-12-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '2.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '2.2'
 - !ruby/object:Gem::Dependency
   name: combustion
   requirement: !ruby/object:Gem::Requirement
@@ -134,6 +134,7 @@ files:
 - lib/dradis/plugins/projects/version.rb
 - lib/tasks/thorfile.rb
 - spec/fixtures/files/attachments_url.xml
+- spec/fixtures/files/malformed_ids.xml
 - spec/fixtures/files/with_comments.xml
 - spec/lib/dradis/plugins/projects/export/v2/template_spec.rb
 - spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb
@@ -163,6 +164,7 @@ specification_version: 4
 summary: Project export/upload for the Dradis Framework.
 test_files:
 - spec/fixtures/files/attachments_url.xml
+- spec/fixtures/files/malformed_ids.xml
 - spec/fixtures/files/with_comments.xml
 - spec/lib/dradis/plugins/projects/export/v2/template_spec.rb
 - spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb