dradis-projects 4.1.1 → 4.1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
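--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: b8f7035cd71c220abd7de8ba0ac994663cd2181a98e29c9f320de14e9a4122c4
- data.tar.gz: 15ae46a145265e5c54880c0e47747efb0246b25bf7c36c1bc2717523f77729d2
+ metadata.gz: 68ddaed8e020a33f06c7dd722bbb0502f7598a76eaf61a0f2c4a05716ebbf2be
+ data.tar.gz: 66d06ddd0941b6eaa9ab7b1839af76620b2e764cf25ce0cc90778a91ecfe003b
  SHA512:
- metadata.gz: 94cf726365809dfe78d7ad235a1ce5a0b18a0e8c4d4b35b6d4707cab777f758918b659671eed99c86cb3d26208966febcbc06ca7f57a95108e8c19caa5e73f7d
- data.tar.gz: 5ba40bacbcd2335f580f11faf25cb8a6812b3658061d7edaf5ed812e66f99960d9fef4374a20fb6fd7e7961cb39b350c2ded3c34e04669c4b51867b6016fe9cc
+ metadata.gz: 7d3b899c0aa7a605c47fdc85d52baea5b966a94392f123a835495a14ae05ba8a6637e37a2dd74cfa76458b19f12a1013979afed7a191e1ea95c6ff5e1015ccb7
+ data.tar.gz: 8d84010325dfadaa0d51ef0ae3e45e27d049bcd7ed0a0754d1c3c605b7598c2bbc78e3dc7306b600a09e5ad77a4c208c170aa27fcd4c9d2c44c00093afff5cb6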
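--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,7 @@
+ v4.1.2.1 (December 2021)
+ - Security Fixes:
+ - High: Authenticated author path traversal
+
  v4.1.1 (November 2021)
  - Loosen dradis-plugins version requirement
 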
@@ -20,7 +20,7 @@ Gem::Specification.new do |spec|
20
20
  spec.executables = spec.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
21
21
  spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
22
22
 
23
- spec.add_development_dependency 'bundler', '~> 1.6'
23
+ spec.add_development_dependency 'bundler', '~> 2.2'
24
24
  spec.add_development_dependency 'combustion'
25
25
  spec.add_development_dependency 'rake', '~> 10.0'
26
26
  spec.add_development_dependency 'rspec'
@@ -9,8 +9,8 @@ module Dradis
9
9
  module VERSION
10
10
  MAJOR = 4
11
11
  MINOR = 1
12
- TINY = 1
13
- PRE = nil
12
+ TINY = 2
13
+ PRE = 1
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
@@ -47,13 +47,18 @@ module Dradis::Plugins::Projects::Upload
47
47
 
48
48
 
49
49
  logger.info { 'Moving attachments to their final destinations...' }
50
- lookup_table[:nodes].each do |oldid,newid|
51
- if File.directory? Rails.root.join('tmp', 'zip', oldid)
52
- FileUtils.mkdir_p Attachment.pwd.join(newid.to_s)
50
+ lookup_table[:nodes].each do |oldid, newid|
51
+ tmp_dir = Rails.root.join('tmp', 'zip')
52
+ old_attachments_dir = File.expand_path(tmp_dir.join(oldid.to_s))
53
53
 
54
- Dir.glob(Rails.root.join('tmp', 'zip', oldid, '*')).each do |attachment|
55
- FileUtils.mv(attachment, Attachment.pwd.join(newid.to_s))
56
- end
54
+ # Ensure once the path is expanded it's still within the expected
55
+ # tmp directory to prevent unauthorized access to other dirs
56
+ next unless old_attachments_dir.starts_with?(tmp_dir.to_s) && File.directory?(old_attachments_dir)
57
+
58
+ FileUtils.mkdir_p Attachment.pwd.join(newid.to_s)
59
+
60
+ Dir.glob(Pathname.new(old_attachments_dir).join('*')).each do |attachment|
61
+ FileUtils.mv(attachment, Attachment.pwd.join(newid.to_s))
57
62
  end
58
63
  end
59
64
  logger.info { 'Done.' }
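Review bot: The guard on the `next unless` line compares the expanded path against `tmp_dir.to_s` as a bare string prefix, so a path that resolves to a sibling directory whose name merely starts with the `tmp/zip` path (for instance `tmp/zip_old`) is accepted as being inside the expected directory. Anchoring the prefix on a trailing separator closes that gap: `next unless old_attachments_dir.start_with?(File.join(tmp_dir.to_s, '')) && File.directory?(old_attachments_dir)`; `start_with?` is the core method and `starts_with?` its ActiveSupport alias, either works here. For V1 templates the id is already coerced to an Integer by the parser, so this is defense in depth, but this loop presumably also serves template versions whose ids are not coerced, so it should hold on its own. The method containing this loop starts before the hunk and ends after it.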
@@ -105,7 +105,7 @@ module Dradis::Plugins::Projects::Upload::V1
105
105
  logger.info { "Adjusting screenshot URLs: #{item.class.name} ##{item.id}" }
106
106
 
107
107
  new_text = item.send(text_attr).gsub(ATTACHMENT_URL) do |_|
108
- "!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2], $3]
108
+ "!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2.to_i], $3]
109
109
  end
110
110
  item.send(text_attr.to_s + "=", new_text)
111
111
 
@@ -121,7 +121,7 @@ module Dradis::Plugins::Projects::Upload::V1
121
121
  evidence.issue_id = lookup_table[:issues][evidence.issue_id.to_s]
122
122
 
123
123
  new_content = evidence.content.gsub(ATTACHMENT_URL) do |_|
124
- "!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2], $3]
124
+ "!%s/projects/%d/nodes/%d/attachments/%s!" % [$1, project.id, lookup_table[:nodes][$2.to_i], $3]
125
125
  end
126
126
  evidence.content = new_content
127
127
 
@@ -289,7 +289,12 @@ module Dradis::Plugins::Projects::Upload::V1
289
289
  node = parse_node(xml_node)
290
290
 
291
291
  # keep track of reassigned ids
292
- lookup_table[:nodes][xml_node.at_xpath('id').text.strip] = node.id
292
+ # Convert the id to an integer as it has no place being a string, or
293
+ # directory path. We later use this ID to build a directory structure
294
+ # to place attachments and without validation opens the potential for
295
+ # path traversal.
296
+ node_original_id = Integer(xml_node.at_xpath('id').text.strip)
297
+ lookup_table[:nodes][node_original_id] = node.id
293
298
  end
294
299
 
295
300
  logger.info { 'Done.' }
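Review bot: `Integer(...)` on the added `node_original_id` line parses the id with Ruby literal rules, so an id such as `010` becomes 8 (octal) and `08` raises `ArgumentError`, whereas the `$2.to_i` lookups in the two earlier hunks of this file and the `xml_node_id.to_i` in the V3 hunk would read the same text as 10 and 8; passing an explicit base, `node_original_id = Integer(xml_node.at_xpath('id').text.strip, 10)`, keeps the stored keys consistent with the lookups. The `ArgumentError` for a non-numeric id is presumably what makes `import` return false in the new spec, and the rescue that does so is outside this hunk; a short comment after the new block, `# A non-numeric id raises ArgumentError, which aborts the import.`, would make that contract visible here. The parse loop that contains this code starts before the hunk.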
@@ -131,7 +131,7 @@ module Dradis::Plugins::Projects::Upload::V3
131
131
  xml_node_id = xml_board.at_xpath('node_id').try(:text)
132
132
  node_id =
133
133
  if xml_node_id.present?
134
- lookup_table[:nodes][xml_node_id]
134
+ lookup_table[:nodes][xml_node_id.to_i]
135
135
  else
136
136
  project.methodology_library.id
137
137
  end
@@ -0,0 +1,14 @@
1
+ <?xml version="1.0" encoding="UTF-8"?>
2
+ <dradis-template version="1">
3
+ <nodes>
4
+ <node>
5
+ <id>../../../../../../tmp</id>
6
+ <label>Node 1</label>
7
+ <parent-id/>
8
+ <position>0</position>
9
+ <properties><![CDATA[{
10
+ }]]></properties>
11
+ <type-id>1</type-id>
12
+ </node>
13
+ </nodes>
14
+ </dradis-template>
@@ -1,15 +1,17 @@
1
+ # frozen_string_literal: true
2
+
1
3
  require 'rails_helper'
2
4
 
3
5
  describe Dradis::Plugins::Projects::Upload::V1::Template::Importer do
4
-
5
6
  let(:project) { create(:project) }
6
7
  let(:user) { create(:user) }
7
8
  let(:importer_class) { Dradis::Plugins::Projects::Upload::Template }
8
- let(:file_path) {
9
- File.join(File.dirname(__FILE__), '../../../../../../', 'fixtures', 'files', 'attachments_url.xml')
10
- }
11
9
 
12
10
  context 'uploading a template with attachments url' do
11
+ let(:file_path) do
12
+ File.join(File.dirname(__FILE__), '../../../../../../', 'fixtures', 'files', 'attachments_url.xml')
13
+ end
14
+
13
15
  it 'converts the urls' do
14
16
  importer = importer_class::Importer.new(
15
17
  default_user_id: user.id,
@@ -30,4 +32,20 @@ describe Dradis::Plugins::Projects::Upload::V1::Template::Importer do
30
32
  )
31
33
  end
32
34
  end
35
+
36
+ context 'uploading a template malformed paths as ids' do
37
+ let(:file_path) do
38
+ File.join(File.dirname(__FILE__), '../../../../../../', 'fixtures', 'files', 'malformed_ids.xml')
39
+ end
40
+
41
+ it 'returns false' do
42
+ importer = importer_class::Importer.new(
43
+ default_user_id: user.id,
44
+ plugin: importer_class,
45
+ project_id: project.id
46
+ )
47
+
48
+ expect(importer.import(file: file_path)).to be false
49
+ end
50
+ end
33
51
  end
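Review bot: The new context description `'uploading a template malformed paths as ids'` drops a word; `'uploading a template with malformed paths as ids'` reads as intended. The example pins only the boolean result of `import`, so a regression that rescued the error but still created the node from the malformed id would pass; an additional expectation that no node was persisted for that template would tie the test to the behaviour the fix is about. Both `file_path` helpers repeat the same six-level `'../../../../../../'` relative path; `File.expand_path('../../../../../../fixtures/files', __dir__)` would state the fixture directory once without the level counting.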
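--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: dradis-projects
  version: !ruby/object:Gem::Version
- version: 4.1.1
+ version: 4.1.2.1
  platform: ruby
  authors:
  - Daniel Martin
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2021-11-18 00:00:00.000000000 Z
+ date: 2021-12-22 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: bundler
@@ -16,14 +16,14 @@ dependencies:
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: '1.6'
+ version: '2.2'
  type: :development
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
  - - "~>"
  - !ruby/object:Gem::Version
- version: '1.6'
+ version: '2.2'
  - !ruby/object:Gem::Dependency
  name: combustion
  requirement: !ruby/object:Gem::Requirement
@@ -134,6 +134,7 @@ files:
  - lib/dradis/plugins/projects/version.rb
  - lib/tasks/thorfile.rb
  - spec/fixtures/files/attachments_url.xml
+ - spec/fixtures/files/malformed_ids.xml
  - spec/fixtures/files/with_comments.xml
  - spec/lib/dradis/plugins/projects/export/v2/template_spec.rb
  - spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb
@@ -163,6 +164,7 @@ specification_version: 4
  summary: Project export/upload for the Dradis Framework.
  test_files:
  - spec/fixtures/files/attachments_url.xml
+ - spec/fixtures/files/malformed_ids.xml
  - spec/fixtures/files/with_comments.xml
  - spec/lib/dradis/plugins/projects/export/v2/template_spec.rb
  - spec/lib/dradis/plugins/projects/upload/v1/template_spec.rb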