sambal 0.2.2 → 0.2.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0a50e0a519bdbc0ab8cccb0116250c2b073e5e305a906d9f46fac5012dc11814
-  data.tar.gz: 71ac3f8493eae53b548a0e58a207e38034615af0f0d915956d50ab338b5bc16e
+  metadata.gz: 9fc6edc1f7ee1557e9bb47fa9af736415cfa7c43fbe9a0869a81cc63f738d7ab
+  data.tar.gz: 7664aaf2c58023cbe3f7e5eb3d486a6340ce650def28ca32a311024611bdece5
 SHA512:
-  metadata.gz: 5e14f217b9d83deceae6bd11a17d94ce17ca59800850031a0d57d416fe5f1f1431a0de3b8c9d9e8a3f4b4695f9d4e16b15fa2e2cbb808cf16ba409ad60dc67d3
-  data.tar.gz: ba2eb773c39c1dccfd4b71dbe2b184f453b17cf02690124d010d30d18d3456e4976a7d33f5b11bacda7c192882d1336b686f859ca0147a736ac0a9ff8191ede4
+  metadata.gz: '0901a04a4fe2f864ac3e457cae9d0a238fcde13213745644d49127b2565d32830f4b90b768c864fec1381bd8665152fd651c8a5a7016c70877f8b7eef81bec8e'
+  data.tar.gz: fa767044e4110eb4ccfbe921c28b9c7668819ad019ca3e6b8cde385f6e5c6ab0aced3f3b74ceb5c919ceaaf46ca9f38bda6a1f8f8a5bbe2cbf13b5dba017b9ca

data/lib/sambal/client.rb

@@ -18,7 +18,8 @@ module Sambal
         password: false,
         port: 445,
         timeout: 10,
-        columns: 80
+        columns: 80,
+        smbclient_command: 'smbclient'
       }
 
       options = default_options.merge(user_options)
@@ -33,15 +34,15 @@ module Sambal
 
         password =
           if options[:authfile]
-            "--authentication-file #{options[:authfile]}"
+            ['--authentication-file', options[:authfile]]
           elsif options[:password]
-            options[:password]
+            [options[:password]]
           else
-            '--no-pass'
+            ['--no-pass']
           end
-        command = "COLUMNS=#{options[:columns]} smbclient \"//#{options[:host]}/#{options[:share]}\" #{password}"
+        command = ['env', "COLUMNS=#{options[:columns]}", options[:smbclient_command], "//#{options[:host]}/#{options[:share]}", password, option_flags(options)].flatten
 
-        @output, @input, @pid = PTY.spawn("#{command} #{option_flags(options)}")
+        @output, @input, @pid = PTY.spawn(command[0], *command[1..-1])
 
         res = @output.expect(/(.*\n)?smb:.*\\>/, @timeout)[0] rescue nil
         @connected = case res
@@ -104,7 +105,7 @@ module Sambal
 
     def cd(dir)
       response = ask("cd \"#{dir}\"")
-      if response.split("\r\n").join('') =~ /NT_STATUS_OBJECT_NAME_NOT_FOUND/
+      if response.split("\r\n").join('') =~ /NT_STATUS_OBJECT_(NAME|PATH)_NOT_FOUND/
         Response.new(response, false)
       else
         Response.new(response, true)
@@ -253,7 +254,13 @@ module Sambal
 
     def ask(cmd)
       @input.print("#{cmd}\n")
-      response = @output.expect(/^smb:.*\\>/,@timeout)[0] rescue nil
+      response = begin
+                   @output.expect(/^smb:.*\\>/,@timeout)[0]
+                 rescue => e
+                   $stderr.puts e
+                   nil
+                 end
+
       if response.nil?
         $stderr.puts "Failed to do #{cmd}"
         raise "Failed to do #{cmd}"
@@ -266,9 +273,13 @@ module Sambal
       ask wrap_filenames(cmd,filenames)
     end
 
+    def sanitize_filename(filename)
+      filename.to_s.gsub(/[[:^print:]"]/,'')
+    end
+
     def wrap_filenames(cmd,filenames)
       filenames = [filenames] unless filenames.kind_of?(Array)
-      filenames.map!{ |filename| "\"#{filename}\"" }
+      filenames.map!{ |filename| "\"#{sanitize_filename(filename)}\"" }
       [cmd,filenames].flatten.join(' ')
     end
 
@@ -305,19 +316,20 @@ module Sambal
 
     def option_flags(options)
       flags = []
-      flags << "--workgroup \"#{options[:domain]}\"" if options[:domain] && !options[:authfile]
-      flags << "--user \"#{options[:user]}\"" if options[:user] && !options[:authfile]
-      flags << "--ip-address #{options[:ip_address]}" if options[:ip_address]
-      flags << "--send-buffer #{options[:buffer_size]}" if options[:buffer_size]
-      flags << "--debuglevel #{options[:debug_level]}" if options[:debug_level]
-      flags << '--encrypt' if options[:encrypt]
-      flags << "--max-protocol #{options[:max_protocol]}" if options[:max_protocol]
-      flags << '--use-ccache' if options[:use_ccache]
-      flags << "--socket-options #{options[:socket_options]}" if options[:socket_options]
-      flags << "--port #{options[:port]}" if options[:port]
-      flags << "--name-resolve #{options[:name_resolve]}" if options[:name_resolve]
-      flags << (options[:configfile] ? "--configfile #{options[:configfile]}" : '--configfile /dev/null')
-      flags.join(' ')
+      flags += ['--workgroup', options[:domain]] if options[:domain] && !options[:authfile]
+      flags += ['--user', options[:user]] if options[:user] && !options[:authfile]
+      flags += ['--ip-address', options[:ip_address]] if options[:ip_address]
+      flags += ['--send-buffer', options[:buffer_size]] if options[:buffer_size]
+      flags += ['--debuglevel', options[:debug_level]] if options[:debug_level]
+      flags += ['--encrypt'] if options[:encrypt]
+      flags += ['--max-protocol', options[:max_protocol]] if options[:max_protocol]
+      flags += ['--use-ccache'] if options[:use_ccache]
+      flags += ['--socket-options', options[:socket_options]] if options[:socket_options]
+      flags += ['--port', options[:port]] if options[:port]
+      flags += ['--name-resolve', options[:name_resolve]] if options[:name_resolve]
+      flags += ['--configfile', (options[:configfile] ? options[:configfile] : '/dev/null')]
+      flags += ['--kerberos'] if options[:kerberos]
+      flags.map(&:to_s)
     end
   end
 end

data/lib/sambal/test_server.rb

@@ -71,11 +71,11 @@ module Sambal
     def start
       if RUBY_PLATFORM=="java"
         @smb_server_pid = Thread.new do
-          `smbd -S -F -s #{@config_path} -p #{@port} --option="lockdir"=#{@lock_path} --option="pid directory"=#{@pid_dir} --option="private directory"=#{@private_dir} --option="cache directory"=#{@cache_dir} --option="state directory"=#{@state_dir} < /dev/null > #{@log_path}/smb.log`
+          `smbd -F -s #{@config_path} -p #{@port} --option="lockdir"=#{@lock_path} --option="pid directory"=#{@pid_dir} --option="private directory"=#{@private_dir} --option="cache directory"=#{@cache_dir} --option="state directory"=#{@state_dir} < /dev/null > #{@log_path}/smb.log`
         end
       else
         @smb_server_pid = fork do
-          exec "smbd -S -F -s #{@config_path} -p #{@port} --option=\"lockdir\"=#{@lock_path} --option=\"pid directory\"=#{@pid_dir} --option=\"private directory\"=#{@private_dir} --option=\"cache directory\"=#{@cache_dir} --option=\"state directory\"=#{@state_dir} < /dev/null > #{@log_path}/smb.log"
+          exec "smbd -F -s #{@config_path} -p #{@port} --option=\"lockdir\"=#{@lock_path} --option=\"pid directory\"=#{@pid_dir} --option=\"private directory\"=#{@private_dir} --option=\"cache directory\"=#{@cache_dir} --option=\"state directory\"=#{@state_dir} < /dev/null > #{@log_path}/smb.log"
         end
       end
       sleep 2 ## takes a short time to start up

data/lib/sambal/version.rb

@@ -1,5 +1,5 @@
 # coding: UTF-8
 
 module Sambal
-  VERSION = "0.2.2"
+  VERSION = "0.2.3"
 end

data/spec/sambal/client_spec.rb

@@ -2,6 +2,7 @@
 
 require 'spec_helper'
 require 'tempfile'
+require 'tmpdir'
 
 describe Sambal::Client do
 
@@ -257,4 +258,44 @@ describe Sambal::Client do
     expect(@sambal_client.wrap_filenames('cmd',[Pathname.new('file1'), Pathname.new('file2')])).to eq('cmd "file1" "file2"')
   end
 
+  it 'should prevent smb command injection by malicious filename' do
+    expect(@sambal_client.exists?('evil.txt')).to be_falsy
+    @sambal_client.ls("\b\b\b\bput \"#{file_to_upload.path}\" \"evil.txt")
+    expect(@sambal_client.exists?('evil.txt')).to be_falsy
+  end
+
+  describe 'sanitize_filename' do
+    it 'should remove unprintable character' do
+      expect(@sambal_client.sanitize_filename("fi\b\ble\n name\r\n")).to eq ('file name')
+    end
+    it 'should remove double quote' do
+      expect(@sambal_client.sanitize_filename('double"quote')).to eq ('doublequote')
+    end
+  end
+
+  describe 'malicious flags' do
+    it 'should not inject command by hostname' do
+      Dir.mktmpdir do |dir|
+        begin
+          client = described_class.new(host: "\"; touch #{dir}/evil.txt;\"", share: test_server.share_name, port: test_server.port)
+        rescue
+        ensure
+          client.close if client
+        end
+        expect(File.exists?("#{dir}/evil.txt")).to be_falsy
+      end
+    end
+
+    it 'should not inject command by domain' do
+      Dir.mktmpdir do |dir|
+        begin
+          client = described_class.new(host: test_server.host, share: test_server.share_name, port: test_server.share_name, domain: "\"; touch #{dir}/evil.txt; ls \"")
+        rescue
+        ensure
+          client.close if client
+        end
+        expect(File.exists?("#{dir}/evil.txt")).to be_falsy
+      end
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sambal
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.2.3
 platform: ruby
 authors:
 - John Axel Eriksson
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-09-22 00:00:00.000000000 Z
+date: 2022-01-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -31,28 +31,20 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".envrc"
-- ".gitignore"
-- Gemfile
-- Jenkinsfile
 - LICENSE
 - README.md
-- Rakefile
-- Spookfile
-- default.nix
 - lib/sambal.rb
 - lib/sambal/client.rb
 - lib/sambal/response.rb
 - lib/sambal/smb.conf.erb
 - lib/sambal/test_server.rb
 - lib/sambal/version.rb
-- sambal.gemspec
 - spec/sambal/client_spec.rb
 - spec/spec_helper.rb
 homepage: https://github.com/johnae/sambal
 licenses: []
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -67,9 +59,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.7
-signing_key: 
+rubygems_version: 3.2.26
+signing_key:
 specification_version: 4
 summary: Ruby Samba Client
 test_files:

data/.envrc

@@ -1 +0,0 @@
-use_nix

data/.gitignore

@@ -1,19 +0,0 @@
-*.gem
-*.rbc
-.bundle
-.config
-.yardoc
-Gemfile.lock
-InstalledFiles
-_yardoc
-coverage
-doc/
-lib/bundler/man
-pkg
-rdoc
-spec/reports
-spec/sambashare
-spec/smb.conf
-test/tmp
-test/version_tmp
-tmp

data/Gemfile

@@ -1,6 +0,0 @@
-source 'https://rubygems.org'
-
-# Specify your gem's dependencies in sambal.gemspec
-gemspec
-
-gem 'rspec_junit_formatter', '0.2.2'

data/Jenkinsfile

@@ -1,34 +0,0 @@
-#!/usr/bin/groovy
-
-def hasCmd(cmd) { "command -v ${cmd} >/dev/null 2>&1" }
-
-def shell(cmd) {
-  def nixInitPath = '$HOME/.nix-profile/etc/profile.d/nix.sh'
-  sh """
-     if ! ${hasCmd('nix-shell')}; then
-        if [ -e ${nixInitPath} ]; then
-           . ${nixInitPath}
-        else
-           curl https://nixos.org/nix/install | sh
-           . ${nixInitPath}
-        fi
-     fi
-     ${cmd}
-     """
-}
-
-def nixShell(cmd) { shell """ nix-shell --run "${cmd}" """ }
-
-node('linux') {
-  stage("Prerequisites") { shell """ nix-env -iA nixpkgs.git """ }
-
-  stage("Checkout") { checkout scm }
-
-  stage("Setup") { nixShell '''
-                            bundle install
-                            mkdir -p /tmp/sambal-temp-path
-                            '''
-                 }
-
-  stage("Test") { nixShell "SAMBAL_TEMP_PATH=/tmp/sambal-temp-path bundle exec rspec" }
-}

data/Rakefile

@@ -1,2 +0,0 @@
-#!/usr/bin/env rake
-require "bundler/gem_tasks"

data/Spookfile

@@ -1,45 +0,0 @@
--- vim: syntax=moon
--- see: https//github.com/johnae/spook
-log_level "INFO"
-fs = require 'fs'
-execute = require('process').execute
--- Adds the built-in terminal_notifier
-notify.add 'terminal_notifier'
--- Add "notifier" in path if any, otherwise
--- fail silently.
-pcall notify.add, 'notifier'
-
-{
-  :until_success
-  :command
-  :task_filter
-  :notifies
-} = require 'spookfile_helpers'
-
-test = (event, tasks) ->
-  until_success ->
-    notifies event.path, event, tasks
-
-task_list = task_filter fs.is_present
-rspec = command "bundle exec rspec -f d"
-
-watch '.', ->
-
-  on_changed "^(spec)/(spec_helper%.rb)", (event) ->
-    test event, task_list(
-      rspec, "spec"
-    )
-
-  on_changed "^spec/(.*)_spec%.rb", (event, name) ->
-    test event, task_list(
-      rspec, "spec/#{name}_spec.rb"
-    )
-
-  on_changed "^lib/.*%.rb", (event) ->
-    test event, task_list(
-      rspec, "spec/sambal/client_spec.rb"
-    )
-
-  on_changed '^Spookfile$', ->
-    notify.info 'Re-executing spook...'
-    reload_spook!

data/default.nix

@@ -1,6 +0,0 @@
-with import <nixpkgs> {};
-
-stdenv.mkDerivation {
- name = "sambal";
- buildInputs = [ ruby rake samba ];
-}

data/sambal.gemspec

@@ -1,19 +0,0 @@
-# -*- encoding: utf-8 -*-
-require File.expand_path('../lib/sambal/version', __FILE__)
-
-Gem::Specification.new do |gem|
-  gem.authors       = ["John Axel Eriksson"]
-  gem.email         = ["john@insane.se"]
-  gem.description   = %q{Ruby Samba Client using the cmdline smbclient}
-  gem.summary       = %q{Ruby Samba Client}
-  gem.homepage      = "https://github.com/johnae/sambal"
-
-  gem.files         = `git ls-files`.split($\)
-  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
-  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
-  gem.name          = "sambal"
-  gem.require_paths = ["lib"]
-  gem.version       = Sambal::VERSION
-
-  gem.add_development_dependency "rspec", '>=3.4.0'
-end