-
Notifications
You must be signed in to change notification settings - Fork 284
Possible security issue with slugs and filename #210
Comments
We've gone back and forth several times on user-defined slugs. If @tyler-smith and @cpacia agree there's a vulnerability here, that's a serious issue we need to discuss. |
There are also issues in |
This is for the local user to create files though right? How could this be exploited to create new files or overwrite remotely? |
If by "This" you mean |
I'm not sure I see how this could be exploited. It seems like one would need malware on their machine and even there I don't see how that would impact any other users on the network. |
No malware is assumed otherwise all bets are off. I see two attack vectors for an attacker:
|
So I think there are several things that leave Electron's security model to be desired. Not sandboxing things is the first dramatic issue, but would be difficult for us to limit due to the nature of this product (needing OS integration). I think for now the prudent thing to do would be to look at all the points in the code where we're integrating with the file system for these types of exploits and ensure we're properly filtering out paths, etc. This is app development 101, but everyone overlooks things from time to time. We need more eyes on this.
|
Ok, I'm not the only one with these concerns. Very interesting discussion on this IPFS issue: |
I looked at this briefly, but it looked like they already disallow slashes in names. Doesn't that pretty much prevent the issue you're proposing? |
Just disallowing slashes in names almost certainly doesn't prevent an attacker from messing around. (There are huge amounts of complexity involved; just read the thread in a little more detail.) I can only confidently say that a conservative check such as |
I was just making one point, not saying that was the only protection is provides currently. I don't think it's worth our time to do something too dramatic, beyond a simple check for now considering they're working on it and it is more of an IPFS issue than an OpenBazaar one. If you'd like to submit a PR for doing the check you suggest that would be appreciated. Beyond that you'll have to be more specific what you would like us to do to appease your concern. |
If people think that restricting slugs and filenames to
I disagree. Proper validation of slugs, filenames and |
Ok we are talking about two separate issues here. You brought up IPFS. In IPFS there's no way it will serve up those improper files. The slug validation issue is a whole other problem and valid. I would think just removing anything except for the last component would be good enough to avoid the issue you mentioned. |
As I understand, the
slug
is effectively a user-defined filename. The idea of user-defined filenames should raise security alarm bells.Let's look at an example in
listings.go
.Because
slug
can be a string like../../path/to/internal/file.private
, we're allowing an attacker to ask the OS to read arbitrary files. This could leak the existence of files (e.g. by looking at errors, or doing a timing attack), could allow a DoS attack (e.g. by forcing openbazaar-go to read very large files), and could maybe even lead an attacker to read the contents of any file.Similar stuff is happening with image filenames, for example in
images.go
:os.Create
will overwrite any existing file.I believe I have previously flagged up the possible security concerns of user-set filenames with @hoffmabc and @cpacia on Slack. This was months ago when discussing the initial design of the protobufs. Are we really going down this route? If so, there will be little room for sloppiness, e.g. in validating slugs and filenames.
The text was updated successfully, but these errors were encountered: