You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2020/11/03 13:34:38 UTC
[GitHub] [nifi] azgron opened a new pull request #4639: Update PutFile.java: fix path traversal vulnerability
azgron opened a new pull request #4639:
URL: https://github.com/apache/nifi/pull/4639
Check if filename contains path traversal
Thank you for submitting a contribution to Apache NiFi.
Please provide a short description of the PR here:
#### Description of PR
_Enables X functionality; fixes bug NIFI-YYYY._
In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:
### For all changes:
- [ ] Is there a JIRA ticket associated with this PR? Is it referenced
in the commit message?
- [ ] Does your PR title start with **NIFI-XXXX** where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
- [ ] Has your PR been rebased against the latest commit within the target branch (typically `main`)?
- [ ] Is your initial contribution a single, squashed commit? _Additional commits in response to PR reviewer feedback should be made on this branch and pushed to allow change tracking. Do not `squash` or use `--force` when pushing to allow for clean monitoring of changes._
### For code changes:
- [ ] Have you ensured that the full suite of tests is executed via `mvn -Pcontrib-check clean install` at the root `nifi` folder?
- [ ] Have you written or updated unit tests to verify your changes?
- [ ] Have you verified that the full build is successful on JDK 8?
- [ ] Have you verified that the full build is successful on JDK 11?
- [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the `LICENSE` file, including the main `LICENSE` file under `nifi-assembly`?
- [ ] If applicable, have you updated the `NOTICE` file, including the main `NOTICE` file found under `nifi-assembly`?
- [ ] If adding new Properties, have you added `.displayName` in addition to .name (programmatic access) for each of the new properties?
### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in which it is rendered?
### Note:
Please ensure that once the PR is submitted, you check GitHub Actions CI for build issues and submit an update to your PR as soon as possible.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] joewitt commented on pull request #4639: Update PutFile.java: fix path traversal vulnerability
Posted by GitBox <gi...@apache.org>.
joewitt commented on pull request #4639:
URL: https://github.com/apache/nifi/pull/4639#issuecomment-721276193
Yep I am fine with that - perhaps 'prevent' is better than 'avoid' The display name would be 'Prevent Path Escape' and the name would be 'preventpathescape' or something consistent with how others do it. Default of false is good. Description will let the user know the purpose of the property if true is to detect whether the resolved path (including following symlinks) still appears inline with the intended specified target directory. Where this could be confusing is when the base dir itself is a symlink and resolves to something else. But the more context you can give the user on the intent and so long as this is purely optional it is fine.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] azgron commented on pull request #4639: Update PutFile.java: fix path traversal vulnerability
Posted by GitBox <gi...@apache.org>.
azgron commented on pull request #4639:
URL: https://github.com/apache/nifi/pull/4639#issuecomment-721291253
I have done the changes. What do you think?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] joewitt commented on pull request #4639: Update PutFile.java: fix path traversal vulnerability
Posted by GitBox <gi...@apache.org>.
joewitt commented on pull request #4639:
URL: https://github.com/apache/nifi/pull/4639#issuecomment-720618061
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] exceptionfactory commented on pull request #4639: Update PutFile.java: fix path traversal vulnerability
Posted by GitBox <gi...@apache.org>.
exceptionfactory commented on pull request #4639:
URL: https://github.com/apache/nifi/pull/4639#issuecomment-734051291
@azgron The current commit includes a checkstyle violation on line 250, causing failures on Linux and MacOS. The PR checklist includes several steps that will help streamline the review process, including prefixing the PR and commit messages with an associated Jira issue number, adding unit tests, and including a displayName() setting on new properties. Based on previous feedback, it may be better to close this PR, create a Jira issue, and then create a new PR after working through the applicable checklist steps.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] MikeThomsen commented on pull request #4639: Update PutFile.java: fix path traversal vulnerability
Posted by GitBox <gi...@apache.org>.
MikeThomsen commented on pull request #4639:
URL: https://github.com/apache/nifi/pull/4639#issuecomment-720795906
I agree with @joewitt. I wouldn't call this a vulnerability unless you're running NiFi as root or something (and let's be honest, this is the least of your worries if that's the case).
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] azgron commented on pull request #4639: Update PutFile.java: fix path traversal vulnerability
Posted by GitBox <gi...@apache.org>.
azgron commented on pull request #4639:
URL: https://github.com/apache/nifi/pull/4639#issuecomment-723029208
@joewitt @MikeThomsen What do you think? What are the next steps?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] azgron commented on a change in pull request #4639: Update PutFile.java: fix path traversal vulnerability
Posted by GitBox <gi...@apache.org>.
azgron commented on a change in pull request #4639:
URL: https://github.com/apache/nifi/pull/4639#discussion_r516893887
##########
File path: nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutFile.java
##########
@@ -232,8 +240,14 @@ public void onTrigger(final ProcessContext context, final ProcessSession session
final Path rootDirPath = configuredRootDirPath.toAbsolutePath();
String filename = flowFile.getAttribute(CoreAttributes.FILENAME.key());
final Path tempCopyFile = rootDirPath.resolve("." + filename);
- final Path copyFile = rootDirPath.resolve(filename);
-
+ final Path copyFile = rootDirPath.resolve(filename)
+ if (context.getProperty(PREVENT_PATH_ESCAPE).asBoolean() && !copyFile.startsWith(rootDirPath)) {
+ flowFile = session.penalize(flowFile);
+ session.transfer(flowFile, REL_FAILURE);
+ logger.error("Resolved path escapes the root dir path");
Review comment:
Do you mean:
!(copyFile.startsWith(rootDirPath) || tempCopyFile.startsWith(rootDirPath))
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] github-actions[bot] closed pull request #4639: Update PutFile.java: fix path traversal vulnerability
Posted by GitBox <gi...@apache.org>.
github-actions[bot] closed pull request #4639:
URL: https://github.com/apache/nifi/pull/4639
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] azgron commented on pull request #4639: Update PutFile.java: fix path traversal vulnerability
Posted by GitBox <gi...@apache.org>.
azgron commented on pull request #4639:
URL: https://github.com/apache/nifi/pull/4639#issuecomment-721274476
Thanks for your comments.
Do you agree to add a boolean property witch called "AvoidPathEscapes"?
The default value will be false as @joewitt mentioned.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] github-actions[bot] commented on pull request #4639: Update PutFile.java: fix path traversal vulnerability
Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on pull request #4639:
URL: https://github.com/apache/nifi/pull/4639#issuecomment-819929645
We're marking this PR as stale due to lack of updates in the past few months. If after another couple of weeks the stale label has not been removed this PR will be closed. This stale marker and eventual auto close does not indicate a judgement of the PR just lack of reviewer bandwidth and helps us keep the PR queue more manageable. If you would like this PR re-opened you can do so and a committer can remove the stale tag. Or you can open a new PR. Try to help review other PRs to increase PR review bandwidth which in turn helps yours.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] azgron commented on a change in pull request #4639: Update PutFile.java: fix path traversal vulnerability
Posted by GitBox <gi...@apache.org>.
azgron commented on a change in pull request #4639:
URL: https://github.com/apache/nifi/pull/4639#discussion_r516893887
##########
File path: nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutFile.java
##########
@@ -232,8 +240,14 @@ public void onTrigger(final ProcessContext context, final ProcessSession session
final Path rootDirPath = configuredRootDirPath.toAbsolutePath();
String filename = flowFile.getAttribute(CoreAttributes.FILENAME.key());
final Path tempCopyFile = rootDirPath.resolve("." + filename);
- final Path copyFile = rootDirPath.resolve(filename);
-
+ final Path copyFile = rootDirPath.resolve(filename)
+ if (context.getProperty(PREVENT_PATH_ESCAPE).asBoolean() && !copyFile.startsWith(rootDirPath)) {
+ flowFile = session.penalize(flowFile);
+ session.transfer(flowFile, REL_FAILURE);
+ logger.error("Resolved path escapes the root dir path");
Review comment:
Do you mean:
!(copyFile.startsWith(rootDirPath) || tempCopyFile.startsWith(rootDirPath))
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [nifi] joewitt commented on a change in pull request #4639: Update PutFile.java: fix path traversal vulnerability
Posted by GitBox <gi...@apache.org>.
joewitt commented on a change in pull request #4639:
URL: https://github.com/apache/nifi/pull/4639#discussion_r516862513
##########
File path: nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/PutFile.java
##########
@@ -232,8 +240,14 @@ public void onTrigger(final ProcessContext context, final ProcessSession session
final Path rootDirPath = configuredRootDirPath.toAbsolutePath();
String filename = flowFile.getAttribute(CoreAttributes.FILENAME.key());
final Path tempCopyFile = rootDirPath.resolve("." + filename);
- final Path copyFile = rootDirPath.resolve(filename);
-
+ final Path copyFile = rootDirPath.resolve(filename)
+ if (context.getProperty(PREVENT_PATH_ESCAPE).asBoolean() && !copyFile.startsWith(rootDirPath)) {
+ flowFile = session.penalize(flowFile);
+ session.transfer(flowFile, REL_FAILURE);
+ logger.error("Resolved path escapes the root dir path");
Review comment:
I would provide the two path values that were compared/tested so the user can understand what really happened.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org