awful-salmonella-tar
Introduction
This is an awful application to extract salmonella report files from tar archives.
It requires tar (tested with GNU tar, specifically). For compressed report tar files, gzip or bzip2 is also required (gzip is used by default).
To see it working, install awful-salmonella-tar with:
$ chicken-install awful-salmonella-tar
Then add some test data:
$ mkdir -p reports/master/gcc/linux/x86-64/2018/09/02/
$ cd reports/master/gcc/linux/x86-64/2018/09/02/
$ wget https://salmonella-linux-x86-64.call-cc.org/master/gcc/linux/x86-64/2018/09/02/salmonella.log.bz2
$ bzip2 -d salmonella.log.bz2
You'll need salmonella-html-report to generate report data from the salmonella log file. If you don't have it installed, run:
$ chicken-install salmonella-html-report
$ salmonella-html-report salmonella.log salmonella-report
$ tar czf salmonella-report.tar.gz salmonella-report
$ rm -rf salmonella-report
$ cd -
$ cat <<EOF > awful-salmonella-tar-app.scm
(cond-expand
  (chicken-4 (use awful-salmonella-tar))
  (chicken-5 (import awful-salmonella-tar))
  (else (error "Unsupported CHICKEN version.")))
(awful-salmonella-tar "/")
EOF
$ awful awful-salmonella-tar-app.scm
Then request, for example, http://localhost:8080/reports/master/gcc/linux/x86-64/2018/09/02/salmonella-report/
Author
Repository
awful-salmonella-tar is maintained in a Github repository.
License
Copyright (c) 2011-2020, Mario Domenech Goulart
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name of the authors may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Version history
Version 0.0.4 (2022-02-17)
Fix path traversal vulnerability
This change fixes a path traversal vulnerability that allowed attackers to navigate the filesystem of the server (limited to directories on which the user running the web server has execute permission). Attackers could only list the contents of directories -- not download files.
The vulnerability was caused by the lack of a validity check on requested paths when handling directories, notably when ..%2F (../ URL-encoded) was present in the requested path.
Background:
awful-salmonella-tar is implemented using awful. Awful is implemented on top of spiffy, and overrides the (handle-not-found) parameter to map URL paths to procedures. Spiffy takes some precautions against malicious paths when it handles static files. Code that uses spiffy to generate dynamic content (like awful does) must take its own precautions.
awful-salmonella-tar uses a procedure (safe-path?) with a relatively strict policy to allow access to files, but it was not being used to validate access to directories, which is what caused the vulnerability.
This change applies safe-path? to all requested paths.
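The two behaviours described in this entry, as an added illustration that is not the egg's own code: a Python sketch (the egg itself is written in Scheme) of a safe-path check in the spirit of safe-path?, applied first only to file requests, as in 0.0.3, and then to every request, as in 0.0.4. The served root directory, the request paths and the function names are constructed, hypothetical values.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample values: a served root and two requests, one legitimate,
# one carrying "..%2F" (the URL-encoded "../" mentioned in the changelog).
ROOT_DIR = "/srv/reports"
GOOD_REQUEST = "/reports/master/gcc/linux/x86-64/2018/09/02/salmonella-report/"
TRAVERSAL_REQUEST = "/reports/..%2F..%2Fetc/"


def safe_path(root_dir, raw_url_path):
    """Map a raw URL path onto a filesystem path under root_dir.

    Returns the resolved path, or None if the request must be rejected.
    Hypothetical stand-in for the egg's safe-path? procedure.
    """
    decoded = unquote(raw_url_path)              # validate AFTER decoding
    if "\x00" in decoded:
        return None
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if ".." in segments:                         # catches "../" and "%2e%2e/" alike
        return None
    root = posixpath.normpath(root_dir)
    resolved = posixpath.normpath(posixpath.join(root, *segments))
    # Defence in depth: whatever happened above, the result stays under root.
    prefix = root if root.endswith("/") else root + "/"
    if resolved != root and not resolved.startswith(prefix):
        return None
    return resolved


def dispatch_0_0_3(root_dir, raw_url_path):
    """0.0.3 behaviour as described: only file requests are validated."""
    if raw_url_path.endswith("/"):               # directory listing: no check
        return "dir", posixpath.normpath(root_dir + unquote(raw_url_path))
    path = safe_path(root_dir, raw_url_path)
    return ("file", path) if path else ("reject", None)


def dispatch_0_0_4(root_dir, raw_url_path):
    """0.0.4 behaviour: safe_path applies to every requested path."""
    path = safe_path(root_dir, raw_url_path)
    if path is None:
        return "reject", None
    return ("dir" if raw_url_path.endswith("/") else "file"), path
```

With the constructed values, dispatch_0_0_3 resolves the traversal request to a directory outside ROOT_DIR, while dispatch_0_0_4 rejects it and still serves the legitimate report directory.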
Thanks to Chris Brannon for responsibly reporting this issue.
Version 0.0.3
- Initial release as a CHICKEN egg (2020-11-07)