awful-salmonella-tar

  1. awful-salmonella-tar
    1. Introduction
    2. Author
    3. Repository
    4. License
    5. Version history
      1. Version 0.0.4 (2022-02-17)
      2. Version 0.0.3

Introduction

This is an awful application to extract salmonella report files from tar archives.

It requires tar (tested it with GNU tar, specifically). For compressed report tar files, gzip or bzip2 are required (by default, gzip is used)

To see it working, install awful-salmonella-tar with:

 $ chicken-install awful-salmonella-tar

Then add some test data:

 $ mkdir -p reports/master/gcc/linux/x86-64/2018/09/02/
 $ cd reports/master/gcc/linux/x86-64/2018/09/02/
 $ wget https://salmonella-linux-x86-64.call-cc.org/master/gcc/linux/x86-64/2018/09/02/salmonella.log.bz2
 $ bzip2 -d salmonella.log.bz2

You'll need salmonella-html-report to generate report data out of the salmonella log file. If you don't have it installed, chicken-install salmonella-html-report

 $ salmonella-html-report salmonella.log salmonella-report
 $ tar czf salmonella-report.tar.gz salmonella-report
 $ rm -rf salmonella-report
 $ cd -
 $ cat <<EOF > awful-salmonella-tar-app.scm
 (cond-expand
 (chicken-4
  (use awful-salmonella-tar))
 (chicken-5
  (import awful-salmonella-tar))
 (else
  (error "Unsupported CHICKEN version.")))
 
 (awful-salmonella-tar "/")
 EOF
 $ awful awful-salmonella-tar-app.scm

Then request, for example http://localhost:8080/reports/master/gcc/linux/x86-64/2018/09/02/salmonella-report/

Author

Mario Domenech Goulart

Repository

awful-salmonella-tar is maintained in a Github repository.

License

 Copyright (c) 2011-2020, Mario Domenech Goulart
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions
 are met:
 1. Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.
 3. The name of the authors may not be used to endorse or promote products
    derived from this software without specific prior written permission.
 
 THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS
 OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
 DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
 GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
 IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
 OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Version history

Version 0.0.4 (2022-02-17)

Fix path traversal vulnerability

This change fixes a path traversal vulnerability that would allow attackers to navigate through the filesystem of the server (provided execute access to directories for the user running the web server). Attackers could only list the contents of directories -- not download files.

The vulnerability was caused by the lack of a check for the validity requested paths when handling directories, notably when ..%2F (../ URL-encoded) was present in requested paths.

Background:

awful-samonella-tar is implemented using awful. Awful is implemented on top of spiffy, and overrides the (handle-not-found) parameter to map URL paths to procedures. Spiffy takes some precautions regarding dealing with malicious paths when it handles static files. Code that uses spiffy to implement generation of dynamic content (like awful does), must take their own precautions.

awful-salmonella-tar uses a procedure (safe-path?) with a relatively strict policy to allow access to files, but it was not being used to validate access to directories, and that was causing the vulnerability.

This change applies safe-path? to all requested paths.

Thanks to Chris Brannon for responsibly reporting this issue.

Version 0.0.3