Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check file path prefixes #1844

Merged
merged 5 commits into from
Jan 22, 2025
Merged

Check file path prefixes #1844

merged 5 commits into from
Jan 22, 2025

Conversation

ryan-pratt
Copy link
Contributor

No description provided.

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 17, 2025
View reviewed changes
openc3/lib/openc3/utilities/local_mode.rb Dismissed Show dismissed Hide dismissed
@codecov Codecov
Copy link

codecov bot commented Jan 17, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 79.56%. Comparing base (fb1a8ad) to head (5435330).
Report is 9 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1844      +/-   ##
==========================================
- Coverage   79.57%   79.56%   -0.02%     
==========================================
  Files         519      519              
  Lines       40774    40791      +17     
==========================================
+ Hits        32447    32456       +9     
- Misses       8327     8335       +8
Flag Coverage Δ
python 84.27% <ø> (-0.05%) ⬇️
ruby-api 48.72% <ø> (ø)
ruby-backend 82.59% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@ryan-pratt ryan-pratt requested a review from jmthomas January 20, 2025 18:12
@ryan-pratt ryan-pratt marked this pull request as ready for review January 20, 2025 18:12
jmthomas
jmthomas requested changes Jan 21, 2025
View reviewed changes
Copy link
Member

@jmthomas jmthomas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add checks to local_mode.py

openc3/lib/openc3/utilities/local_mode.rb
@@ -446,14 +450,17 @@ def self.sync_tool_config()
def self.save_tool_config(scope, tool, name, data)
json = JSON.parse(data, :allow_nan => true, :create_additions => true)
config_path = "#{OPENC3_LOCAL_MODE_PATH}/#{scope}/tool_config/#{tool}/#{name}.json"
return unless File.expand_path(config_path).start_with?(OPENC3_LOCAL_MODE_PATH)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're building this so isn't it always going to start with OPENC3_LOCAL_MODE_PATH? Or are we protecting from someone adding ../../../ or whatever in the scope, tool, or name portion?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also we should implement these same checks in local_mode.py

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct, this is better protection against traversing up the file tree. Basic attacks will be caught by this, but calling expand_path and making sure that it starts in the correct dir is a better way to protect against theoretically more sophisticated attacks

Ah I see, I missed part of local_mode.py, I'll update that... Is there a reason most of that file is commented out? Can we remove the large blocks of commented out code?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Anything that's part of the plugin installation process can be removed because that's Ruby only. So yeah you can remove it all.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@ryan-pratt ryan-pratt requested a review from jmthomas January 22, 2025 02:48
@ryan-pratt ryan-pratt merged commit f259a1a into main Jan 22, 2025
28 checks passed
@ryan-pratt ryan-pratt deleted the file-path-prefixes branch January 22, 2025 16:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jmthomas jmthomas jmthomas approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ryan-pratt @jmthomas