From f6e98894cfe841aedaa7efd590937f0255193913 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Sat, 9 Mar 2019 18:38:37 +0100
Subject: [PATCH 1/2] Check for path traversal issue

---
 package_linter.py | 46 ++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 44 insertions(+), 2 deletions(-)

diff --git a/package_linter.py b/package_linter.py
index 620dcd5..2ad01cb 100755
--- a/package_linter.py
+++ b/package_linter.py
@@ -137,12 +137,19 @@ class App():
             )
 
         #
-        # Deprecated usage of 'add_header' in nginx conf
+        # Analyze nginx conf
+        # - Deprecated usage of 'add_header' in nginx conf
+        # - Spot path traversal issue vulnerability
         #
 
         for filename in os.listdir(self.path + "/conf"):
-            if not os.path.isfile(self.path + "/conf/" + filename):
+            # Ignore subdirs or filename not containing nginx in the name
+            if not os.path.isfile(self.path + "/conf/" + filename) or "nginx" not in filename:
                 continue
+
+            #
+            # 'add_header' usage
+            #
             content = open(self.path + "/conf/" + filename).read()
             if "location" in content and "add_header" in content:
                 print_warning(
@@ -151,6 +158,41 @@ class App():
                     "and https://github.com/openresty/headers-more-nginx-module#more_set_headers )"
                 )
 
+            #
+            # Path traversal issues
+            #
+            lines = open(self.path + "/conf/" + filename).readlines()
+            lines = [line.strip() for line in lines if not line.strip().startswith("#")]
+            # Let's find the first location line
+            location_line = None
+            path_traversal_vulnerable = False
+            lines_iter = lines.__iter__()
+            for line in lines_iter:
+                if line.startswith("location"):
+                    location_line = line
+                    break
+            # Look at the next lines for an 'alias' directive
+            if location_line is not None:
+                for line in lines_iter:
+                    if line.startswith("location"):
+                        # Entering a new location block ... abort here
+                        # and assume there's no alias block later...
+                        break
+                    if line.startswith("alias"):
+                        # We should definitely check for path traversal issue
+                        # Does the location target ends with / ?
+                        target = location_line.split()[-2]
+                        if not target.endswith("/"):
+                            path_traversal_vulnerable = True
+                            break
+            if path_traversal_vulnerable:
+                print_warning(
+                    "The nginx configuration appears vulnerable to path traversal as explained in "
+                    "https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/\n"
+                    "To fix it, look at the first lines of the nginx conf of the example app : "
+                    "https://github.com/YunoHost/example_ynh/blob/master/conf/nginx.conf"
+                )
+
     def check_helper_consistency(self):
         """
         check if ynh_install_app_dependencies is present in install/upgrade/restore

From 82b715f06801d356e0714f497ef25636a8a8bdec Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Sat, 9 Mar 2019 19:22:43 +0100
Subject: [PATCH 2/2] Handle case were { is on a newline

---
 package_linter.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package_linter.py b/package_linter.py
index 2ad01cb..c5edcb9 100755
--- a/package_linter.py
+++ b/package_linter.py
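Review bot: Only the first `location` block of each nginx conf is ever examined — the first loop breaks on the first `location`, and the second loop breaks as soon as the next `location` begins — so a non-slash-terminated `alias` location further down the file (a `/static` sub-location, for instance) is never reported, which is a silent false negative in a security check. Every block should be checked, and a single pass over the file does that while also letting the check reuse the `content` already read a few lines above this hunk instead of calling `open(...).readlines()` a second time and leaving that handle unclosed. Cutting trailing `# ...` comments off while stripping would additionally keep comment words out of the location tokens. The rewrite below does that and folds in the `{`-on-its-own-line tokenization that the follow-up commit on this page introduces; the `print_warning` call and the enclosing `for filename` loop, which starts before this hunk, are unchanged.
```python
            #
            # Path traversal issues
            #
            # Strip full-line and trailing comments so they never become tokens;
            # `content` is the file text read above this hunk
            lines = [line.split("#", 1)[0].strip() for line in content.splitlines()]
            location_line = None
            path_traversal_vulnerable = False
            # Check every location block, not only the first one
            for line in lines:
                if line.startswith("location"):
                    location_line = line.split()
                elif line.startswith("alias") and location_line is not None:
                    # Does the location target end with / ?
                    target = location_line[-2] if location_line[-1] == "{" else location_line[-1]
                    if not target.endswith("/"):
                        path_traversal_vulnerable = True
                        break
            # … unchanged: print_warning(...) when path_traversal_vulnerable …
```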
@@ -169,7 +169,7 @@ class App():
             lines_iter = lines.__iter__()
             for line in lines_iter:
                 if line.startswith("location"):
-                    location_line = line
+                    location_line = line.split()
                     break
             # Look at the next lines for an 'alias' directive
             if location_line is not None:
@@ -181,7 +181,7 @@ class App():
                 if line.startswith("alias"):
                     # We should definitely check for path traversal issue
                     # Does the location target ends with / ?
-                    target = location_line.split()[-2]
+                    target = location_line[-2] if location_line[-1] == "{" else location_line[-1]
                     if not target.endswith("/"):
                         path_traversal_vulnerable = True
                         break
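Review bot: `line.split()` keeps a trailing comment on the location line as tokens, because the comprehension above this hunk (from the previous commit) only drops lines that start with `#`; for `location __PATH__/ { # static files` the last token is `files`, so the `{` test in the next hunk fails and the trailing-slash check runs against a comment word, producing a false positive. Cutting the comment off before tokenizing, `location_line = line.split("#", 1)[0].split()`, keeps the token list to the directive itself. The enclosing `for filename` loop begins outside this hunk.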
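Review bot: The trailing-slash heuristic on the new `target` line is applied whatever the location modifier is, so `location = __PATH__ {` and regex locations (`~`, `~*`) trip the warning too: an exact-match location cannot be extended with `../`, and for a regex the "target" is a pattern in which a trailing `/` carries no such meaning, so these look like false positives (confirm against nginx's alias semantics for regex locations before relying on this). Skipping them before computing `target`, `if location_line[1] in ("=", "~", "~*"): continue`, keeps the check to the prefix-location case the referenced write-up describes. The inner `for line in lines_iter` loop and the enclosing method start outside this hunk.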