Check for path traversal issue

2024-09-03 20:06:12 +02:00 · 2019-03-09 18:38:37 +01:00 · 2019-03-09 18:38:37 +01:00 · f6e98894cf
commit f6e98894cf
parent 74e60bab86
1 changed files with 44 additions and 2 deletions
--- a/package_linter.py
+++ b/package_linter.py
@ -137,12 +137,19 @@ class App():
            )

        #
-        # Deprecated usage of 'add_header' in nginx conf
+        # Analyze nginx conf
+        # - Deprecated usage of 'add_header' in nginx conf
+        # - Spot path traversal issue vulnerability
        #

        for filename in os.listdir(self.path + "/conf"):
-            if not os.path.isfile(self.path + "/conf/" + filename):
+            # Ignore subdirs or filename not containing nginx in the name
+            if not os.path.isfile(self.path + "/conf/" + filename) or "nginx" not in filename:
                continue
+
+            #
+            # 'add_header' usage
+            #
            content = open(self.path + "/conf/" + filename).read()
            if "location" in content and "add_header" in content:
                print_warning(
@ -151,6 +158,41 @@ class App():
                    "and https://github.com/openresty/headers-more-nginx-module#more_set_headers )"
                )

+            #
+            # Path traversal issues
+            #
+            lines = open(self.path + "/conf/" + filename).readlines()
+            lines = [line.strip() for line in lines if not line.strip().startswith("#")]
+            # Let's find the first location line
+            location_line = None
+            path_traversal_vulnerable = False
+            lines_iter = lines.__iter__()
+            for line in lines_iter:
+                if line.startswith("location"):
+                    location_line = line
+                    break
+            # Look at the next lines for an 'alias' directive
+            if location_line is not None:
+                for line in lines_iter:
+                    if line.startswith("location"):
+                        # Entering a new location block ... abort here
+                        # and assume there's no alias block later...
+                        break
+                    if line.startswith("alias"):
+                        # We should definitely check for path traversal issue
+                        # Does the location target ends with / ?
+                        target = location_line.split()[-2]
+                        if not target.endswith("/"):
+                            path_traversal_vulnerable = True
+                        break
+            if path_traversal_vulnerable:
+                print_warning(
+                    "The nginx configuration appears vulnerable to path traversal as explained in "
+                    "https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/\n"
+                    "To fix it, look at the first lines of the nginx conf of the example app : "
+                    "https://github.com/YunoHost/example_ynh/blob/master/conf/nginx.conf"
+                )
+
    def check_helper_consistency(self):
        """
        check if ynh_install_app_dependencies is present in install/upgrade/restore