Resolve information disclosure vulnerability through emoji pack archive download endpoint
The pack name has been sanitized so an attacker cannot upload a media file called pack.json with their own handcrafted list of emoji files as arbitrary files on the filesystem and then call the emoji pack archive download endpoint with a pack name crafted to the location of the media file they uploaded which tricks Pleroma into generating a zip file of the target files the attacker wants to download. The attack only works if the Pleroma instance does not have the AnonymizeFilename upload filter enabled, which is currently the default. Reported by: graf@poast.org
This commit is contained in:
parent
819fccb7d1
commit
2c79509453
3 changed files with 6 additions and 0 deletions
1
changelog.d/emoji-pack-sanitization.security
Normal file
1
changelog.d/emoji-pack-sanitization.security
Normal file
|
@ -0,0 +1 @@
|
||||||
|
Emoji pack loader sanitizes pack names
|
|
@ -285,6 +285,7 @@ defmodule Pleroma.Emoji.Pack do
|
||||||
|
|
||||||
@spec load_pack(String.t()) :: {:ok, t()} | {:error, :file.posix()}
|
@spec load_pack(String.t()) :: {:ok, t()} | {:error, :file.posix()}
|
||||||
def load_pack(name) do
|
def load_pack(name) do
|
||||||
|
name = Path.basename(name)
|
||||||
pack_file = Path.join([emoji_path(), name, "pack.json"])
|
pack_file = Path.join([emoji_path(), name, "pack.json"])
|
||||||
|
|
||||||
with {:ok, _} <- File.stat(pack_file),
|
with {:ok, _} <- File.stat(pack_file),
|
||||||
|
|
|
@ -90,4 +90,8 @@ defmodule Pleroma.Emoji.PackTest do
|
||||||
|
|
||||||
assert updated_pack.files_count == 1
|
assert updated_pack.files_count == 1
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "load_pack/1 ignores path traversal in a forged pack name", %{pack: pack} do
|
||||||
|
assert {:ok, ^pack} = Pack.load_pack("../../../../../dump_pack")
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in a new issue