Bug #23606

closed

Creating files with the file explorer fails when using invalid character

Added by Nicolas CHARLES about 1 year ago. Updated about 1 year ago.

Status:
Released
Priority:
N/A
Category:
Web - Config management
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:
No

Description

I tried to create a file named

<script>alert("true");</script>

with the file explorer in the directive page, saved it, and nothing seemed to have happened.
Webapp log says:
2023-10-18 18:59:37+0000 ERROR com.normation.rudder.rest.internal.SharedFilesAPI - An error occurred while looking into directory <- An error occurred. Cause was: NoSuchFileException: /var/rudder/configuration-repository/shared-files/<script>alert("true");</script>


Files

clipboard-202310191655-mgnm5.png (15 KB) - Alexis Mousset, 2023-10-19 16:55
Actions #1

Updated by Alexis Mousset about 1 year ago

There is no security impact. The FS refuses to create the file as its name contains a slash, which is the expected behavior.

The problem lies in error handling. It returns a 500 error with no indication to the user. We should add a failure notification in the interface.

Actions #2

Updated by Alexis Mousset about 1 year ago

The 500 answer contains the error message, so it is a pure UI problem.

Actions #3

Updated by Vincent MEMBRÉ about 1 year ago

  • Target version changed from 8.0.1 to 8.0.2
Actions #4

Updated by François ARMAND about 1 year ago

  • Assignee set to Clark ANDRIANASOLO
Actions #5

Updated by Clark ANDRIANASOLO about 1 year ago

  • Status changed from New to In progress
Actions #6

Updated by Clark ANDRIANASOLO about 1 year ago · Edited

We should also prevent the user from doing such an operation by disallowing an empty filename or any invalid character in the filename: '/' and '\0' (https://stackoverflow.com/a/1311070).

A notification should also be added in case of a server error...
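
Added example (not Rudder's code, editor's illustration): a client-side check implementing the rule proposed in the comment above, rejecting an empty name and any name containing '/' or NUL, run over the names reported in this ticket. It goes one step beyond the comment by also rejecting '.' and '..', which cannot name a new file either; the function and message strings are assumptions.

```javascript
// Added example, not part of the Rudder project. Validates a proposed file
// name as a single path component before it is sent to the server.
// A '/' in the name makes the server treat it as a path: the name
// '<script>alert("true");</script>' yields a directory '<script>alert("true");<'
// that does not exist, hence the NoSuchFileException in the ticket's log.
// Returns null when the name is acceptable, otherwise a message for a UI
// notification (message wording is this example's own choice).
function validateFileName(name) {
  if (typeof name !== "string" || name.length === 0) {
    return "File name must not be empty";
  }
  if (name.includes("/")) {
    return "File name must not contain '/'";
  }
  if (name.includes("\0")) {
    return "File name must not contain a NUL character";
  }
  // Beyond the ticket's rule: these are reserved directory entries, not usable
  // as a new file name.
  if (name === "." || name === "..") {
    return "File name must not be '.' or '..'";
  }
  return null;
}

// Constructed sample inputs: the three names tried in this ticket, plus an
// empty name, a name with a NUL byte, and one valid name.
const samples = [
  '<script>alert("true");</script>',
  "test/coucou.txt",
  "testcouct''\"a(\"é(/&",
  "",
  "file\0name.txt",
  "coucou.txt",
];

// Runs the validator over a list of names and pairs each with its verdict.
function checkSamples(names) {
  return names.map((n) => ({ name: n, error: validateFileName(n) }));
}

for (const { name, error } of checkSamples(samples)) {
  console.log(JSON.stringify(name), "=>", error === null ? "ok" : error);
}
```

Note that the quotes, parentheses and accented character in the third sample are accepted; only the slash is rejected, matching the observation in #1 that the filesystem, not the odd characters, is what refuses the name.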

Actions #7

Updated by Clark ANDRIANASOLO about 1 year ago · Edited

I got

2023-11-02 15:20:26+0100 ERROR com.normation.rudder.rest.internal.SharedFilesAPI - An error occurred while looking into directory <- An error occurred. Cause was: NoSuchFileException: /var/rudder/configuration-repository/workspace/.../resources/test.txt -> /var/rudder/configuration-repository/workspace/.../resources/test/coucou.txt
2023-11-02 15:25:16+0100 ERROR com.normation.rudder.rest.internal.SharedFilesAPI - An error occurred while looking into directory <- An error occurred. Cause was: NoSuchFileException: /var/rudder/configuration-repository/workspace/.../resources/testcouct.txt -> /var/rudder/configuration-repository/workspace/.../resources/testcouct''"a("é(/&
2023-11-02 15:26:16+0100 ERROR com.normation.rudder.rest.internal.SharedFilesAPI - An error occurred while looking into directory <- An error occurred. Cause was: FileAlreadyExistsException: /var/rudder/configuration-repository/workspace/.../resources

by trying those cases

Actions #8

Updated by Clark ANDRIANASOLO about 1 year ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Clark ANDRIANASOLO to François ARMAND
  • Pull Request set to https://github.com/Normation/rudder/pull/5156
Actions #9

Updated by Vincent MEMBRÉ about 1 year ago

  • Target version changed from 8.0.2 to 8.0.3
Actions #10

Updated by Vincent MEMBRÉ about 1 year ago

  • Target version changed from 8.0.3 to 8.0.4
Actions #11

Updated by Clark ANDRIANASOLO about 1 year ago

  • Status changed from Pending technical review to Pending release
Actions #12

Updated by Alexis Mousset about 1 year ago

  • Fix check changed from To do to Checked
Actions #13

Updated by Vincent MEMBRÉ about 1 year ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 8.0.4 which was released today.
