Bug #23606
closed
Creating files with the file explorer fails when using invalid character
Description
I tried to create a file named
<script>alert("true");</script> with the file explorer in directive page, saved it, and nothing seemed to have happenedWebapp log say
2023-10-18 18:59:37+0000 ERROR com.normation.rudder.rest.internal.SharedFilesAPI - An error occurred while looking into directory <- An error occurred. Cause was: NoSuchFileException: /var/rudder/configuration-repository/shared-files/<script>alert("true");</script>
Files
Updated by Alexis Mousset about 1 year ago
There is no security impact. The FS refuses to create the file as its name contains a slash wich is the expected behavior.
The problem lies in error handling. It returns a 500 error with no indication to the user. We should add a failure notification in the interface.
Updated by Alexis Mousset about 1 year ago
The 500 answer contains the error message so it is a pure UI problem
Updated by Vincent MEMBRÉ about 1 year ago
- Target version changed from 8.0.1 to 8.0.2
Updated by
Updated by Clark ANDRIANASOLO about 1 year ago
- Status changed from New to In progress
Updated by Clark ANDRIANASOLO about 1 year ago
· Edited
We should also prevent the user from doing such operation by disallowing an empty filename or any invalid character in the filename : '/' and '\0' (https://stackoverflow.com/a/1311070).
A notification should also be added in case of a server error...
Updated by Clark ANDRIANASOLO about 1 year ago
· Edited
I got
2023-11-02 15:20:26+0100 ERROR com.normation.rudder.rest.internal.SharedFilesAPI - An error occurred while looking into directory <- An error occurred. Cause was: NoSuchFileException: /var/rudder/configuration-repository/workspace/.../resources/test.txt -> /var/rudder/configuration-repository/workspace/.../resources/test/coucou.txt
2023-11-02 15:25:16+0100 ERROR com.normation.rudder.rest.internal.SharedFilesAPI - An error occurred while looking into directory <- An error occurred. Cause was: NoSuchFileException: /var/rudder/configuration-repository/workspace/.../resources/testcouct.txt -> /var/rudder/configuration-repository/workspace/.../resources/testcouct''"a("é(/&
2023-11-02 15:26:16+0100 ERROR com.normation.rudder.rest.internal.SharedFilesAPI - An error occurred while looking into directory <- An error occurred. Cause was: FileAlreadyExistsException: /var/rudder/configuration-repository/workspace/.../resources
by trying those cases
Updated by Clark ANDRIANASOLO about 1 year ago
- Status changed from In progress to Pending technical review
- Assignee changed from Clark ANDRIANASOLO to François ARMAND
- Pull Request set to https://github.com/Normation/rudder/pull/5156
Updated by Vincent MEMBRÉ about 1 year ago
- Target version changed from 8.0.2 to 8.0.3
Updated by Vincent MEMBRÉ about 1 year ago
- Target version changed from 8.0.3 to 8.0.4
Updated by Clark ANDRIANASOLO about 1 year ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|885009676abaecabb1a69d8f883fb231ee0fc1f2.
Updated by Alexis Mousset 12 months ago
- Fix check changed from To do to Checked
Updated by Vincent MEMBRÉ 11 months ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 8.0.4 which was released today.