Bug #23606
closed
Creating files with the file explorer fails when using invalid character
Added by Nicolas CHARLES 9 months ago.
Updated 8 months ago.
Category:
Web - Config management
Description
I tried to create a file named
<script>alert("true");</script> with the file explorer in directive page, saved it, and nothing seemed to have happened
Webapp log say
2023-10-18 18:59:37+0000 ERROR com.normation.rudder.rest.internal.SharedFilesAPI - An error occurred while looking into directory <- An error occurred. Cause was: NoSuchFileException: /var/rudder/configuration-repository/shared-files/<script>alert("true");</script>
Files
There is no security impact. The FS refuses to create the file as its name contains a slash wich is the expected behavior.
The problem lies in error handling. It returns a 500 error with no indication to the user. We should add a failure notification in the interface.
The 500 answer contains the error message so it is a pure UI problem
- Target version changed from 8.0.1 to 8.0.2
- Assignee set to Clark ANDRIANASOLO
- Status changed from New to In progress
We should also prevent the user from doing such operation by disallowing an empty filename or any invalid character in the filename : '/' and '\0' (https://stackoverflow.com/a/1311070).
A notification should also be added in case of a server error...
I got
2023-11-02 15:20:26+0100 ERROR com.normation.rudder.rest.internal.SharedFilesAPI - An error occurred while looking into directory <- An error occurred. Cause was: NoSuchFileException: /var/rudder/configuration-repository/workspace/.../resources/test.txt -> /var/rudder/configuration-repository/workspace/.../resources/test/coucou.txt
2023-11-02 15:25:16+0100 ERROR com.normation.rudder.rest.internal.SharedFilesAPI - An error occurred while looking into directory <- An error occurred. Cause was: NoSuchFileException: /var/rudder/configuration-repository/workspace/.../resources/testcouct.txt -> /var/rudder/configuration-repository/workspace/.../resources/testcouct''"a("é(/&
2023-11-02 15:26:16+0100 ERROR com.normation.rudder.rest.internal.SharedFilesAPI - An error occurred while looking into directory <- An error occurred. Cause was: FileAlreadyExistsException: /var/rudder/configuration-repository/workspace/.../resources
by trying those cases
- Status changed from In progress to Pending technical review
- Assignee changed from Clark ANDRIANASOLO to François ARMAND
- Pull Request set to https://github.com/Normation/rudder/pull/5156
- Target version changed from 8.0.2 to 8.0.3
- Target version changed from 8.0.3 to 8.0.4
- Status changed from Pending technical review to Pending release
- Fix check changed from To do to Checked
- Status changed from Pending release to Released
This bug has been fixed in Rudder 8.0.4 which was released today.
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by