Question about possible code exploit #9
Comments
Interesting.. For use in WhereDIV (just rendering our own templates), if that is in the file then I put it there so I'm not too worried about it in that context. In principle, if you were to accept a user-uploaded api blueprint file and then render that, then there is a potential directory traversal vulnerability there.
Yep - sounds like a good plan..
It isn't - as noted in the readme, the include directive isn't part of the API blueprint spec (hence I'm implementing it myself here)
Thinking about this in slightly more detail, it is probably sensible to make processing includes a configurable option and document that it should be off if accepting unsanitised user input. Even if you limit the paths as you've suggested, there's still potential for bad stuff to happen (e.g. including your django settings files). I don't think there's a safe way to do it.. You could whitelist paths or extensions but it probably makes sense to just enable processing include directives if you trust your input and disable it if you don't..
Maybe you could piggyback on Django's But yes, I agree that it's a good idea to have an option to disable it. Also, noted that this is content from known contributors in most cases, but it's generally good for the software to think about human error as well as humans…
Fixed in version 1.1.0
From the README:
And the line in the code that parses includes looks like this:
What if the value of `match` there is `../../../etc/passwd`? Is there some sort of sanity check that makes sure this code can't be made to include arbitrary files on the file system?

It might be best to use Django's `safe_join` and raise a `SuspiciousOperation` exception if the absolute path of the included file is outside of the django project's directory.

This might be built in to `drafter`, but it's not obvious that a) it is and b) it can be trusted to be there forever.