aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

datasets: don't allow absolute or paths with directory traversal

Browse Source 
For dataset filenames coming from rules, do not allow filenames that
are absolute or contain a directory traversal with "..". This prevents
datasets from escaping the define data-directory which may allow a bad
rule to overwrite any file that Suricata has permission to write to.

Add a new configuration option,
"datasets.rules.allow-absolute-filenames" to allow absolute filenames
in dataset rules. This will be a way to revert back to the pre 6.0.13
behavior where save/state rules could use any filename.

Ticket: #6118
pull/9032/head
Jason Ish 2 years ago committed by Victor Julien
parent 4a97461f9a
commit fd79b337ca
4 changed files with 38 additions and 2 deletions
Show Stats Download Patch File Download Diff File

16
src/detect-dataset.c
Unescape Escape View File

@ -303,8 +303,20 @@ static int SetupSavePath(const DetectEngineCtx *de_ctx,
{ {
SCLogDebug("save %s", save); SCLogDebug("save %s", save);
if (PathIsAbsolute(save)) { int allow_absolute = 0;
return 0; (void)ConfGetBool("datasets.rules.allow-absolute-filenames", &allow_absolute);
if (allow_absolute) {
SCLogNotice("Allowing absolute filename for dataset rule: %s", save);
} else {
if (PathIsAbsolute(save)) {
SCLogError("Absolute paths not allowed: %s", save);
return -1;
}
if (SCPathContainsTraversal(save)) {
SCLogError("Directory traversals not allowed: %s", save);
return -1;
}
} }
// data dir // data dir

17
src/util-path.c
Unescape Escape View File

@ -246,3 +246,20 @@ const char *SCBasename(const char *path)
return final + 1; return final + 1;
} }
/**
* \brief Check for directory traversal
*
* \param path The path string to check for traversal
*
* \retval true if directory traversal is found, otherwise false
*/
bool SCPathContainsTraversal(const char *path)
{
#ifdef OS_WIN32
const char *pattern = "..\\";
#else
const char *pattern = "../";
#endif
return strstr(path, pattern) != NULL;
}

1
src/util-path.h
Unescape Escape View File

@ -41,5 +41,6 @@ bool SCIsRegularDirectory(const struct dirent *const dir_entry);
bool SCIsRegularFile(const struct dirent *const dir_entry); bool SCIsRegularFile(const struct dirent *const dir_entry);
char *SCRealPath(const char *path, char *resolved_path); char *SCRealPath(const char *path, char *resolved_path);
const char *SCBasename(const char *path); const char *SCBasename(const char *path);
bool SCPathContainsTraversal(const char *path);
#endif /* __UTIL_PATH_H__ */ #endif /* __UTIL_PATH_H__ */

6
suricata.yaml.in
Unescape Escape View File

@ -1158,6 +1158,12 @@ asn1-max-frames: 256
# defaults: # defaults:
# memcap: 100mb # memcap: 100mb
# hashsize: 2048 # hashsize: 2048
#
# rules:
# # Set to true to allow absolute filenames and filenames that use
# # ".." components to reference parent directories in rules that specify
# # their filenames.
# #allow-absolute-filenames: false
############################################################################## ##############################################################################
## ##

Write Preview
Loading…
Cancel
Save