From 094b211259e05b7552a8b0c4945ed67d51ad369c Mon Sep 17 00:00:00 2001
From: Terrtia
Date: Mon, 17 Sep 2018 15:42:22 +0200
Subject: [PATCH] fix: [showpaste] path transversal

---
 var/www/modules/Flask_config.py | 2 ++
 var/www/modules/showpaste/Flask_showpaste.py | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/var/www/modules/Flask_config.py b/var/www/modules/Flask_config.py
index 256ea3a8..2b32f5ab 100644
--- a/var/www/modules/Flask_config.py
+++ b/var/www/modules/Flask_config.py
@@ -144,6 +144,8 @@ bootstrap_label = ['primary', 'success', 'danger', 'warning', 'info']
 
 UPLOAD_FOLDER = os.path.join(os.environ['AIL_FLASK'], 'submitted')
 
+PASTES_FOLDER = os.path.join(os.environ['AIL_HOME'], cfg.get("Directories", "pastes"))
+
 max_dashboard_logs = int(cfg.get("Flask", "max_dashboard_logs"))
 
 # VT
diff --git a/var/www/modules/showpaste/Flask_showpaste.py b/var/www/modules/showpaste/Flask_showpaste.py
index 25e60279..09ff8ba7 100644
--- a/var/www/modules/showpaste/Flask_showpaste.py
+++ b/var/www/modules/showpaste/Flask_showpaste.py
@@ -31,12 +31,19 @@ bootstrap_label = Flask_config.bootstrap_label
 misp_event_url = Flask_config.misp_event_url
 hive_case_url = Flask_config.hive_case_url
 vt_enabled = Flask_config.vt_enabled
+PASTES_FOLDER = Flask_config.PASTES_FOLDER
 
 showsavedpastes = Blueprint('showsavedpastes', __name__, template_folder='templates')
 
 # ============ FUNCTIONS ============
 
 def showpaste(content_range, requested_path):
+    if PASTES_FOLDER not in requested_path:
+        requested_path = os.path.join(PASTES_FOLDER, requested_path)
+    # escape directory transversal
+    if os.path.commonprefix((os.path.realpath(requested_path),PASTES_FOLDER)) != PASTES_FOLDER:
+        return 'path transversal detected'
+
     vt_enabled = Flask_config.vt_enabled
     paste = Paste.Paste(requested_path)
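Review bot: `PASTES_FOLDER` is stored exactly as configured, but Flask_showpaste.py compares it against an `os.path.realpath()` result, so any difference between the two spellings (a trailing slash or `..` segment in the config value, or a pastes directory that is itself a symlink) makes that comparison unreliable for every request. The root should be canonicalised once, where it is defined: `PASTES_FOLDER = os.path.realpath(os.path.join(os.environ['AIL_HOME'], cfg.get("Directories", "pastes")))`. A short comment, `# canonical path; showpaste() compares resolved request paths against it`, would record why the realpath() matters here.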
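Review bot: `os.path.commonprefix` compares strings character by character, not path components, so the new check in `showpaste` accepts any resolved path that merely begins with the `PASTES_FOLDER` string (a sibling directory whose name extends it would pass), and it rejects every legitimate paste when the configured pastes directory is reached through a symlink, because the request is resolved with realpath() but the root is not. The resolved path is also discarded: `Paste.Paste(requested_path)` on the last visible line still receives the unresolved string, so the path that was checked is not the path that is opened. I would anchor the comparison on the resolved root plus a trailing separator and reuse the resolved request path downstream, as below; the comment could also read `# reject directory traversal` (the hunk spells it "transversal"). The body of `showpaste` continues past the end of the hunk, and the earlier `PASTES_FOLDER not in requested_path` substring test deserves the same component-wise treatment.
```python
def showpaste(content_range, requested_path):
    if PASTES_FOLDER not in requested_path:
        requested_path = os.path.join(PASTES_FOLDER, requested_path)
    # reject directory traversal: compare resolved paths on a component
    # boundary, so a sibling directory whose name extends the root is excluded
    pastes_root = os.path.join(os.path.realpath(PASTES_FOLDER), '')
    requested_path = os.path.realpath(requested_path)
    if not requested_path.startswith(pastes_root):
        return 'path transversal detected'

    # … unchanged: vt_enabled / Paste.Paste(requested_path) …
```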