diff --git a/bin/Global.py b/bin/Global.py
index 00207c63..b0419bea 100755
--- a/bin/Global.py
+++ b/bin/Global.py
@@ -45,8 +45,10 @@ if __name__ == '__main__':
 p = Process(config_section)
+ # get and sanityze PASTE DIRECTORY
 PASTES_FOLDER = os.path.join(os.environ['AIL_HOME'], p.config.get("Directories", "pastes"))
 PASTES_FOLDERS = PASTES_FOLDER + '/'
+ PASTES_FOLDERS = os.path.join(os.path.realpath(PASTES_FOLDERS), '')
 # LOGGING #
 publisher.info("Feed Script started to receive & publish.")
@@ -75,6 +77,10 @@ if __name__ == '__main__':
 time.sleep(1)
 continue
+ # remove PASTES_FOLDER from item path (crawled item + submited)
+ if PASTES_FOLDERS in paste:
+ paste = paste.replace(PASTES_FOLDERS, '', 1)
+
 file_name_paste = paste.split('/')[-1]
 if len(file_name_paste)>255:
 new_file_name_paste = '{}{}.gz'.format(file_name_paste[:215], str(uuid.uuid4()))
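Review bot: The realpath() added here canonicalizes only PASTES_FOLDERS, while PASTES_FOLDER — the value the commonprefix check in the second hunk compares the resolved filename against — is left exactly as built from AIL_HOME and the config entry. If either of those contains a symlink component, os.path.realpath(filename) resolves to a different prefix and every item is reported as a traversal and never written. Resolve the base once and derive both names from it: `PASTES_FOLDER = os.path.realpath(os.path.join(os.environ['AIL_HOME'], p.config.get("Directories", "pastes")))` followed by `PASTES_FOLDERS = os.path.join(PASTES_FOLDER, '')`. The enclosing `if __name__ == '__main__':` block starts and ends outside this hunk.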
@@ -82,33 +88,35 @@ if __name__ == '__main__':
 # Creating the full filepath
 filename = os.path.join(PASTES_FOLDER, paste)
+ filename = os.path.realpath(filename)
- dirname = os.path.dirname(filename)
- if not os.path.exists(dirname):
- os.makedirs(dirname)
+ # incorrect filename
+ if not os.path.commonprefix([filename, PASTES_FOLDER]) == PASTES_FOLDER:
+ print('Path traversal detected {}'.format(filename))
+ publisher.warning('Global; Path traversal detected')
+ else:
+ dirname = os.path.dirname(filename)
+ if not os.path.exists(dirname):
+ os.makedirs(dirname)
- decoded = base64.standard_b64decode(gzip64encoded)
+ decoded = base64.standard_b64decode(gzip64encoded)
- with open(filename, 'wb') as f:
- f.write(decoded)
- '''try:
- decoded2 = gunzip_bytes_obj(decoded)
- except:
- decoded2 =''
+ with open(filename, 'wb') as f:
+ f.write(decoded)
+ '''try:
+ decoded2 = gunzip_bytes_obj(decoded)
+ except:
+ decoded2 =''
- type = magic.from_buffer(decoded2, mime=True)
+ type = magic.from_buffer(decoded2, mime=True)
- if type!= 'text/x-c++' and type!= 'text/html' and type!= 'text/x-c' and type!= 'text/x-python' and type!= 'text/x-php' and type!= 'application/xml' and type!= 'text/x-shellscript' and type!= 'text/plain' and type!= 'text/x-diff' and type!= 'text/x-ruby':
+ if type!= 'text/x-c++' and type!= 'text/html' and type!= 'text/x-c' and type!= 'text/x-python' and type!= 'text/x-php' and type!= 'application/xml' and type!= 'text/x-shellscript' and type!= 'text/plain' and type!= 'text/x-diff' and type!= 'text/x-ruby':
- print('-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------')
- print(filename)
- print(type)
- print('-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------')
- '''
+ print('-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------')
+ print(filename)
+ print(type)
+ print('-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------')
+ '''
- # remove PASTES_FOLDER from item path (crawled item + submited)
- if PASTES_FOLDERS in paste:
- paste = paste.replace(PASTES_FOLDERS, '', 1)
-
- p.populate_set_out(paste)
- processed_paste+=1
+ p.populate_set_out(paste)
+ processed_paste+=1
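Review bot: `os.path.commonprefix` compares character by character rather than by path component, so the new check still accepts a sibling directory whose name merely begins with the pastes directory name (a base of `.../PASTES` also admits a resolved `.../PASTES_other/x`). Comparing the resolved path against the trailing-slash, realpath-resolved form built in the first hunk closes that gap and also removes the mismatch with the unresolved PASTES_FOLDER: `if not filename.startswith(PASTES_FOLDERS):`. Separately, the final `p.populate_set_out(paste)` and `processed_paste+=1` appear to remain at the loop's indentation rather than under the new `else:`, which would publish a rejected item downstream even though no file was written; moving them into the `else:` branch, or adding `continue` after the `publisher.warning(...)` call, keeps rejected items out of the pipeline — the collapsed hunk does not preserve indentation, so confirm against the file. The enclosing loop and the `if __name__ == '__main__':` block both start outside this hunk.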