Unsafe directory traversal

[jhlywa]

The maybe_file/3 function doesn't sanitize input which allows unsafe directory traversal. I've added a failing unsafe_traversal test which demonstrates this by reading /etc/passwd. I'll follow up shortly with a fix.

BTW - I think elli is awesome!

[coveralls]

Coverage increased (+2.1%) to 86.486% when pulling ed51c07 on jhlywa:develop into af44305 on elli-lib:develop.

[jhlywa]

I'll backport safe_relative_path to provide 18.x - 19.12 compatibility.

[yurrriq]

Thanks for this! I look forward to the backport of filename:safe_relative_path/1.

Further PRs are most welcome too! As it stands, elli_static is not quite ready for wide adoption.

[yurrriq]

I don't think I've seen this sort of ifdef before, but it appears to work as desired.

[jhlywa]

My preference would be to defer to filename:safe_relative_path/1 if available. However, checking this at runtime (via module_info(exports)) caused lots of coverall coverage complaints.

Xref and dialyzer are run under the test profile, so in-module eunit tests ended up failing xref right out of the gate (elli_static:safe_relative_path_test/0 is unused export). Doh!

I didn't want to introduce a new module, but I suppose I could create something like elli_static_utils, place safe_relative_path/1 in there, and test independently of the OTP version. The utils module would be a cleaner approach IMO.

[yurrriq]

👍 to a utils module, if you're up for it.

[yurrriq]

Good call.

[yurrriq]

Thoughts, @elli-lib/team?

[deadtrickster]

hi, since we are there let's learn from

https://www.owasp.org/index.php/Path_Traversal
https://www.owasp.org/index.php/File_System#Path_traversal
https://www.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)

I would suggest reusing their examples as test cases and maybe even throw proper

[jhlywa]

I'm under the assumption that we should we be calling the filename version of safe_relative_path if available (e.g. if they patch/upgrade the OTP version, we'd get the changes for "free"). This sounds like a good idea, until you run xref with older OTP versions which complains about filename:safe_relative_path being an undefined function: https://travis-ci.org/elli-lib/elli_static/jobs/441451130#L473

I'm not sure there's any way to silence xref without either:

• a). using the OTP_RELEASE macro, or
• b). always using the backported version of safe_relative_path/1

Thoughts?

[yurrriq]

The common approach, I think, is to use Rebar3's platform_define and ifdef, e.g.

• https://github.com/elli-lib/elli/blob/3.1.0/rebar.config#L2
• https://github.com/elli-lib/elli/blob/3.1.0/src/elli_request.erl#L277-L299

[yurrriq]

LGTM. What do you think, @deadtrickster?

[jhlywa]

I probably need to add additional test cases per @deadtrickster's suggestions.

[yurrriq]

That would be great. I'd also be amenable to pulling that out to a new issue, I think.