Build: Fix an XSS in the test server HTML serving logic#2309
Conversation
fba692e to
84164d6
Compare
84164d6 to
0eca8b8
Compare
timmywil
left a comment
There was a problem hiding this comment.
Doesn't fix it. The issue is using a user-provided value in the argument to readfile without limiting the reads to a certain location.
|
@timmywil this limits it to the |
|
I meant that it doesn't fix the codeql check, which is all we really care about here as there isn't a real vulnerability since the test server is not hosted. Why not refactor this in a way that passes codeql so we don't have to dismiss the alert? |
No, I care about it precisely because it might be a real vulnerability. I've dismissed a number of purely test/demo reports that we don't need to care about. But here we have a dev server running on a local network; any device on that network can access its resources this way. TBH, I don't know how to exploit it considering that the matcher already excludes But OK, I can try to do it the way CodeQL is happy. |
0eca8b8 to
5000491
Compare
|
Updating the regex in the matcher seems to make CodeQL happy. It now complains about a lack of rate limiter for file system access, but caring about potential DoS on a local test server would probably be too much, so I'd leave it as-is. |
The test server has a rule for `/tests/unit/*/*.html` paths that serves a proper local file. However, the parameters after `/unit/` were so far not escaped, leading to possibly reading a file from outside of the Git repository. Fix that by replacing non-alphanumeric characters that are also not `-` or `_`. This should resolve one CodeQL alert.
5000491 to
78947f1
Compare
timmywil
left a comment
There was a problem hiding this comment.
Interesting. How could it know it's not rate limited when that's often handled by a front door? Seems strange it's an error and not a warning. Anyway, thanks for humoring me. My OCD was kicking in and I didn't want us to address an error and then have to dismiss it anyway.
Whether we call this a "real" vulnerability I think is still debatable since this isn't production code, but I was certainly not opposed to addressing it.
The test server has a rule for
/tests/unit/*/*.htmlpaths that serves a proper local file. However, the parameters after/unit/were so far not escaped, leading to possibly reading a file from outside of the Git repository. Fix that by replacing non-alphanumeric characters that are also not-or_.This should resolve one CodeQL alert.