HTTP: Ensure url path expansion only works inside of plugins

spinscale · spinscale · commit 55b890f9bb83 · 2015-04-27T08:27:23.000+02:00
This prevents reading of files that are not part of the plugin
directory by specifically crafted paths.
diff --git a/src/main/java/org/elasticsearch/http/HttpServer.java b/src/main/java/org/elasticsearch/http/HttpServer.java
@@ -174,10 +174,11 @@ void handlePluginSite(HttpRequest request, HttpChannel channel) {
         // this is a plugin provided site, serve it as static files from the plugin location
         File siteFile = new File(new File(environment.pluginsFile(), pluginName), "_site");
         File file = new File(siteFile, sitePath);
-        if (!file.exists() || file.isHidden()) {
+        if (!file.exists() || file.isHidden() || !file.getAbsoluteFile().toPath().normalize().startsWith(siteFile.getAbsoluteFile().toPath())) {
             channel.sendResponse(new BytesRestResponse(NOT_FOUND));
             return;
         }
+
         if (!file.isFile()) {
             // If it's not a dir, we send a 403
             if (!file.isDirectory()) {
@@ -191,10 +192,7 @@ void handlePluginSite(HttpRequest request, HttpChannel channel) {
                 return;
             }
         }
-        if (!file.getAbsolutePath().startsWith(siteFile.getAbsolutePath())) {
-            channel.sendResponse(new BytesRestResponse(FORBIDDEN));
-            return;
-        }
+
         try {
             byte[] data = Streams.copyToByteArray(file);
             channel.sendResponse(new BytesRestResponse(OK, guessMimeType(sitePath), data));
diff --git a/src/test/java/org/elasticsearch/plugins/SitePluginTests.java b/src/test/java/org/elasticsearch/plugins/SitePluginTests.java
@@ -32,6 +32,9 @@
 
 import java.io.File;
 import java.net.URISyntaxException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Locale;
 
 import static org.elasticsearch.common.settings.ImmutableSettings.settingsBuilder;
 import static org.elasticsearch.test.ElasticsearchIntegrationTest.Scope;
@@ -88,6 +91,34 @@ public void testAnyPage() throws Exception {
         assertThat(response.getBody(), containsString("<title>Dummy Site Plugin</title>"));
     }
 
+    /**
+     * Test normalizing of path
+     */
+    @Test
+    public void testThatPathsAreNormalized() throws Exception {
+        // more info: https://www.owasp.org/index.php/Path_Traversal
+        List<String> notFoundUris = new ArrayList<>();
+        notFoundUris.add("/_plugin/dummy/../../../../../log4j.properties");
+        notFoundUris.add("/_plugin/dummy/../../../../../%00log4j.properties");
+        notFoundUris.add("/_plugin/dummy/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%aflog4j.properties");
+        notFoundUris.add("/_plugin/dummy/%2E%2E/%2E%2E/%2E%2E/%2E%2E/index.html");
+        notFoundUris.add("/_plugin/dummy/%2e%2e/%2e%2e/%2e%2e/%2e%2e/index.html");
+        notFoundUris.add("/_plugin/dummy/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2findex.html");
+        notFoundUris.add("/_plugin/dummy/%2E%2E/%2E%2E/%2E%2E/%2E%2E/index.html");
+        notFoundUris.add("/_plugin/dummy/..\\..\\..\\..\\..\\log4j.properties");
+
+        for (String uri : notFoundUris) {
+            HttpResponse response = httpClient().path(uri).execute();
+            String message = String.format(Locale.ROOT, "URI [%s] expected to be not found", uri);
+            assertThat(message, response.getStatusCode(), equalTo(RestStatus.NOT_FOUND.getStatus()));
+        }
+
+        // using relative path inside of the plugin should work
+        HttpResponse response = httpClient().path("/_plugin/dummy/dir1/../dir1/../index.html").execute();
+        assertThat(response.getStatusCode(), equalTo(RestStatus.OK.getStatus()));
+        assertThat(response.getBody(), containsString("<title>Dummy Site Plugin</title>"));
+    }
+
     /**
      * Test case for #4845: https://github.com/elasticsearch/elasticsearch/issues/4845
      * Serving _site plugins do not pick up on index.html for sub directories
diff --git a/src/test/resources/org/elasticsearch/plugins/dummy/_site/dir1/.empty b/src/test/resources/org/elasticsearch/plugins/dummy/_site/dir1/.empty
