Commit 26aac5ab authored by BAIRE Anthony

prevent potential option injections in job input files

A malicious user may submit an input file starting with '-'.
A loosely-implemented webapp entrypoint could misinterpret
it as a command-line option and let the user inject arbitrary
options to the commands executed inside the job.

To prevent this, the leading '-' in input filenames is silently
changed into '_'.
parent f22bcdc9
Pipeline #139261 failed with stages
in 1 second
......@@ -94,17 +94,21 @@ def upload_data(uploaded_files, job):
for file_data in uploaded_files:
filename = file_data.name
# sanitise the filename to prevent directory escape
# sanitise the filename to prevent directory escape and options injection
#
# The filename is provided by the user submitting the job, it cannot be
# tructed. Dangerous characters are replaced with "_" so as to
# guarantee that we do not write anything outside the job dir.
# trusted. Dangerous characters are replaced with "_" so as to
# guarantee that the user won't:
# - read/write anything outside the job dir
# - inject options (starting with '-') in a command
#
# This is a security feature, do not remove it.
#
if filename in (".", ".."):
filename = filename.replace(".", "_")
filename = filename.replace("/", "_")
if filename.startswith("-"):
filename = "_" + filename[1:]
filepath = os.path.join(job_dir, filename)
with open(filepath, 'wb+') as destination:
......
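Review bot: In the new `if filename.startswith("-")` branch, rewriting the name to `"_" + filename[1:]` can make two uploads in the same `uploaded_files` loop resolve to the same `filepath` (for example `-in.txt` and `_in.txt`), and because the file is opened with `'wb+'` the later one truncates the earlier one without any error. The existing `/` replacement has the same property. Consider rejecting such names, or checking whether `filepath` was already written in this loop before opening it, and logging the rename so the job owner can see why the name inside the job differs from the one submitted. The comment could also state that this is a second line of defence: a webapp entrypoint should still pass input files after `--` or as `./name` rather than rely only on this substitution.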