Commit 26aac5ab authored by BAIRE Anthony

prevent potential option injections in job input files

A malicious user may submit an input file starting with '-'.
A loosely-implemented webapp entrypoint could misinterpret
it as a command-line option and let the user inject arbitrary
options to the commands executed inside the job.

To prevent this, the leading '-' in input filenames is silently
changed into '_'.
parent f22bcdc9
Pipeline #139261 failed with stages
in 1 second
...@@ -94,17 +94,21 @@ def upload_data(uploaded_files, job): ...@@ -94,17 +94,21 @@ def upload_data(uploaded_files, job):
for file_data in uploaded_files: for file_data in uploaded_files:
filename = file_data.name filename = file_data.name
# sanitise the filename to prevent directory escape # sanitise the filename to prevent directory escape and options injection
# #
# The filename is provided by the user submitting the job, it cannot be # The filename is provided by the user submitting the job, it cannot be
# tructed. Dangerous characters are replaced with "_" so as to # trusted. Dangerous characters are replaced with "_" so as to
# guarantee that we do not write anything outside the job dir. # guarantee that the user won't:
# - read/write anything outside the job dir
# - inject options (starting with '-') in a command
# #
# This is a security feature, do not remove it. # This is a security feature, do not remove it.
# #
if filename in (".", ".."): if filename in (".", ".."):
filename = filename.replace(".", "_") filename = filename.replace(".", "_")
filename = filename.replace("/", "_") filename = filename.replace("/", "_")
if filename.startswith("-"):
filename = "_" + filename[1:]
filepath = os.path.join(job_dir, filename) filepath = os.path.join(job_dir, filename)
with open(filepath, 'wb+') as destination: with open(filepath, 'wb+') as destination:
......
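Review bot: In the added `if filename.startswith("-"):` branch, rewriting the first character to `_` maps two distinct uploads (for example `-in.txt` and `_in.txt`) onto the same `filepath`, and since the file is then opened with `'wb+'` the later upload silently truncates the earlier one. The existing `/` replacement has the same property. Consider rejecting such names with an error, or checking whether `filepath` was already written in this batch, instead of renaming silently, so the submitter knows the job will see a different name from the one they sent. It would also help if the comment stated that commands run inside the job should still place filenames after `--`, because this check only covers names that pass through `upload_data`.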