grim/hgkeeper
Clone
Summary
Browse
Changes
Graph
Normalize paths before passing them to the authorization checker
17 months ago, Gary Kramlich
e33f7739ab49
Normalize paths before passing them to the authorization checker
This bug allowed attackers to bypass deny rules by adding a trailing / to the
repository which depending on the policy could grant them access to said
repository.
package
hgweb
import
(
"embed"
"io/ioutil"
"net/http"
"net/http/cgi"
"os"
"path/filepath"
"text/template"
"keep.imfreedom.org/grim/hgkeeper/access"
)
type
HGWeb
struct
{
configPath
string
cgiPath
string
}
//go:embed files/*
var
files
embed
.
FS
func
New
()
*
HGWeb
{
return
&
HGWeb
{}
}
func
(
hgw
*
HGWeb
)
createConfig
()
error
{
configPath
,
err
:=
ioutil
.
TempFile
(
""
,
"hgkeeper-hgweb-*.config"
)
if
err
!=
nil
{
return
err
}
defer
configPath
.
Close
()
contents
,
err
:=
files
.
ReadFile
(
"files/hgweb.config"
)
if
err
!=
nil
{
return
err
}
t
:=
template
.
Must
(
template
.
New
(
"hgweb-config"
).
Parse
(
string
(
contents
)))
data
:=
map
[
string
]
string
{
"HGWEB_ACCESS_CONFIG"
:
access
.
HgwebConfigPath
(),
"SITE_HGRC"
:
filepath
.
Join
(
access
.
AdminRepoPath
(),
"site.hgrc"
),
"GLOBAL_HGRC"
:
filepath
.
Join
(
access
.
AdminRepoPath
(),
"config/hgrc"
),
}
if
err
:=
t
.
Execute
(
configPath
,
data
);
err
!=
nil
{
return
err
}
hgw
.
configPath
=
configPath
.
Name
()
return
nil
}
func
(
hgw
*
HGWeb
)
createCGI
()
error
{
cgiPath
,
err
:=
ioutil
.
TempFile
(
""
,
"hgkeeper-hgweb-*.cgi"
)
if
err
!=
nil
{
return
err
}
defer
cgiPath
.
Close
()
// make the cgi file executable
if
err
:=
cgiPath
.
Chmod
(
0755
);
err
!=
nil
{
return
err
}
// create a template based for the cgi file
contents
,
err
:=
files
.
ReadFile
(
"files/hgweb.cgi"
)
if
err
!=
nil
{
return
err
}
t
:=
template
.
Must
(
template
.
New
(
"cgi"
).
Parse
(
string
(
contents
)))
// create our data
data
:=
map
[
string
]
string
{
"HGWEB_CONFIG"
:
hgw
.
configPath
,
}
if
err
:=
t
.
Execute
(
cgiPath
,
data
);
err
!=
nil
{
return
err
}
hgw
.
cgiPath
=
cgiPath
.
Name
()
return
nil
}
func
(
hgw
*
HGWeb
)
Handler
()
(
http
.
Handler
,
error
)
{
if
err
:=
hgw
.
createConfig
();
err
!=
nil
{
return
nil
,
err
}
if
err
:=
hgw
.
createCGI
();
err
!=
nil
{
return
nil
,
err
}
return
&
cgi
.
Handler
{
Path
:
hgw
.
cgiPath
},
nil
}
func
(
hgw
*
HGWeb
)
Close
()
error
{
if
err
:=
os
.
Remove
(
hgw
.
cgiPath
);
err
!=
nil
{
return
err
}
return
nil
}