From b6654b894f3994047f1e10473890c242b2db58db Mon Sep 17 00:00:00 2001 From: David Anderson Date: Mon, 25 Nov 2024 14:49:36 -0800 Subject: [PATCH] web (BUDA) - validate URL args that are used as filenames; prevent ../ stuff. Do this by checking for '/'; is that sufficient? - add 'delete app' function - remove binary test file --- html/inc/util_basic.inc | 15 +++-- html/user/buda.php | 58 ++++++++++++++++-- .../test_buda/worker_3_x86_64-pc-linux-gnu | Bin 18536 -> 0 bytes 3 files changed, 60 insertions(+), 13 deletions(-) delete mode 100644 samples/docker_wrapper/test_buda/worker_3_x86_64-pc-linux-gnu diff --git a/html/inc/util_basic.inc b/html/inc/util_basic.inc index 39e5fe3ec4..8785c24b11 100644 --- a/html/inc/util_basic.inc +++ b/html/inc/util_basic.inc @@ -56,14 +56,6 @@ function sched_stopped() { return file_exists("$d/stop_sched"); } -function show_page($x, $y) { - echo " - $x -

$x

- $y - "; -} - function xml_error($num=-1, $msg=null, $file=null, $line=null) { global $xml_outer_tag; if (!$msg) { @@ -205,4 +197,11 @@ function dtime() { return microtime(true); } +// is $x a valid file (or dir) name? +// +function is_valid_filename($x) { + if (strstr($x, '/')) return false; + return true; +} + ?> diff --git a/html/user/buda.php b/html/user/buda.php index b3066bd0c9..7a8048844c 100644 --- a/html/user/buda.php +++ b/html/user/buda.php @@ -71,7 +71,6 @@ function app_list($notice=null) { function show_app($dir) { global $buda_root; - $indent = "        "; echo "
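Review bot: is_valid_filename rejects only a slash, so the single component `..` still passes and `"$buda_root/$app"` in the buda.php callers then resolves to the parent of $buda_root; the commit message asks whether the '/' check is sufficient, and it is not. An empty string also passes, which matters for the entries that `explode(' ', ...)` yields from doubled or trailing spaces in the input_file_names and output_file_names loops of variant_action, and a backslash or NUL byte is not rejected either. Since every caller uses the value as exactly one path component, the function should accept only a non-empty string that is not `.` or `..` and contains no separator; testing `strpos(...) !== false` instead of relying on the substring that `strstr` returns also reads more clearly.
```php
// is $x usable as a single path component (file or dir name)?
//
function is_valid_filename($x) {
    if (!is_string($x) || $x === '' || $x === '.' || $x === '..') return false;
    if (strpos($x, '/') !== false) return false;
    if (strpos($x, "\\") !== false) return false;
    if (strpos($x, "\0") !== false) return false;
    return true;
}
```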
$dir\n";
 start_table('table-striped');
 table_header('Variant name (click for details)', 'Submit jobs');
@@ -97,7 +96,9 @@ function show_app($dir) {
 function variant_view() {
 global $buda_root;
 $app = get_str('app');
+ if (!is_valid_filename($app)) die('bad arg');
 $variant = get_str('variant');
+ if (!is_valid_filename($variant)) die('bad arg');
 page_head("App $app variant $variant");
 $dir = "$buda_root/$app/$variant";
 start_table();
@@ -131,6 +132,7 @@ function variant_view() {
 function variant_form($user) {
 $sbitems = sandbox_select_items($user);
 $app = get_str('app');
+ if (!is_valid_filename($app)) die('bad arg');
 page_head("Create variant of Docker app $app");
 form_start('buda.php');
@@ -165,11 +167,23 @@ function copy_and_stage_file($user, $fname, $dir, $app, $variant) {
 function variant_action($user) {
 global $buda_root;
 $variant = get_str('variant');
+ if (!is_valid_filename($variant)) die('bad arg');
 $app = get_str('app');
+ if (!is_valid_filename($app)) die('bad arg');
 $dockerfile = get_str('dockerfile');
+ if (!is_valid_filename($dockerfile)) die('bad arg');
 $app_files = get_array('app_files');
+ foreach ($app_files as $fname) {
+ if (!is_valid_filename($fname)) die('bad arg');
+ }
 $input_file_names = explode(' ', get_str('input_file_names'));
 $output_file_names = explode(' ', get_str('output_file_names'));
+ foreach ($input_file_names as $fname) {
+ if (!is_valid_filename($fname)) die('bad arg');
+ }
+ foreach ($output_file_names as $fname) {
+ if (!is_valid_filename($fname)) die('bad arg');
+ }
 if (file_exists("$buda_root/$app/$variant")) {
 error_page("Variant '$variant' already exists.");
@@ -210,10 +224,13 @@ function variant_action($user) {
 function variant_delete() {
 global $buda_root;
 $app = get_str('app');
+ if (!is_valid_filename($app)) die('bad arg');
 $variant = get_str('variant');
+ if (!is_valid_filename($variant)) die('bad arg');
 $confirmed = get_str('confirmed', true);
 if ($confirmed) {
 $dir = "$buda_root/$app/$variant";
+ if (!file_exists($dir)) error_page('no such variant');
 // delete staged files
 //
 foreach (scandir("$dir/.md5") as $fname) {
@@ -232,9 +249,7 @@ function variant_delete() {
 app_list($notice);
 } else {
 page_head("Confirm");
- echo "Are you sure want to delete variant $variant of app $app? -

- "; + echo "Are you sure you want to delete variant $variant of app $app?

"; show_button( "buda.php?action=variant_delete&app=$app&variant=$variant&confirmed=yes", "Yes" @@ -243,8 +258,37 @@ function variant_delete() { } } +function app_delete() { + global $buda_root; + $app = get_str('app'); + if (!is_valid_filename($app)) die('bad arg'); + $confirmed = get_str('confirmed', true); + if ($confirmed) { + $dir = "$buda_root/$app"; + if (!file_exists($dir)) error_page('no such app'); + foreach (scandir($dir) as $fname) { + if ($fname[0] == '.') continue; + error_page("You must delete all variants first."); + } + system("rmdir $buda_root/$app", $ret); + if ($ret) { + error_page('delete failed'); + } + $notice = "App $app removed."; + app_list($notice); + } else { + page_head('Confirm'); + echo "Are you sure you want to delete app $app?

"; + show_button( + "buda.php?action=app_delete&app=$app&confirmed=yes", + "Yes" + ); + page_tail(); + } +} + function app_form() { - page_head("Create Docker app"); + page_head('Create Docker app'); form_start(); form_input_text('Name', 'name'); form_submit('OK'); @@ -255,6 +299,7 @@ function app_form() { function app_action() { global $buda_root; $name = get_str('name'); + if (!is_valid_filename($name)) die('bad arg'); $dir = "$buda_root/$name"; if (file_exists($dir)) { error_page("App $name already exists."); @@ -266,8 +311,11 @@ function app_action() { function view_file() { global $buda_root; $app = get_str('app'); + if (!is_valid_filename($app)) die('bad arg'); $variant = get_str('variant'); + if (!is_valid_filename($arg)) die('bad arg'); $fname = get_str('fname'); + if (!is_valid_filename($fname)) die('bad arg'); echo "
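Review bot: `system("rmdir $buda_root/$app", $ret)` in app_delete passes the request-supplied $app to a shell, and is_valid_filename only excludes '/', so a name containing spaces or shell metacharacters changes the command that is executed; the builtin `rmdir()` removes the directory without a shell and can reuse the `$dir` computed a few lines earlier, `if (!rmdir($dir)) { error_page('delete failed'); }`. The `$fname[0] == '.'` test skips `.` and `..` but also any other dot-prefixed entry, so a directory that is empty except for such entries would fail at the rmdir step with the less specific 'delete failed' message; whether such entries exist under an app directory is not visible from this hunk. $app is interpolated unescaped into the confirmation text and the button URL, which mirrors the existing variant_delete code rather than being new here.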

\n";
     readfile("$buda_root/$app/$variant/$fname");
     echo "
\n"; 
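Review bot: The new check on the variant argument in view_file tests `$arg`, which is never assigned, instead of `$variant`, so is_valid_filename receives null and returns true, and `readfile("$buda_root/$app/$variant/$fname")` still accepts a variant containing '/'; the line should read `if (!is_valid_filename($variant)) die('bad arg');`. This is the one caller in the patch where the added guard does not actually cover the value it sits next to. view_file's body continues past the end of the hunk.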
diff --git a/samples/docker_wrapper/test_buda/worker_3_x86_64-pc-linux-gnu b/samples/docker_wrapper/test_buda/worker_3_x86_64-pc-linux-gnu deleted file mode 100644 index 0aff3a397e1e65ae7aaa5e2acfccb504f223e0e1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 18536 zcmeHPd30OVnZHl+B1^HY#5gz$jUWWFVA;;%BqSkr5(Nbu2#`?71XNj;Y&EhZv}6H7 z-6l{>2z9#9ltLTmlv28du1q_pO$JI}&S?vsw$SZNXq(ms+PYzxu*LKH-9?sO>`v#L z`D6ab&GGy0x8Co5chSA~-IospI@UTYOPJ&omk45gE=6h6jKP&U1JEXxh$=kK6X%Kw z;AN7g_-zV+tI|nr+CXhqIKigg5{Htr!|94F3^X1RmTTTv;OSaLHBbnjBv6mOrq7Wm zpigEDJgEIRrlHXzO1(a<*QfOi9M+B*XzIth@o%HHXNPORV=|DkOdF2px|naSk?3i# zLy?7nM(--<(a(Q0d9~oxy1en?GNAo8P*+zpCE}f}3!4&Mjfr?NzoT)-lGeu7h5l^H zKVR0H_9=Vm6`N#9Y;O}<`g|7tNF%@Qk1ySN`MnQS)f|j%ZLP?5ZvWfrhsiTGWW6k( z=(D^I(k9}MY0f!!PmgU1dzYTrYr2VI6g}@o-dBX1>}+Hv8KekK9*2J3IP}Hi(39iP zyT_q#7>E7{=sx_}6XP(J|Cf(L_l!edGYPu3w! zIMDY;|8XR!f1^1Iqs4+O+m$IlHC{z-pTszC`DD(-wGUjT9X5KKrn_u$HTVlNd{U2N zishMftcYGbj|>*kwP~p`TtwGXm8736qU)(x(oMhM+->SehUpiin{iFL=@+CI_wzfo z{Yucyd_wtwB0A>|lMWQo&0I;|!6JI`@5v)Ybe3V#p(46z1M(g(qPvYS;Nc=V$DT<~ z7ttpeBH*({^y(sdaQ7>&;NJ2T4L%XP{cz4P@@#PTlddNU5+jSgezs4H%=#vtwKLj~ zBi=*)(6JGuS&tHDQx82W@rQ^rbVG+Fejjm$Z0L~0KT4dT8agQPyNEMHLjw~35OH>q zp+1SY)KdWBm@_QUg$`c~L@t#-y5a#maqWK(co`Bi|yr6+^^$8%EWYk35&5Rz?iF8v0z8916M}nJJPK^E8dV+);_+1ZFM(Thr;m=k`UFg(J`}%UCrdiQzEMhDr=$wh zwZ*!-1Fu;x{}8;u$s3+vDd08bJg4ZNbjAiEt3SQhwA z?Y_r>u&@KceP{iUd{}-qXgwR;%hq@YJ(7Ohib8HboS(NlFldb@4YAv$yRQswhSA{e zUBjaG_AjZj#=K2FCU+x`WjlpIFH$#oG@bjd| zFCSZhKDH|#zpnI@kJSYq7a+$*7+QV`_88(^r7}4ey5-WLBj25d>U^Jd!npb%;NXOU zffH{-Z*Tdp>*)HC?{acCl37arPVzUML^l`?_Wy#ehY;eUfk8-$!PQ`&2-eO$jE-A< z8x&5|-gqQdJNs!lKw`E2BekDAyytLk5-PZFgVn!j5C$Gc=`TNtQlq+5PNk;QT9%rC zSy|O*FcLBT+TYuL?YjQw+c&ji?wNI?S57UBgx9q9zq_vgjgC1SFRtK`cb$W&w@{_q z|D5x+{MyV19sO^0^uMvD|F7*MXZDrvW}}g;UgKm$Z#l*dzmAqrx@SEpWwPk+$U(+Ywc2-+v z%QM*<*1jlre|>xW?bbBsGVVP%!4JGSGI9X04PiM9xB-yAJev{Y7XS|fo&+pMt27|^ z&!Q(S0c^u;*9XYNeE^en^VP!I;kBkssB{fjm0r@hc07hM=21YWvE_w0AAHIWpBx!E 
zMA;he+M0&TYCYRsePZR*Wpfvte;&!yN3)9^u**7_MBOd;yBT$ek=S12y~DA(y225L zN6PlCARh)lP{MC3@b3rxIQUOt02lO~M;sJjng5Ev0d(;wpjcJo{fJ{#O~XCTK#gx- z*{Yh^cb5lin(wFx)-2gwxxS_?Q?sPKrn$Xl_Np2m}6M-`kI1_>YpAj(U_U4>kZ-WbG@#akUpgw#yXTdq0 znWC#@-UsjihRN(@rz*7YUSPV$4gd91BPo&&=*=S!c9{ms6f|f5Piww8(|%5|g*nS^ z(0ILu2AH$=v_8)^dsKNq2qCk7H)rc-YsEvlU_*aIJ7)ZL=|Gux5T^Y1XniAxBL`VO zh)WWV93+0Hwuhq!!G691BRksfRZIe+JBZW4pm$=!*YQ!#6an&=s4k;RPDD zYPeRzYc-5%Xt)1A;pY9&rK?w8?3=x*GoQ@meT)5z{LPIE@)B#gt!0V7dEp#I6&Jyx zYFt&~UAkp%8YglOpeLz5=CUqB>y+_8@I_b{OVRN$NH|_t0uiUH@)UvP>V;*eqw*&N zWtC1yIIW75B$l58P*zrsSA9?@UjVa??~`+PoNmrR!Ond$`z5fP1I(7YDqNqEmMgYF zw32yO7jiF@y*>+4Ra-$Qd!rLiQS~}Ke*0q-sq(U{cbNB99VGo-<{PTKP%1mcyszpm z%8W2S+kGjXWx^uT>|PF6$}EX2aW5jrA(1wB2i40Y5_F$UyX6wu;C_)}6%x75{UIVQ zi*In==RU<^+*T4uk9!q$CRm*iNW05fj#nZ%_jMGTWTnB`;jSiUvb7dSpZii5znC_`Pht)d-!(-9M$H3#4y{-3#c>BI_;)JSiM}5mjFKd5C#9bCuoadI`b} zWd~W`sv}fH+RNbr%DCD>n&skPqq@n#9`T`R$-!V=tf zs|26^sss=GSb~FpmEdz0`a`|z^VJeOJVSyntd!u98zuPSE(yN$F$uo>FA@y5%3@zn zNI&2BnIxY4s|0VZ!emkJdaF!=w`WT5&KAxflQ-c}HS%F-oh@r_Sq)W|HBVZ3TG@O- z8T-95_6KFEGzp9gq*Ij zydv^t&oq~N*$ZGY-c=3|+{-&5B&KJgy~4eM`7+`7B_!OJJPMgCr6b zMvy98oAH!=D2dF}!ULQf2s3;aN_7W)-b)ESz}ydT?s?0}+~gpj0Q-;SE>r%I6vKr6fw{m_utZ1T()z{vlSEV{eqNjL+Oa z_BT1raZK9TK0g@lYFQl)R>>DW-m-FkUWVlxq_Uu?GRH`v6s@dN{?U8ZJq^kF7+&AH#$GunHBDUtl!tD%?>2$ zJ*}StQtw$Tr&iArIkkG0vg_A-E|ycPXStl?JeSC+)zc=YR?liVwR+absnrvZQ>*7v zIkkF%a!&PJCg)Vo<#JB-bjUf?vtG`ro-5>>>e(RYRL@nMQzx)pF0ax*W0vsVf@rZi|A{b9I7pYh-@s$SgX|&RT@-j&3cN^xuS$V$QQ&J7s0}gOAp7EM4}`5{lvt!! 
z`|<@AaO?gFpv?I;Oeg`z{*F0MI*74rI`+5C#g!>*Ii(!?-#3>xu?*HTH!dtWSvvM# zH;+Gm2HS#;#Rb+yH?xTO{B;~gRhR+_px`Yq*@){}5Kz{yoAVl&2HP+*DVbFpWcXI&kphx3KUa|!t9(K?F`QeF!xh6(|tDlZTOt~$$EDnOrKk9xN|vl@b&jqT{Kaony{^}c3*e(qnq;|PE}uf>bL&ArZ9xV z^9wE&^k)^M%9YFoql6Dzh!;&==ohF;pKQ(kB>2lkqC5o=vH zqVq;WPxPWuGfCNb3T7H%rby54*Wos$eR37TDc(Z&b%-=OvGsOMHJ%pof_PIto8evC zrtV0j372d`tqb*y+wNq(X>n6L8A;^3qC(1PrCJhrjm+)2_@bGM`4jvG8XR!2fs*)fjrfu5b_Yq#e1WQy1X+VPvjco$xG-F7hq<_ za9(KTU7LlY%vq7c(^0XXPuKPGdF}hJZ+`uFx9gs!nU@@YbsK0_MXus|j=6P?d39d_ zcnyDFam=rK2=L$Wmq(tO&ctV&QwFqr-gW#z*B@QYc?kS%zU%n)SY28c?z2Xd+e9ea zlgi{e^ReQnh1Oje;@#I!j`iW?RzxF*btoB-4Mme(q8ArZlaeAYzDgSIrzZ2b^SVR8 zd{;OZWe7zmmI!xe#r8-~I0KWBRC;G99}&3v%3C8@_<&d^rR3%-mKJO*z%nfWQ@AyY zd$)-MZoe|3H{;fbq9wXC1S_4Aw^;aF(A$|yZHIaInhkG*3vf1;NQHT=7i`?7?e@t> zKADYoC!<}s?vjIdxm0hbs$n>?HJ=W3hO<%8l?sJJ-SKYR;!UK|B9Y+Q5qEs)4)4b# zQ@l*>TRm@H%R+TV;cM*8<&)7B-BDC29swH8M0!@JtLnbSZeL>zS79Ps8`GIoE{ak! zji@1<5?S04X2>&Pcue;*(Qub?qca<&6%o#K%L~W&i9*D7EPO{;6n`Q+AQYI`yS-B3E*MPY#X3M^1yp#r!O z9g;V(S*vY1-h&RMVzF#A$7rAjZ(gi>)P^N=groVI=8$OWN%cmXI#ZaQ!d<;8)07SO zrW4U@le&~7)a@sE1)Hie-s~=NP{?k9KFkZ@#&9T|$Y;_1p_}q?j1R@r*TiKn6`@q3 z%lK!sM4_i~2%tW>o0H*QT<6Ym;899No~GU?e7= zm6EY6FsJ>a3@jzk3;#AUN>Mq!M{%IN4%ym~;U#_8Mn6~6&3hSTMTo`7SonS=sN=x$ znAYOY8YBL_pwqs2&qGErz~r z(6?whrb?Nj3W%QqdNE!$_xHRbpD*Dxe3^zygmLqw0--L#4brMF)fjSap(_? zL;vPDbpCEJK6Zb82D@=WgFLYq5U7M8BU<4|9Fb^H22C~(CZ zxr8h+fVK0Q>#t~Eziu_;ia7EDI!IWrhXO%uA-Lvh5xTVF%2n+hp)1#}y(X|Rw6T3v zM}X@d?Dis|NH#C4f<@2x-{oPIjD>JpTk&^%`dh(LqFhdwl0s2zl)~y`!%~j?=Fmps z7l);!)4nFOvuR#^GRRdVK0quL(BCSS673%vhPtw;P!IMc39MSN`cvBit_H_le;37% zjevM|X0zH4x#E@|S(X;dk0(nhTw#||)OVJpv``42Nt)ikb{g}e$kMMdOD&*6SnZb5 zgg?8p7aI;htiC1eF*z)-qnWhuC$Wd~x35~)m(fH;jU_;2<%1*j{GLns+1 zqmR=;nXbhXQ-49<+_y3CIVDzj+T(X4IJ~=J{5Sh01252;#(yJc;8yT?7slXbUuB?A z>)ZX;WWlp~#?MUjIE>f0Z_9_Gt#1`$5#7j6b{nJ)kir^pDB>t{R9H zQ%SP7e?Pdz`iJ$t&%i?^+FX;UWZ=hb`euJEoPw#ULZCw4@;e|wf=*6 zUs#;%vQx&elfJU zC>38=p!5&v`OF8j1%Iaf&F>HA2h;Y*7Sf%|RQ5eKrYYA5PDI8gB3TdX_b8Xx6l|#Y EZ@Z>zMF0Q*