Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Configuration] Path settings must be valid paths #4023

Merged
merged 9 commits into from
Oct 15, 2019
Merged

[Configuration] Path settings must be valid paths #4023

merged 9 commits into from
Oct 15, 2019

Conversation

johnsaigle
Copy link
Contributor

@johnsaigle johnsaigle commented Oct 23, 2018

Brief summary of changes

I was recently able to develop an exploit where I could upload and execute scripts via manipulating config path settings. This PR ensures that these settings actually correspond to existing paths on the system before changing their values in the database.

To Test

  • Try changing one of the Configuration settings under Paths to an invalid path. You'll get a 400 error.

@johnsaigle johnsaigle added Category: Feature PR or issue that aims to introduce a new feature Category: Security PR or issue that aims to improve security [branch] minor labels Oct 23, 2018
PapillonMcGill
PapillonMcGill previously approved these changes Oct 29, 2018
$err = 'Path ' . htmlspecialchars($value, ENT_QUOTES)
. ' is not valid.';
// Set response code and display error message.
$displayError(400, $err);
Copy link
Contributor

@kongtiaowang kongtiaowang Oct 29, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is not a function name? typo?

@kongtiaowang kongtiaowang added the State: Needs work PR awaiting additional work by the author to proceed label Oct 29, 2018
@kongtiaowang
Copy link
Contributor

When I test it, there is no error message, and all the paths can't be changed.

@johnsaigle
Copy link
Contributor Author

@kongtiaowang You were right. I fixed the problem. Please test again if you have time.

@johnsaigle johnsaigle removed the State: Needs work PR awaiting additional work by the author to proceed label Oct 29, 2018
@ridz1208
Copy link
Collaborator

ridz1208 commented Nov 5, 2018

@paiva can you please test this one ?

@johnsaigle
Copy link
Contributor Author

This might cause issues with the Logs path because I think it's deliberately set up as a partial path (i.e. tools/logs/)

I'm not sure where this is used exactly but I think I'll need to issue another PR to update those usages once this is merged.

PapillonMcGill
PapillonMcGill previously approved these changes Nov 12, 2018
modules/configuration/ajax/process.php Outdated Show resolved Hide resolved
@johnsaigle johnsaigle added the State: Blocked PR or issue awaiting an external event such as the merge or another PR to proceed label Nov 13, 2018
@johnsaigle
Copy link
Contributor Author

This is now blocked by #4087 as it uses the new data type in its query.

@johnsaigle johnsaigle added State: Needs work PR awaiting additional work by the author to proceed and removed State: Blocked PR or issue awaiting an external event such as the merge or another PR to proceed State: Needs work PR awaiting additional work by the author to proceed labels Feb 4, 2019
@johnsaigle johnsaigle dismissed driusan’s stale review February 11, 2019 17:45

Addressed by using new data types.

@PierreEMorin
Copy link

This code does what it is supposed to do.

However, at the moment, default path values such as "/PATH/TO/EXTERNAL/LIBRARY/" or "/PATH/TO/Genomic-Data/" are not allowed anymore so the user is left with either:
1. leave it blank
2. put a valid but inadequate path (i.e. data/%project%/data for genomics)
3. add valid paths to the server that may be never used (i.e. a project not using the genomic module)

Should blank be allowed? or should default values from the ConfigTables schema be allowed?

@johnsaigle
Copy link
Contributor Author

I guess ideally we would have a toggle switch on each of the modules saying whether a project will use them or not...

I think it makes sense to allow blank values in this case. The default params don't really make sense anyway and only some of the paths are configured to have one in the /NOT/REAL/PATH format.

Blank paths will probably result in ConfigurationExceptions at some point in whatever modules use them. I don't know if this is the best solution but I think it's what we have available right now.

modules/configuration/ajax/process.php Outdated Show resolved Hide resolved
foreach ($_POST as $key => $value) {
if (is_numeric($key)) { //update
if ($value == "") {
$DB->delete('Config', array('ID' => $key));
$DB->update('Config', array('Value' => null), array('ID' => $key));
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this changed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The basic idea of my changes is to verify whether the incoming data is a web_path type in the DB and if so make sure that it's a valid path.

When debugging a problem another reviewer had, i realized that the script was actually deleting values when they are blank.

This is a problem because we decided in a meeting at some point that the paths should be left blank when they're not configured (rather than allowing for /INVALID/PLACEHOLDER/PATHS as a value).

I figured it would make sense to keep the IDs in the database and set them to null rather than delete them. It makes more sense to me intuitively to have a setting be blank/uninitialized than for it to vanish.

Do you see this causing problems?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, when new config settings are added/unchanged from the default they do not have any entry in the Config table. The update statement will return 0 rows and report success but silently do nothing. As a result, no one will ever be able to set a config setting for the first time for any config that doesn't have a non-empty default. Not having a value in the table when the setting is blank is correct behaviour.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

when new config settings are added/unchanged from the default they do not have any entry in the Config table

Aren't defaults stored in the Config table? ConfigSettings doesn't have any information about the value.

@@ -52,20 +63,40 @@
if ($keySplit[0] == 'add') {
if ($value !== "") {
if (countDuplicate($keySplit[1], $value) == '0') {
$DB->insert(
$DB->update(
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will not work when the value isn't in the table

Co-Authored-By: Dave MacFarlane <driusan@gmail.com>
@johnsaigle johnsaigle added the State: Discussion required PR or issue that requires the resolution of a discussion with the relevant parties to proceed label Jul 29, 2019
@driusan
Copy link
Collaborator

driusan commented Aug 1, 2019

@johnsaigle Why did you add "Discussion Required" to this PR?

@johnsaigle
Copy link
Contributor Author

@driusan I replied to your above comment and you didn't follow up.

I think that this PR makes sense the way I've done it. Maybe it makes the most sense for us to discuss it in person so I can walk you through my thinking.

@driusan
Copy link
Collaborator

driusan commented Aug 26, 2019

This PR does not make sense the way it's done. The config tables are normalized. If there is no value, it should be deleted from the value table, not updated to a blank value. Defaults are only stored in the config table of the default schema if the default is non-empty.

@johnsaigle
Copy link
Contributor Author

@driusan I modified this PR to use insert/delete instead of updates, as requested. Please review when you have time.

@johnsaigle johnsaigle removed the State: Discussion required PR or issue that requires the resolution of a discussion with the relevant parties to proceed label Sep 17, 2019
@johnsaigle johnsaigle requested a review from driusan September 18, 2019 15:33
@johnsaigle johnsaigle dismissed driusan’s stale review September 18, 2019 15:33

PR rewritten to address review concerns. New review required.

Copy link
Collaborator

@driusan driusan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mostly minor things and error handling.

modules/configuration/ajax/process.php Outdated Show resolved Hide resolved
$DB->delete(
'Config',
array('ConfigID' => $ConfigSettingsID)
);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

else throw exception?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

modules/configuration/ajax/process.php Show resolved Hide resolved
johnsaigle and others added 4 commits September 18, 2019 16:15
Co-Authored-By: Dave MacFarlane <driusan@gmail.com>
Co-Authored-By: Dave MacFarlane <driusan@gmail.com>
@johnsaigle
Copy link
Contributor Author

@driusan I made your requested changes.

@johnsaigle johnsaigle requested a review from driusan September 23, 2019 17:19
@johnsaigle johnsaigle dismissed driusan’s stale review October 2, 2019 21:43

request changes have been addressed

@johnsaigle
Copy link
Contributor Author

@driusan Tagging you again because this ideally would go into the next minor release as discussed in the LORIS meeting.

@driusan driusan merged commit a946d2d into aces:minor Oct 15, 2019
@ridz1208 ridz1208 modified the milestones: 21.1.0, 22.0.0 Oct 28, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Category: Feature PR or issue that aims to introduce a new feature Category: Security PR or issue that aims to improve security Passed manual tests PR has been successfully tested by at least one peer
Projects
None yet
Development

Successfully merging this pull request may close these issues.