CVE-2022-25358: salmonella-tar - The CHICKEN Scheme wiki

A ..%2F path traversal vulnerability exists in the path handler of awful-salmonella-tar before 0.0.4. Attackers can only list directories (not read files). This occurs because the safe-path? Scheme predicate is not used for directories.


awful-salmonella-tar

  1. awful-salmonella-tar
    1. Introduction
    2. Author
    3. Repository
    4. License
    5. Version history
      1. Version 0.0.4 (2022-02-17)
      2. Version 0.0.3

Introduction

This is an awful application to extract salmonella report files from tar archives.

It requires tar (tested with GNU tar, specifically). For compressed report tar files, gzip or bzip2 is required (by default, gzip is used).

To see it working, install awful-salmonella-tar with:

$ chicken-install awful-salmonella-tar

Then add some test data:

$ mkdir -p reports/master/gcc/linux/x86-64/2018/09/02/
$ cd reports/master/gcc/linux/x86-64/2018/09/02/
$ wget https://salmonella-linux-x86-64.call-cc.org/master/gcc/linux/x86-64/2018/09/02/salmonella.log.bz2
$ bzip2 -d salmonella.log.bz2

You'll need salmonella-html-report to generate report data out of the salmonella log file. If you don't have it installed, install it with chicken-install salmonella-html-report.

$ salmonella-html-report salmonella.log salmonella-report
$ tar czf salmonella-report.tar.gz salmonella-report
$ rm -rf salmonella-report
$ cd -
$ cat <<EOF > awful-salmonella-tar-app.scm
(cond-expand
  (chicken-4 (use awful-salmonella-tar))
  (chicken-5 (import awful-salmonella-tar))
  (else (error "Unsupported CHICKEN version.")))

(awful-salmonella-tar "/")
EOF
$ awful awful-salmonella-tar-app.scm

Then request, for example, http://localhost:8080/reports/master/gcc/linux/x86-64/2018/09/02/salmonella-report/

Author

Mario Domenech Goulart

Repository

awful-salmonella-tar is maintained in a Github repository.

License

Copyright © 2011-2020, Mario Domenech Goulart. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  3. The name of the authors may not be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE AUTHORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Version history

Version 0.0.4 (2022-02-17)

Fix path traversal vulnerability

This change fixes a path traversal vulnerability that would allow attackers to navigate through the filesystem of the server (provided the user running the web server has execute access to the directories). Attackers could only list the contents of directories – not download files.

The vulnerability was caused by the lack of a check for the validity of requested paths when handling directories, notably when ..%2F (../ URL-encoded) was present in requested paths.

Background:

awful-salmonella-tar is implemented using awful. Awful is implemented on top of spiffy, and overrides the (handle-not-found) parameter to map URL paths to procedures. Spiffy takes some precautions regarding dealing with malicious paths when it handles static files. Code that uses spiffy to implement generation of dynamic content (like awful does) must take its own precautions.

awful-salmonella-tar uses a procedure (safe-path?) with a relatively strict policy to allow access to files, but it was not being used to validate access to directories, and that was causing the vulnerability.

This change applies safe-path? to all requested paths.
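The defect and its fix, modelled as an added example (not the egg's own Scheme code): a safe_path check that decodes the URL path before inspecting it, and a simulated handler that, in the pre-0.0.4 shape, validates only file requests, versus the fixed shape that validates every request. The document root, the "request ends in / means directory" rule and the exact policy of safe_path are assumptions for the example; the check also goes beyond the page by catching the %2e%2e encoding of "..".

```python
from urllib.parse import unquote
import posixpath

# Constructed document root for the example (not the egg's configuration).
DOC_ROOT = "/srv/reports"


def safe_path(url_path: str) -> bool:
    """Reject request paths that could escape DOC_ROOT.

    The path is URL-decoded first, so ..%2F and %2e%2e/ are judged as the
    '../' they resolve to rather than as harmless literal text.
    """
    decoded = unquote(url_path)
    # NUL and backslash have no place in a report path; refuse them outright.
    if "\0" in decoded or "\\" in decoded:
        return False
    if any(segment == ".." for segment in decoded.split("/")):
        return False
    # Belt and braces: resolve the path and confirm it still lies under the root.
    resolved = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    return resolved == DOC_ROOT or resolved.startswith(DOC_ROOT + "/")


def handle_request(url_path: str, fixed: bool) -> str:
    """Simulated path handler.

    fixed=False reproduces the pre-0.0.4 shape: only file requests pass
    through safe_path, so a traversing directory request is still listed.
    fixed=True applies safe_path to every request, as 0.0.4 does.
    A request is treated as a directory request when its decoded form ends
    in '/' (an assumption made for this example).
    """
    is_directory = unquote(url_path).endswith("/")
    if fixed or not is_directory:
        if not safe_path(url_path):
            return "403 forbidden"
    return "200 listing" if is_directory else "200 file"
```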

Thanks to Chris Brannon for responsibly reporting this issue.

Version 0.0.3

  • Initial release as a CHICKEN egg (2020-11-07)
