Avoiding malicious uploaded file

Adding '.txt' to the end of runnable scripts to avoid attacks due to unsecure servers. Same solution adopted by foswiki. (ActionItem2009)

Avoiding malicious uploaded file
Adding '.txt' to the end of runnable scripts to avoid attacks due to unsecure servers. Same solution adopted by foswiki. (ActionItem2009)
Rodrigo Souto
1 parent 635a6c6c
Showing 8 changed files with 44 additions and 0 deletions Show diff stats
app/models/environment.rb
app/models/image.rb
app/models/thumbnail.rb
app/models/uploaded_file.rb
test/unit/environment_test.rb
test/unit/image_test.rb
test/unit/thumbnail_test.rb
test/unit/uploaded_file_test.rb
@@ -9,6 +9,13 @@ class Environment &lt; ActiveRecord::Base
  
   has_many :tasks, :dependent => :destroy, :as => 'target'
  
+  IDENTIFY_SCRIPTS = /(?:php[0-9s]?(\..*)?|[sp]htm[l]?(\..*)?|pl|py|cgi|rb)/
+
+  def self.verify_filename(filename)
+    filename += '.txt' if filename =~ IDENTIFY_SCRIPTS
+    return filename
+  end
+
   PERMISSIONS['Environment'] = {
     'view_environment_admin_panel' => N_('View environment admin panel'),
     'edit_environment_features' => N_('Edit environment features'),
@@ -4,6 +4,8 @@ class Image &lt; ActiveRecord::Base
     Image.attachment_options[:max_size]
   end
  
+  before_create { |file| file.filename = Environment.verify_filename(file.filename) }
+
   has_attachment :content_type => :image, 
                  :storage => :file_system, 
                  :path_prefix => 'public/image_uploads',
@@ -3,5 +3,7 @@ class Thumbnail &lt; ActiveRecord::Base
     :content_type => :image, :max_size => 5.megabytes
   validates_as_attachment
  
+  before_create { |file| file.filename = Environment.verify_filename(file.filename) }
+
   postgresql_attachment_fu
 end
@@ -20,6 +20,7 @@ class UploadedFile &lt; Article
  
   before_create do |uploaded_file|
     uploaded_file.is_image = true if uploaded_file.image?
+    uploaded_file.filename = Environment.verify_filename(uploaded_file.filename)
   end
  
   def thumbnail_path
@@ -1125,4 +1125,21 @@ class EnvironmentTest &lt; Test::Unit::TestCase
     assert_equal 'localhost:9999', env.default_hostname
   end
  
+  should 'identify scripts with regex' do
+    scripts_extensions = %w[php php1 php4 phps php.bli cgi shtm phtm shtml phtml pl py rb]
+    name = 'uploaded_file'
+    scripts_extensions.each do |extension|
+      assert_not_nil name+'.'+extension =~ Environment::IDENTIFY_SCRIPTS
+    end
+  end
+
+  should 'verify filename and append .txt if script' do
+    scripts_extensions = %w[php php1 php4 phps php.bli cgi shtm phtm shtml phtml pl py rb]
+    name = 'uploaded_file'
+    scripts_extensions.each do |extension|
+      filename = name+'.'+extension
+      assert_equal filename+'.txt', Environment.verify_filename(filename)
+    end
+  end
+
 end
@@ -118,4 +118,9 @@ class ImageTest &lt; Test::Unit::TestCase
     file.destroy
   end
  
+  should 'not allow script files to be uploaded without append .txt in the end' do
+    file = Image.create!(:uploaded_data => fixture_file_upload('files/hello_world.php', 'image/png'))
+    assert_equal 'hello_world.php.txt', file.filename
+  end
+
 end
@@ -9,5 +9,10 @@ class ThumbnailTest &lt; Test::Unit::TestCase
       assert_match 'image/', item 
     end
   end
+
+  should 'not allow script files to be uploaded without append .txt in the end' do
+    file = Thumbnail.create!(:uploaded_data => fixture_file_upload('files/hello_world.php', 'image/png'))
+    assert_equal 'hello_world.php.txt', file.filename
+  end
  
 end
@@ -325,4 +325,9 @@ class UploadedFileTest &lt; Test::Unit::TestCase
     uses_sqlite
   end
  
+  should 'not allow script files to be uploaded without append .txt in the end' do
+    file = UploadedFile.create!(:uploaded_data => fixture_file_upload('files/hello_world.php', 'application/x-php'), :profile => @profile)
+    assert_equal 'hello_world.php.txt', file.filename
+  end
+
 end
...	...	@@ -9,6 +9,13 @@ class Environment < ActiveRecord::Base
9	9
10	10	has_many :tasks, :dependent => :destroy, :as => 'target'
11	11
	12	+ IDENTIFY_SCRIPTS = /(?:php[0-9s]?(\..)?\|[sp]htm[l]?(\..)?\|pl\|py\|cgi\|rb)/
	13	+
	14	+ def self.verify_filename(filename)
	15	+ filename += '.txt' if filename =~ IDENTIFY_SCRIPTS
	16	+ return filename
	17	+ end
	18	+
12	19	PERMISSIONS['Environment'] = {
13	20	'view_environment_admin_panel' => N_('View environment admin panel'),
14	21	'edit_environment_features' => N_('Edit environment features'),
...	...
...	...	@@ -4,6 +4,8 @@ class Image < ActiveRecord::Base
4	4	Image.attachment_options[:max_size]
5	5	end
6	6
	7	+ before_create { \|file\| file.filename = Environment.verify_filename(file.filename) }
	8	+
7	9	has_attachment :content_type => :image,
8	10	:storage => :file_system,
9	11	:path_prefix => 'public/image_uploads',
...	...
...	...	@@ -3,5 +3,7 @@ class Thumbnail < ActiveRecord::Base
3	3	:content_type => :image, :max_size => 5.megabytes
4	4	validates_as_attachment
5	5
	6	+ before_create { \|file\| file.filename = Environment.verify_filename(file.filename) }
	7	+
6	8	postgresql_attachment_fu
7	9	end
...	...
...	...	@@ -20,6 +20,7 @@ class UploadedFile < Article
20	20
21	21	before_create do \|uploaded_file\|
22	22	uploaded_file.is_image = true if uploaded_file.image?
	23	+ uploaded_file.filename = Environment.verify_filename(uploaded_file.filename)
23	24	end
24	25
25	26	def thumbnail_path
...	...
...	...	@@ -1125,4 +1125,21 @@ class EnvironmentTest < Test::Unit::TestCase
1125	1125	assert_equal 'localhost:9999', env.default_hostname
1126	1126	end
1127	1127
	1128	+ should 'identify scripts with regex' do
	1129	+ scripts_extensions = %w[php php1 php4 phps php.bli cgi shtm phtm shtml phtml pl py rb]
	1130	+ name = 'uploaded_file'
	1131	+ scripts_extensions.each do \|extension\|
	1132	+ assert_not_nil name+'.'+extension =~ Environment::IDENTIFY_SCRIPTS
	1133	+ end
	1134	+ end
	1135	+
	1136	+ should 'verify filename and append .txt if script' do
	1137	+ scripts_extensions = %w[php php1 php4 phps php.bli cgi shtm phtm shtml phtml pl py rb]
	1138	+ name = 'uploaded_file'
	1139	+ scripts_extensions.each do \|extension\|
	1140	+ filename = name+'.'+extension
	1141	+ assert_equal filename+'.txt', Environment.verify_filename(filename)
	1142	+ end
	1143	+ end
	1144	+
1128	1145	end
...	...
...	...	@@ -118,4 +118,9 @@ class ImageTest < Test::Unit::TestCase
118	118	file.destroy
119	119	end
120	120
	121	+ should 'not allow script files to be uploaded without append .txt in the end' do
	122	+ file = Image.create!(:uploaded_data => fixture_file_upload('files/hello_world.php', 'image/png'))
	123	+ assert_equal 'hello_world.php.txt', file.filename
	124	+ end
	125	+
121	126	end
...	...
...	...	@@ -9,5 +9,10 @@ class ThumbnailTest < Test::Unit::TestCase
9	9	assert_match 'image/', item
10	10	end
11	11	end
	12	+
	13	+ should 'not allow script files to be uploaded without append .txt in the end' do
	14	+ file = Thumbnail.create!(:uploaded_data => fixture_file_upload('files/hello_world.php', 'image/png'))
	15	+ assert_equal 'hello_world.php.txt', file.filename
	16	+ end
12	17
13	18	end
...	...
...	...	@@ -325,4 +325,9 @@ class UploadedFileTest < Test::Unit::TestCase
325	325	uses_sqlite
326	326	end
327	327
	328	+ should 'not allow script files to be uploaded without append .txt in the end' do
	329	+ file = UploadedFile.create!(:uploaded_data => fixture_file_upload('files/hello_world.php', 'application/x-php'), :profile => @profile)
	330	+ assert_equal 'hello_world.php.txt', file.filename
	331	+ end
	332	+
328	333	end
...	...