Huge security hole...

[jej]

http://localhost:3000/admin_data/public/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

displays:

nobody::-2:-2:Unprivileged User:/var/empty:/usr/bin/false root::0:0:System Administrator:/var/root:/bin/sh daemon:*:1:1:System Services:/var/root:/usr/bin/false .../...

:(

Despite the security restrictions in ~/config/initializers/admin_data.rb

:((

Just need to know how deep is /admin_data-1.0.21/lib in the filesystem.

Cheers, Jej

[neerajsingh0101]

Good thing that /public routing is there only in master branch and not in a released gem.

Do you think this fix takes care of that. https://github.com/neerajdotname/admin_data/commit/a56384398fbfaac7effc2231ea04850b0339688a

thanks for reporting.

[jej]

I think the bug exists in the gem version... I am not using the master branch.

Thanks for the patch, but there is a mistake that avoid to get access to the .css/.js. I don't understand why you test for the Rails.root, as the files are hosted in the admin_data lib dir:

13c13,14

< unless Regexp.new(Rails.root.to_s).match(File.expand_path(f))

> > unless Regexp.new(File.join(AdminData::Config.setting[:plugin_dir], 'lib')).match(File.expand_path(f))

Cheers, Jej

[neerajsingh0101]

I released a new version of gem. You are right where gem is installed might not be Rails.root. I am trying to get rid of plugin_dir so I can't use that.

All I need to check is that code must be css or js. that's what it does https://github.com/neerajdotname/admin_data/commit/57b6dbd3989587ab81f25c556fd7ac0c8e3a6380

[jej]

I think you should also forbid ".." in the url.

But as generally consideration, your public_controller is a very bad idea, IMO. You could make a rake task to install these files in the /app/public directory or look for a rails proper solution. That's not your job to emulate the static files serving (in this particular case, js/css), rails does it better.

Well, your plugin is useful but I definitly not include it in the production environment.

Jej

[neerajsingh0101]

I understand but I want admin_data to be 100% non-invasive.

public controller came because of a patch from someone else. Before that admin_data used to read the file itself.

Today I will remove public controller and will read the file internally. That will make things much safer.

[jej]

PS: http://stackoverflow.com/questions/3523173/how-do-i-publish-vendor-public-files http://jonswope.com/2010/07/25/rails-3-engines-plugins-and-static-assets/ http://agilewebdevelopment.com/plugins/plugin_assets

[jej]

So maybe you can have a look at "Rails 3 Engines/Plugins and Static Assets " (http://jonswope.com/2010/07/25/rails-3-engines-plugins-and-static-assets/)

Jej

[neerajsingh0101]

Wow. Now I know what's on agenda for this weekend. I will read up.

[jej]

:)

I think you don't have so much solutions to manage public assets (ActionDispatch::Static). I don't know what is the best practice for rails 2, maybe copying in /app/public is the (worst) best.

Cheers, Jej

[neerajsingh0101]

rails 2 uses plugin version of admin_data which reads the file internally. So public asset is not an issue there.

This gem version is only for rails3. And I am going to use ActionDispatch::Static to serve the files as you mentioned. Thanks. Will update you when I get it working.

[jej]

Thanks for that. Good luck.

Jej

[neerajsingh0101]

The middleware is rendering the data from the main project's public directory. Since I am not copying assets to public directory I can't use middleware approach.

I guess the safest thing would be to go back to old style and kill public controller.

[jej]

Are you sure of that? It seems possible to serve assets from public gem dir. Look at this exemple: https://github.com/krschacht/rails_3_engine_demo

Particularly this commit (including a fix for serving public assets from the built gem): https://github.com/krschacht/rails_3_engine_demo/commit/73b93832e8a134c36e9e79f4095bd0e293e35124

I didn't try this plugin to see if it works as you expect, but it seems to...

Cheers, Jej

ps: I guess #{root} refers to the gem root plugin.

[neerajsingh0101]

well in that case I will I will give a real try . will let u know how that goes. Thanks for the pointer.