pmq20 / mathjax-rails

Simple gem to integrate MathJax with Rails and maintain MathJax in a system-wide directory.
MIT License
66 stars, 30 forks

Path traversal vulnerability without Session #26

Status: Open. olivervbk opened this issue 7 years ago.

olivervbk commented 7 years ago

Hi,

I've noticed that the function `def giveOutStaticFile` does not properly sanitize the `uri` variable:

```ruby
# filename is built directly from request parameters
filename = params[:uri]+ext
# ... and then interpolated unchecked into the path that is served
filepath = "../../../../vendor/#{Mathjax::Rails::DIRNAME}/#{filename}"

extname = File.extname(filename)[1..-1]
mime_type = Mime::Type.lookup_by_extension(extname)
options = Hash.new
options[:type] = mime_type.to_s unless mime_type.nil?
options[:disposition] = 'inline'
file = File.expand_path(filepath, __FILE__)
```

So it is possible to inject URLs like `/mathjax/%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/passwd` or, on Heroku apps, `/mathjax/%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F../apps/Gemfile`.

Suggested fix (please check the PR: https://github.com/pmq20/mathjax-rails/pull/25):

```ruby
return render status: 404 if Pathname.new(filename).cleanpath.to_s != filename
```

Please consider that both `params[:uri]` and `params[:ext]` could be subject to path traversal, since both are included in the `filename` variable.

If there is anything I can help you with, please feel free to ask.

Best regards, Oliver Kuster
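The following is an added example, not code from the gem or from the reporter: it reproduces the unchecked path construction quoted above beside a hardened resolver that applies the proposed `cleanpath` check and additionally confirms the resolved file stays under the serving directory. `MATHJAX_ROOT`, `vulnerable_path` and `resolve_static_file` are names assumed for this example; the inputs are the URL-decoded form of the traversal the issue describes.

```ruby
require "pathname"

# Directory the handler may serve from (assumed location for this example).
MATHJAX_ROOT = File.expand_path("vendor/mathjax", Dir.pwd)

# Mirrors the construction quoted in the issue: the request parameters are
# concatenated and interpolated into a relative path with no validation, so
# "../" segments walk out of the vendor directory.
def vulnerable_path(uri, ext)
  filename = uri.to_s + ext.to_s
  filepath = "../../../../vendor/mathjax/#{filename}"
  File.expand_path(filepath, __FILE__)
end

# The check proposed in the issue: any path that cleanpath would rewrite
# (contains "..", ".", or doubled slashes) is rejected outright.
def cleanpath_ok?(filename)
  Pathname.new(filename).cleanpath.to_s == filename
end

# Hardened resolver: string check first, then reject absolute paths, then
# resolve the final path and require that it sits inside MATHJAX_ROOT.
# File.join keeps a leading "~" from being expanded as a home directory.
# Returns the absolute path to serve, or nil when the request must be refused.
def resolve_static_file(uri, ext, root = MATHJAX_ROOT)
  filename = uri.to_s + ext.to_s
  return nil unless cleanpath_ok?(filename)
  return nil if Pathname.new(filename).absolute?
  full = File.expand_path(File.join(root, filename))
  return nil unless full.start_with?(root + File::SEPARATOR)
  full
end

if __FILE__ == $PROGRAM_NAME
  traversal = "/../../../../../../../../../../../../etc/passwd"
  puts "vulnerable: #{vulnerable_path(traversal, '')}"          # escapes to /etc/passwd
  puts "hardened:   #{resolve_static_file(traversal, '').inspect}" # nil
  puts "legit:      #{resolve_static_file('MathJax', '.js')}"
end
```

The containment check is the one that matters for a 404 decision; the `cleanpath` comparison alone would still accept an absolute path such as `/etc/passwd`.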