From 71bcc79c20199723e2a906915275938635e2d9a0 Mon Sep 17 00:00:00 2001 From: Dan Puttick Date: Thu, 16 Mar 2017 12:22:26 -0400 Subject: [PATCH 1/2] Remove rtl override char from file dst_path The unicode right to left override character can be used for various attacks. This commit: * Detects this character in the filename on the source key * Strips it from the path before copying it to the dest key * Marks the file as dangerous (this character doesn't belong in a filename) --- bin/filecheck.py | 33 +++++++++++++++++++++++++-------- 1 file changed, 25 insertions(+), 8 deletions(-) diff --git a/bin/filecheck.py b/bin/filecheck.py index 3dc26dd..da7e00b 100644 --- a/bin/filecheck.py +++ b/bin/filecheck.py @@ -130,11 +130,14 @@ def _check_dangerous(self): self.make_dangerous('malicious_extension') def _check_extension(self): - """Guesses the file's mimetype based on its extension. If the file's - mimetype (as determined by libmagic) is contained in the mimetype - module's list of valid mimetypes and the expected mimetype based on its - extension differs from the mimetype determined by libmagic, then it - marks the file as dangerous.""" + """ + Guess the file's mimetype based on its extension. + + If the file's mimetype (as determined by libmagic) is contained in + the `mimetype` module's list of valid mimetypes and the expected + mimetype based on its extension differs from the mimetype determined + by libmagic, then mark the file as dangerous. + """ if self.extension in Config.override_ext: expected_mimetype = Config.override_ext[self.extension] else: @@ -148,9 +151,12 @@ def _check_extension(self): self.make_dangerous('expected_mimetype') def _check_mimetype(self): - """Takes the mimetype (as determined by libmagic) and determines - whether the list of extensions that are normally associated with - that extension contains the file's actual extension.""" + """ + Compare mimetype (as determined by libmagic) to extension. + + Determine whether the extension that are normally associated with + the mimetype include the file's actual extension. + """ if self.mimetype in Config.aliases: mimetype = Config.aliases[self.mimetype] else: @@ -162,8 +168,19 @@ def _check_mimetype(self): # LOG: improve this string self.make_dangerous('expected extensions') + def _check_filename(self): + if self.filename[0] is '.': + # handle dotfiles + pass + right_to_left_override = u"\u202E" + if right_to_left_override in self.filename: + self.make_dangerous('Filename contains dangerous character') + self.dst_path = self.dst_path.replace(right_to_left_override, '') + # TODO: change self.filename and'filename' property? + def check(self): self._check_dangerous() + self._check_filename() if self.has_extension: self._check_extension() if self.has_mimetype: From 2a5decf0ad2defa99bd71ce78748956701ecf85f Mon Sep 17 00:00:00 2001 From: Dan Puttick Date: Thu, 16 Mar 2017 17:34:20 -0400 Subject: [PATCH 2/2] Add rtl sample file to src_invalid --- "tests/src_invalid/testRTL\342\200\256exe.txt" | 1 + 1 file changed, 1 insertion(+) create mode 100644 "tests/src_invalid/testRTL\342\200\256exe.txt" diff --git "a/tests/src_invalid/testRTL\342\200\256exe.txt" "b/tests/src_invalid/testRTL\342\200\256exe.txt" new file mode 100644 index 0000000..3933f42 --- /dev/null +++ "b/tests/src_invalid/testRTL\342\200\256exe.txt" @@ -0,0 +1 @@ +RTL test file generated by D. Puttick \ No newline at end of file