begin of work on pseudo-sandbox mode

Mzack9999 · Mzack9999 · commit 0917068048ec · 2021-04-19T00:40:51.000+02:00
diff --git a/internal/runner/options.go b/internal/runner/options.go
@@ -29,6 +29,8 @@ type Options struct {
 	TCPWithTLS     bool
 	Version        bool
 	Silent         bool
+	Sandbox        bool
+	MaxFileSize    int
 }
 
 // ParseOptions parses the command line options for application
@@ -49,6 +51,8 @@ func ParseOptions() *Options {
 	flag.StringVar(&options.Realm, "realm", "Please enter username and password", "Realm")
 	flag.BoolVar(&options.Version, "version", false, "Show version of the software")
 	flag.BoolVar(&options.Silent, "silent", false, "Show only results in the output")
+	flag.BoolVar(&options.Sandbox, "sandbox", false, "Enable sandbox mode")
+	flag.IntVar(&options.MaxFileSize, "max-file-size", 50, "Max Upload File Size")
 
 	flag.Parse()
 
diff --git a/internal/runner/runner.go b/internal/runner/runner.go
@@ -57,6 +57,8 @@ func New(options *Options) (*Runner, error) {
 		BasicAuthPassword: r.options.password,
 		BasicAuthReal:     r.options.Realm,
 		Verbose:           r.options.Verbose,
+		Sandbox:           r.options.Sandbox,
+		MaxFileSize:       r.options.MaxFileSize,
 	})
 	if err != nil {
 		return nil, err
diff --git a/pkg/httpserver/httpserver.go b/pkg/httpserver/httpserver.go
@@ -1,7 +1,10 @@
 package httpserver
 
 import (
+	"errors"
 	"net/http"
+	"os"
+	"path/filepath"
 
 	"github.com/projectdiscovery/sslcert"
 )
@@ -19,6 +22,8 @@ type Options struct {
 	BasicAuthPassword string
 	BasicAuthReal     string
 	Verbose           bool
+	Sandbox           bool
+	MaxFileSize       int // 50Mb
 }
 
 // HTTPServer instance
@@ -32,9 +37,22 @@ func New(options *Options) (*HTTPServer, error) {
 	var h HTTPServer
 	EnableUpload = options.EnableUpload
 	EnableVerbose = options.Verbose
-	h.layers = h.loglayer(http.FileServer(http.Dir(options.Folder)))
+	folder, err := filepath.Abs(options.Folder)
+	if err != nil {
+		return nil, err
+	}
+	if _, err := os.Stat(folder); os.IsNotExist(err) {
+		return nil, errors.New("path does not exist")
+	}
+	options.Folder = folder
+	var dir http.FileSystem
+	dir = http.Dir(options.Folder)
+	if options.Sandbox {
+		dir = SandboxFileSystem{fs: http.Dir(options.Folder), RootFolder: options.Folder}
+	}
+	h.layers = h.loglayer(http.FileServer(dir))
 	if options.BasicAuthUsername != "" || options.BasicAuthPassword != "" {
-		h.layers = h.loglayer(h.basicauthlayer(http.FileServer(http.Dir(options.Folder))))
+		h.layers = h.loglayer(h.basicauthlayer(http.FileServer(dir)))
 	}
 	h.options = options
 
diff --git a/pkg/httpserver/loglayer.go b/pkg/httpserver/loglayer.go
@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"net/http/httputil"
 	"path"
+	"path/filepath"
 
 	"github.com/projectdiscovery/gologger"
 )
@@ -24,13 +25,54 @@ func (t *HTTPServer) loglayer(handler http.Handler) http.Handler {
 
 		// Handles file write if enabled
 		if EnableUpload && r.Method == http.MethodPut {
-			data, err := ioutil.ReadAll(r.Body)
+			// sandbox - calcolate absolute path
+			if t.options.Sandbox {
+				absPath, err := filepath.Abs(filepath.Join(t.options.Folder, r.URL.Path))
+				if err != nil {
+					gologger.Print().Msgf("%s\n", err)
+					w.WriteHeader(http.StatusBadRequest)
+					return
+				}
+				// check if the path is within the configured folder
+				pattern := t.options.Folder + string(filepath.Separator) + "*"
+				matched, err := filepath.Match(pattern, absPath)
+				if err != nil {
+					gologger.Print().Msgf("%s\n", err)
+					w.WriteHeader(http.StatusBadRequest)
+					return
+				} else if !matched {
+					gologger.Print().Msg("pointing to unauthorized directory")
+					w.WriteHeader(http.StatusBadRequest)
+					return
+				}
+			}
+
+			var (
+				data []byte
+				err  error
+			)
+			if t.options.Sandbox {
+				maxFileSize := toMb(t.options.MaxFileSize)
+				// check header content length
+				if r.ContentLength > maxFileSize {
+					gologger.Print().Msg("request too large")
+					return
+				}
+				// body max length
+				r.Body = http.MaxBytesReader(w, r.Body, maxFileSize)
+			}
+
+			data, err = ioutil.ReadAll(r.Body)
 			if err != nil {
 				gologger.Print().Msgf("%s\n", err)
+				w.WriteHeader(http.StatusInternalServerError)
+				return
 			}
 			err = handleUpload(path.Base(r.URL.Path), data)
 			if err != nil {
 				gologger.Print().Msgf("%s\n", err)
+				w.WriteHeader(http.StatusInternalServerError)
+				return
 			}
 		}
 
diff --git a/pkg/httpserver/sandboxfs.go b/pkg/httpserver/sandboxfs.go
@@ -0,0 +1,55 @@
+package httpserver
+
+import (
+	"errors"
+	"net/http"
+	"path/filepath"
+)
+
+type SandboxFileSystem struct {
+	fs         http.FileSystem
+	RootFolder string
+}
+
+func (sbfs SandboxFileSystem) Open(path string) (http.File, error) {
+	abspath, err := filepath.Abs(filepath.Join(sbfs.RootFolder, path))
+	if err != nil {
+		return nil, err
+	}
+
+	filename := filepath.Base(abspath)
+	// rejects names starting with a dot like .file
+	dotmatch, err := filepath.Match(".*", filename)
+	if err != nil {
+		return nil, err
+	} else if dotmatch {
+		return nil, errors.New("invalid file")
+	}
+
+	// reject symlinks
+	symlinkCheck, err := filepath.EvalSymlinks(abspath)
+	if err != nil {
+		return nil, err
+	}
+	if symlinkCheck != abspath {
+		return nil, errors.New("symlinks not allowed")
+	}
+
+	// check if the path is within the configured folder
+	if sbfs.RootFolder != abspath {
+		pattern := sbfs.RootFolder + string(filepath.Separator) + "*"
+		matched, err := filepath.Match(pattern, abspath)
+		if err != nil {
+			return nil, err
+		} else if !matched {
+			return nil, errors.New("invalid file")
+		}
+	}
+
+	f, err := sbfs.fs.Open(path)
+	if err != nil {
+		return nil, err
+	}
+
+	return f, nil
+}
diff --git a/pkg/httpserver/util.go b/pkg/httpserver/util.go
@@ -0,0 +1,5 @@
+package httpserver
+
+func toMb(n int) int64 {
+	return int64(n) * 1024 * 1024
+}
