My custom branch(es) on git.pleroma.social/pleroma/pleroma
git clone https://hacktivis.me/git/pleroma.git
commit: 18a0c923d0da4c8fb6e33b383dabd1d06bb22968
parent 2d193861db00a548f6339e80f2297b5619e0cb04
Author: Mark Felder <feld@feld.me>
Date:   Thu,  3 Aug 2023 13:08:37 -0400

Resolve information disclosure vulnerability through emoji pack archive download endpoint

The pack name has been sanitized so an attacker cannot upload a media
file called pack.json with their own handcrafted list of emoji files as
arbitrary files on the filesystem and then call the emoji pack archive
download endpoint with a pack name crafted to the location of the media
file they uploaded, which tricks Pleroma into generating a zip file of
the target files the attacker wants to download.

The attack only works if the Pleroma instance does not have the
AnonymizeFilename upload filter enabled, which is currently the default.

Reported by: graf@poast.org

Diffstat:

A changelog.d/emoji-pack-sanitization.security | 1 +
M lib/pleroma/emoji/pack.ex                     | 1 +
M test/pleroma/emoji/pack_test.exs              | 4 ++++

3 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/changelog.d/emoji-pack-sanitization.security b/changelog.d/emoji-pack-sanitization.security @@ -0,0 +1 @@ +Emoji pack loader sanitizes pack names diff --git a/lib/pleroma/emoji/pack.ex b/lib/pleroma/emoji/pack.ex @@ -285,6 +285,7 @@ defmodule Pleroma.Emoji.Pack do @spec load_pack(String.t()) :: {:ok, t()} | {:error, :file.posix()} def load_pack(name) do + name = Path.basename(name) pack_file = Path.join([emoji_path(), name, "pack.json"]) with {:ok, _} <- File.stat(pack_file), diff --git a/test/pleroma/emoji/pack_test.exs b/test/pleroma/emoji/pack_test.exs @@ -90,4 +90,8 @@ defmodule Pleroma.Emoji.PackTest do assert updated_pack.files_count == 1 end + + test "load_pack/1 ignores path traversal in a forged pack name", %{pack: pack} do + assert {:ok, ^pack} = Pack.load_pack("../../../../../dump_pack") + end end
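Review bot: `name = Path.basename(name)` at the top of `load_pack/1` strips every directory component before the `Path.join([emoji_path(), name, "pack.json"])` lookup, so a name carrying `../` segments can no longer move the lookup out of the emoji directory, which is exactly what the new test checks. Two follow-ups: `Path.basename/1` returns the names `.` and `..` unchanged, so consider rejecting those two explicitly (or validating the name against the allowed pack-name characters) rather than relying on basename alone; and since the rebound `name` is used by the rest of the function, a one-line comment stating that this rebinding is the traversal guard would keep a later refactor from moving it below the `Path.join`.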
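Review bot: the new `load_pack/1` test covers only a relative traversal that resolves back to the fixture pack. Consider a second case for a name that sanitizes to a pack that does not exist under `emoji_path()` (expecting an `{:error, _}` tuple from the `File.stat/1` branch, as the `@spec` allows) and an absolute form such as `Pack.load_pack("/dump_pack")`, so the guard is pinned for both shapes of input rather than the single happy path.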