On Wed, Jun 7, 2017 at 11:59 PM, John D. Ament <[email protected]> wrote:
> See email:
> https://lists.apache.org/thread.html/fb174e74b7398059925a070d0441e53eb397f4d137749f57ce3a903c@%3Cprivate.incubator.apache.org%3E
>
> Even though it successfully added David, I receive a 500 ISE pop up.
Relevant portion of the error log:
App 30955 stderr: _ERROR #<SecurityError: Insecure operation - exist?>
App 30955 stderr: _WARN /x1/srv/whimsy/lib/whimsy/asf/podlings.rb:214:in `exist?'
App 30955 stderr: _WARN /x1/srv/whimsy/lib/whimsy/asf/podlings.rb:214:in `podlingStatus'
App 30955 stderr: _WARN /x1/srv/whimsy/www/roster/models/ppmc.rb:50:in `serialize'
App 30955 stderr: _WARN /x1/srv/whimsy/www/roster/views/actions/ppmc.json.rb:123:in `_evaluate'
Extract from ppmc.json:
# return updated committee info to the client
PPMC.serialize(@project, env)
Extract from podlings.rb:
def podlingStatus
  incubator_content = ASF::SVN['asf/incubator/public/trunk/content']
  resource_yml = "#{incubator_content}/podlings/#{@resource}.yml"
  if File.exist?(resource_yml)
Conclusion: resource_yml is constructed using at least one source that
can't automatically be trusted. @resource is read from a file, and
could contain a dangerous value (e.g. "../../../../../etc/passwd").
Solution is something along the lines of:
@resource.untaint if @resource =~ /\A\w+\Z/
Adjust the regular expression as needed.
> John
- Sam Ruby
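The allow-list check proposed in the message above, written out as a stand-alone Ruby example (added here; it is not Whimsy's code). It assumes a content directory passed in as a plain string instead of the ASF::SVN lookup, and the helper names `safe_resource_name` and `podling_yml_path` are invented for the illustration. The name pattern uses `\z` rather than `\Z`, so a value with a trailing newline is rejected too, and the resolved path is additionally confined below the content directory as a second line of defence.

```ruby
# Added example, not Whimsy's code: validate a podling name before it is
# interpolated into a filesystem path, as suggested in the message above.

# Letters, digits and underscore only. \z anchors at the very end of the
# string; \Z would still accept a trailing newline.
SAFE_NAME = /\A\w+\z/

# Returns a (untainted) copy of the name when it matches the allow-list,
# nil otherwise.
def safe_resource_name(name)
  return nil unless name.is_a?(String) && name =~ SAFE_NAME
  name = name.dup
  # Object#untaint exists on Ruby < 3.2 only (a no-op from 2.7 on), so
  # guard the call to keep the example runnable on current rubies.
  name.untaint if name.respond_to?(:untaint)
  name
end

# Builds the podlings/<name>.yml path the way podlingStatus does, but only
# for validated names, and refuses any result outside content_dir.
def podling_yml_path(content_dir, resource)
  name = safe_resource_name(resource)
  return nil unless name
  base = File.expand_path(content_dir)
  path = File.expand_path("podlings/#{name}.yml", base)
  return nil unless path.start_with?(base + File::SEPARATOR)
  path
end

if __FILE__ == $0
  base = '/tmp/incubator-content' # constructed sample directory
  puts podling_yml_path(base, 'foo').inspect
  puts podling_yml_path(base, '../../../../../etc/passwd').inspect
  puts podling_yml_path(base, "foo\n").inspect
end
```

The `start_with?` check is redundant once the regex holds, but keeping it means a later relaxation of the pattern (hyphens, dots) cannot silently reopen the traversal.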