diff options
-rw-r--r-- | gemini/gemlog/2021-04-08-devlog-5-fun-bug.gmi | 47 | ||||
-rw-r--r-- | gemini/gemlog/index.gmi | 2 | ||||
-rw-r--r-- | gemini/index.gmi | 11 | ||||
-rwxr-xr-x | stats/calc.sh | 21 |
4 files changed, 76 insertions, 5 deletions
diff --git a/gemini/gemlog/2021-04-08-devlog-5-fun-bug.gmi b/gemini/gemlog/2021-04-08-devlog-5-fun-bug.gmi new file mode 100644 index 0000000..9adbf8a --- /dev/null +++ b/gemini/gemlog/2021-04-08-devlog-5-fun-bug.gmi @@ -0,0 +1,47 @@ +# Devlog 5 - Fun Bug + +I fudged up the title for devlog 4, but today I found a fun bug. + +I was looking through the logs for my server and I saw some interesting errors. Mainly with people using invalid uris. But then I thought more about URIs. + +## Relative paths + +I realized the logic I had to take a requested URI and translate it to a file was flawed. It took the URI as provided, grabbed it's path then just combined that with the document root. + +That's very much a bad idea + +## Escaping the capsule + +The capsule was configured to serve files from /var/gemini so if you requested /gemlog/a-post.gmi you'd be served: /var/gemini/gemlog/a-post.gmi + +Now if you requested: /gemlog/../file.gmi you'd be served: /var/gemini/file.gmi + +But where this becomes an issue is: /../../file.txt you've now requested /file.txt which is from the root of the filesystem. Which means with two back paths you can request any file on the system. + +## The fix + + +```java diff +- Path docPath = Paths.get(docRoot, path); ++ // Normalize the URI path before we append it to our docRoot ++ // This will ensure you can' /var/gemini/../../etc/passwd for example ++ Path docPath = Paths.get(docRoot, Path.of(path).normalize().toString()).normalize(); +``` + +=> https://github.com/s3nd3r5/java-gemini-server/compare/8e69a376...bb1b8fd4 [https] Source Diff + +## I was lucky + +I looked at all the files requested and no one in the 400 or so requests (100 or so of are my own) and no one used a back path. + +While I don't actually serve any sensitive content and I was serving data from a docker container so it was sandboxed. + +## Check your server + +If you rolled your own server, or are using a super lightweight server, check how it handles relative paths or things like symlinks and other tricky file system features that could provide a way for some malicious or curious user to do what you weren't expecting. + +# Links + +=> https://github.com/s3nd3r5/java-gemini-server [https] Java Gemini Server Source +=> /gemlog/ Gemlog +=> / Home
\ No newline at end of file diff --git a/gemini/gemlog/index.gmi b/gemini/gemlog/index.gmi index 9e52eca..cf69e6e 100644 --- a/gemini/gemlog/index.gmi +++ b/gemini/gemlog/index.gmi @@ -4,6 +4,8 @@ Welcome to my gemlog. I post whenever I do something I feel is worth writing abo ## My posts + +=> 2021-04-08-devlog-5-fun-bug.gmi 2021-04-08 - Devlog 5 - Fun Bug => 2021-04-07-devlog-4-deployed-in-production.gmi 2021-04-07 - Deployed in Production => cert-migration-done-2021-04-06.gmi 2021-04-06 - Cert Migration Done => 2021-04-05-skateboarding.gmi 2021-04-05 - Skateboarding diff --git a/gemini/index.gmi b/gemini/index.gmi index 5733ac1..f4ea114 100644 --- a/gemini/index.gmi +++ b/gemini/index.gmi @@ -19,10 +19,6 @@ Thank you for visiting my capsule! Currently my gemlog is my main page so check it out! -## Cert migration - -I migrated my cert! Sorry for the inconvenience! - ## Highlighted post => /gemlog/2021-03-21-music-spotlight-top-album-2020.gmi Music Spotlight: Top Album of 2020 @@ -38,7 +34,7 @@ I am a software engineer, whose career has focused around infrastructure and dev * sci-fi (books, tv, movies) * and other general nerd things -So far I've kept a consistent gemlog about all of thsoe topics, even posting my own music and other media to accompy some of them. +So far I've kept a consistent gemlog about all of those topics, even posting my own music and other media to accompany some of them. I am in the Eastern North America timezone (EST/EDT) so you'll find me active during those hours. I lurk the IRC and mailing list, so you may find me there. @@ -57,4 +53,9 @@ and you can find me on the gemini IRC. And if there is anything critical about this capsule/hosting/security please send anything to: => mailto:admin@senders.io [mailto] admin <at> senders.io + Thanks! And if you sub, shoot me an email and I'll happily sub back :) + +## P.S - Cert migration (2021-04-06) + +I migrated my cert! Sorry for the inconvenience! diff --git a/stats/calc.sh b/stats/calc.sh new file mode 100755 index 0000000..e0005bf --- /dev/null +++ b/stats/calc.sh @@ -0,0 +1,21 @@ +#!/usr/bin/env bash + +LOGFILE=$1 +OUTFILE=$2 + +if [ $# -lt 2 ]; then + echo "Usage: + ./calc.sh logs/access.log gemini/stats.gmi + " +fi + +TODAY=$(date -Id) +echo -e "Stats for day:\t$TODAY" > $OUTFILE +echo -e "Total Reqs:\t"$(grep 'OUT' ${LOGFILE} | grep "${TODAY}" | wc -l) >> $OUTFILE +echo -e "Gemlog Reads:\t"$(grep 'IN' ${LOGFILE} | grep "${TODAY}" | grep "gemlog" | grep "gmi" | wc -l) >> $OUTFILE +echo "Top 5 Gemlogs" >> $OUTFILE +echo "--------------" >> $OUTFILE +grep "IN" ${LOGFILE} | grep "${TODAY}" | cut -f4 | grep "gemlog" | grep ".gmi" | sort | uniq -c | sort -rn | head -n5 >> $OUTFILE +echo -e "\n// generated $(date -u -Is)" >> $OUTFILE + + |