-rw-r--r--  gemini/gemlog/2021-04-08-devlog-5-fun-bug.gmi  47
-rw-r--r--  gemini/gemlog/index.gmi                        2
-rw-r--r--  gemini/index.gmi                               11
-rwxr-xr-x  stats/calc.sh                                  21
4 files changed, 76 insertions, 5 deletions
diff --git a/gemini/gemlog/2021-04-08-devlog-5-fun-bug.gmi b/gemini/gemlog/2021-04-08-devlog-5-fun-bug.gmi
new file mode 100644
index 0000000..9adbf8a
--- /dev/null
+++ b/gemini/gemlog/2021-04-08-devlog-5-fun-bug.gmi
@@ -0,0 +1,47 @@
+# Devlog 5 - Fun Bug
+
+I fudged up the title for devlog 4, but today I found a fun bug.
+
+I was looking through the logs for my server and I saw some interesting errors. Mainly with people using invalid uris. But then I thought more about URIs.
+
+## Relative paths
+
+I realized the logic I had to take a requested URI and translate it to a file was flawed. It took the URI as provided, grabbed it's path then just combined that with the document root.
+
+That's very much a bad idea
+
+## Escaping the capsule
+
+The capsule was configured to serve files from /var/gemini so if you requested /gemlog/a-post.gmi you'd be served: /var/gemini/gemlog/a-post.gmi
+
+Now if you requested: /gemlog/../file.gmi you'd be served: /var/gemini/file.gmi
+
+But where this becomes an issue is: /../../file.txt you've now requested /file.txt which is from the root of the filesystem. Which means with two back paths you can request any file on the system.
+
+## The fix
+
+
+```java diff
+- Path docPath = Paths.get(docRoot, path);
++ // Normalize the URI path before we append it to our docRoot
++ // This will ensure you can' /var/gemini/../../etc/passwd for example
++ Path docPath = Paths.get(docRoot, Path.of(path).normalize().toString()).normalize();
+```
+
+=> https://github.com/s3nd3r5/java-gemini-server/compare/8e69a376...bb1b8fd4 [https] Source Diff
+
+## I was lucky
+
+I looked at all the files requested and no one in the 400 or so requests (100 or so of are my own) and no one used a back path.
+
+While I don't actually serve any sensitive content and I was serving data from a docker container so it was sandboxed.
+
+## Check your server
+
+If you rolled your own server, or are using a super lightweight server, check how it handles relative paths or things like symlinks and other tricky file system features that could provide a way for some malicious or curious user to do what you weren't expecting.
+
+# Links
+
+=> https://github.com/s3nd3r5/java-gemini-server [https] Java Gemini Server Source
+=> /gemlog/ Gemlog
+=> / Home \ No newline at end of file
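Review bot: the fix at `+ Path docPath = Paths.get(docRoot, Path.of(path).normalize().toString()).normalize();` only holds while the request path is absolute. `Path.of("/../../file.txt").normalize()` collapses the leading `..` segments to `/file.txt` because the path is rooted, but if `path` ever arrives without a leading `/`, `Path.of("../../file.txt").normalize()` keeps its `..` segments and the outer `normalize()` still resolves outside `docRoot`. Add an explicit containment check after normalization and refuse the request unless `docPath.startsWith(Paths.get(docRoot).normalize())`, so the guarantee no longer depends on how the path was parsed. `normalize()` is purely lexical, so it also does nothing for the symlink case raised under "Check your server" in the same post; `toRealPath()` followed by the same `startsWith` check would cover that. Minor: the comment `+ // This will ensure you can' /var/gemini/../../etc/passwd for example` is missing a word ("can't request").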
diff --git a/gemini/gemlog/index.gmi b/gemini/gemlog/index.gmi
index 9e52eca..cf69e6e 100644
--- a/gemini/gemlog/index.gmi
+++ b/gemini/gemlog/index.gmi
@@ -4,6 +4,8 @@ Welcome to my gemlog. I post whenever I do something I feel is worth writing abo
## My posts
+
+=> 2021-04-08-devlog-5-fun-bug.gmi 2021-04-08 - Devlog 5 - Fun Bug
=> 2021-04-07-devlog-4-deployed-in-production.gmi 2021-04-07 - Deployed in Production
=> cert-migration-done-2021-04-06.gmi 2021-04-06 - Cert Migration Done
=> 2021-04-05-skateboarding.gmi 2021-04-05 - Skateboarding
diff --git a/gemini/index.gmi b/gemini/index.gmi
index 5733ac1..f4ea114 100644
--- a/gemini/index.gmi
+++ b/gemini/index.gmi
@@ -19,10 +19,6 @@
Thank you for visiting my capsule! Currently my gemlog is my main page so check it out!
-## Cert migration
-
-I migrated my cert! Sorry for the inconvenience!
-
## Highlighted post
=> /gemlog/2021-03-21-music-spotlight-top-album-2020.gmi Music Spotlight: Top Album of 2020
@@ -38,7 +34,7 @@ I am a software engineer, whose career has focused around infrastructure and dev
* sci-fi (books, tv, movies)
* and other general nerd things
-So far I've kept a consistent gemlog about all of thsoe topics, even posting my own music and other media to accompy some of them.
+So far I've kept a consistent gemlog about all of those topics, even posting my own music and other media to accompany some of them.
I am in the Eastern North America timezone (EST/EDT) so you'll find me active during those hours. I lurk the IRC and mailing list, so you may find me there.
@@ -57,4 +53,9 @@ and you can find me on the gemini IRC.
And if there is anything critical about this capsule/hosting/security please send anything to:
=> mailto:admin@senders.io [mailto] admin <at> senders.io
+
Thanks! And if you sub, shoot me an email and I'll happily sub back :)
+
+## P.S - Cert migration (2021-04-06)
+
+I migrated my cert! Sorry for the inconvenience!
diff --git a/stats/calc.sh b/stats/calc.sh
new file mode 100755
index 0000000..e0005bf
--- /dev/null
+++ b/stats/calc.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+LOGFILE=$1
+OUTFILE=$2
+
+if [ $# -lt 2 ]; then
+ echo "Usage:
+ ./calc.sh logs/access.log gemini/stats.gmi
+ "
+fi
+
+TODAY=$(date -Id)
+echo -e "Stats for day:\t$TODAY" > $OUTFILE
+echo -e "Total Reqs:\t"$(grep 'OUT' ${LOGFILE} | grep "${TODAY}" | wc -l) >> $OUTFILE
+echo -e "Gemlog Reads:\t"$(grep 'IN' ${LOGFILE} | grep "${TODAY}" | grep "gemlog" | grep "gmi" | wc -l) >> $OUTFILE
+echo "Top 5 Gemlogs" >> $OUTFILE
+echo "--------------" >> $OUTFILE
+grep "IN" ${LOGFILE} | grep "${TODAY}" | cut -f4 | grep "gemlog" | grep ".gmi" | sort | uniq -c | sort -rn | head -n5 >> $OUTFILE
+echo -e "\n// generated $(date -u -Is)" >> $OUTFILE
+
+
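Review bot: the usage branch at `+if [ $# -lt 2 ]; then` prints the message but never exits, so with missing arguments the script carries on with `OUTFILE` empty, `> $OUTFILE` fails with an ambiguous-redirect error, and the `grep` calls on an empty `${LOGFILE}` block reading stdin; add `exit 1` after the `echo`. While here, quote `"$OUTFILE"` and `"$LOGFILE"` in every redirect and `grep` so paths containing spaces do not split, and escape the dot in `grep ".gmi"` (`grep '\.gmi'`), since an unescaped `.` matches any character and the filter is looser than the "Gemlog Reads" label suggests. `cut -f4` also assumes the access log is tab-separated; a one-line comment documenting the expected log format would make that dependency visible.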