security hardening

Author: MikhailTymchukDX

AjaxControlToolkit.SampleSite/AjaxFileUpload/AjaxFileUpload.aspx

@@ -38,7 +38,7 @@
 
         function createFileInfo(e) {
             var holder = document.createElement('div');
-            holder.appendChild(document.createTextNode(e.get_fileName() + ' with size ' + e.get_fileSize() + ' bytes'));
+            holder.appendChild(document.createTextNode(e.get_fileName() + ' with size ' + (e.get_fileSize() / 1024).toFixed(2) + ' KB'));
 
             return holder;
         }

AjaxControlToolkit.SampleSite/Global.asax

@@ -1,6 +1,7 @@
 <%@ Application Language="C#" %>
 <%@ Import Namespace="System.Web.Optimization" %>
 <%@ Import Namespace="AjaxControlToolkit" %>
+<%@ Import Namespace="System.IO" %>
 
 <script RunAt="server">
 
@@ -12,6 +13,13 @@
             "~/Scripts/WebForms/MsAjax/MicrosoftAjaxWebForms.js"));
 
         BundleTable.EnableOptimizations = true;
+
+        var tempFolder = Server.MapPath(ToolkitConfig.TempFolder);
+        foreach(var dir in Directory.EnumerateDirectories(tempFolder)) {
+            try {
+                Directory.Delete(dir, true);
+            } catch { }
+        }
     }
 
 </script>

AjaxControlToolkit.SampleSite/Web.config

@@ -12,6 +12,16 @@
     renderStyleLinks="false"
     htmlSanitizer="AjaxControlToolkit.HtmlEditor.Sanitizer.DefaultHtmlSanitizer, AjaxControlToolkit.HtmlEditor.Sanitizer"
     tempFolder="~/Temp"/>
+  <location path="Temp">
+    <system.webServer>
+      <handlers>
+        <clear/>
+      </handlers>
+      <modules>
+        <clear/>
+      </modules>
+    </system.webServer>
+  </location>
   <system.web>
     <compilation debug="true" targetFramework="4.0"/>
     <machineKey validation="SHA1" decryptionKey="7EE421F6987EAFF4998E0F2ED5544AF1B931C82A1602BC2E" validationKey="5278D83EDD8E36C27E019D3E975D62A3FDF0E8EF50DB69F659D03EB18A4459D2B3271AA075173012EF122E2B7BFA49CDE16CC0DCC68F3E862E1EEE491D300DC9" />

AjaxControlToolkit.Tests/AjaxControlToolkit.Tests.csproj

@@ -81,6 +81,7 @@
     <Folder Include="Properties\" />
   </ItemGroup>
   <ItemGroup>
+    <Compile Include="AjaxFileUploadTests.cs" />
     <Compile Include="BaseValidatorTests.cs" />
     <Compile Include="BundleResolverTests.cs" />
     <Compile Include="JasmineTests.cs" />
@@ -96,6 +97,7 @@
     <Compile Include="LocalizationTests.cs" />
     <Compile Include="HtmlSanitizer\DefaultHtmlSanitizerTests.cs" />
     <Compile Include="MultipartFormDataParserTests.cs" />
+    <Compile Include="WorkerRequest.cs" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="..\AjaxControlToolkit.HtmlEditor.Sanitizer\AjaxControlToolkit.HtmlEditor.Sanitizer.csproj">

AjaxControlToolkit.Tests/AjaxFileUploadTests.cs

@@ -0,0 +1,64 @@
+using NUnit.Framework;
+using System;
+using System.IO;
+using System.Web;
+using System.Web.Hosting;
+
+namespace AjaxControlToolkit.Tests {
+
+    [TestFixture]
+    public class AjaxFileUploadTests {
+        string _tempFolder;
+
+        [OneTimeSetUp]
+        public void Init() {
+            _tempFolder = AjaxFileUpload.GetRootTempFolder();
+        }
+
+        [SetUp]
+        public void ClearTempFoder() {
+            if(Directory.Exists(_tempFolder))
+                Directory.Delete(_tempFolder, true);
+        }
+
+        [Test]
+        public void NotAllowedFileExtensionIsBlocked() {
+            var request = new WorkerRequest("", "fileName=aaa.exe", "");
+            var context = new HttpContext(request);
+            Assert.Throws<Exception>(() => AjaxFileUploadHelper.Process(context));
+        }
+        
+        [Test]
+        public void AllowedFileExtensionIsAccepted() {
+            var request = new WorkerRequest("------WebKitFormBoundaryCqenIHPHe1ZTCr0d\r\nContent-Disposition: form-data; name=\"act-file-data\"; filename=\"zero.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n\r\n------WebKitFormBoundaryCqenIHPHe1ZTCr0d--\r\n", "filename=aaa.jpg&fileId=E63F2078-D5C7-66FA-5CAD-02C169149BD5", "multipart/form-data; boundary=----WebKitFormBoundaryCqenIHPHe1ZTCr0d");
+            var context = new HttpContext(request);
+            AjaxFileUploadHelper.Process(context);
+            Assert.True(File.Exists(Path.Combine(_tempFolder, "E63F2078-D5C7-66FA-5CAD-02C169149BD5", "aaa.jpg.tmp")));
+        }
+
+        [Test, Timeout(5000)]
+        public void EmptyBodyDoesNotHangHandler() {
+            var request = new WorkerRequest("", "filename=aaa.jpg", "");
+            var context = new HttpContext(request);
+            AjaxFileUploadHelper.Process(context);            
+        }
+
+        [Test]
+        public void CheckTempFileExtension() {
+            var root = AjaxFileUpload.GetRootTempFolder();
+            Assert.Throws<Exception>(() => AjaxFileUpload.CheckTempFilePath(Path.Combine(root, @"E63F2078-D5C7-66FA-5CAD-02C169149BD5\a.exe")));
+        }
+
+        [Test]
+        public void CheckTempFolderMask() {
+            var root = AjaxFileUpload.GetRootTempFolder();
+            Assert.Throws<Exception>(() => AjaxFileUpload.CheckTempFilePath(Path.Combine(root, @"b\a.tmp")));
+        }
+
+        [Test]
+        public void CheckTempFolderNesting() {
+            var root = AjaxFileUpload.GetRootTempFolder();
+            Assert.Throws<Exception>(() => AjaxFileUpload.CheckTempFilePath(Path.Combine(root, @"extraFolder\E63F2078-D5C7-66FA-5CAD-02C169149BD5\a.tmp")));
+        }
+    }
+}

AjaxControlToolkit.Tests/WorkerRequest.cs

@@ -0,0 +1,38 @@
+using System.Globalization;
+using System.IO;
+using System.Net;
+using System.Text;
+using System.Web.Hosting;
+
+namespace AjaxControlToolkit.Tests {
+    public class WorkerRequest : SimpleWorkerRequest {
+        Stream _data;
+        string _size;
+        string _contentType;
+
+        public WorkerRequest(string body, string query, string contentType)
+            : base("", "", "", query, new StringWriter()) {
+            _data  = new MemoryStream(Encoding.ASCII.GetBytes(body));
+            _size = _data.Length.ToString(CultureInfo.InvariantCulture);
+            _contentType = contentType;
+        }
+
+        public override string GetKnownRequestHeader(int index) {
+            switch((HttpRequestHeader)index) {
+                case HttpRequestHeader.ContentLength:
+                    return _size;
+                case HttpRequestHeader.ContentType:
+                    return _contentType;
+            }
+            return base.GetKnownRequestHeader(index);
+        }
+
+        public override int ReadEntityBody(byte[] buffer, int offset, int size) {
+            return _data.Read(buffer, offset, size);
+        }
+
+        public override int ReadEntityBody(byte[] buffer, int size) {
+            return ReadEntityBody(buffer, 0, size);
+        }
+    }
+}

AjaxControlToolkit/AjaxControlToolkitConfigSection.cs

@@ -31,6 +31,12 @@ public string TempFolder {
             set { base["tempFolder"] = value; }
         }
 
+        [ConfigurationProperty("additionalUploadFileExtensions", IsRequired = false)]
+        public string AdditionalUploadFileExtensions {
+            get { return (string)base["additionalUploadFileExtensions"]; }
+            set { base["additionalUploadFileExtensions"] = value; }
+        }
+
         [ConfigurationProperty("customControls", IsDefaultCollection = false)]
         [ConfigurationCollection(typeof(CustomControlsCollection))]
         public CustomControlsCollection CustomControls {

AjaxControlToolkit/AjaxFileUpload/AjaxFileUpload.cs

@@ -10,6 +10,7 @@
 using System.Web.UI.HtmlControls;
 using System.Drawing;
 using System.Collections.ObjectModel;
+using System.Text.RegularExpressions;
 
 namespace AjaxControlToolkit {
 
@@ -301,34 +302,23 @@ public void SaveAs(string fileName) {
         }
 
         public static void CleanAllTemporaryData() {
-            var dirInfo = new DirectoryInfo(BuildRootTempFolder());
+            var dirInfo = new DirectoryInfo(GetRootTempFolder());
             foreach(var dir in dirInfo.GetDirectories()) {
                 dir.Delete(true);
             }
         }
 
-        public static string BuildTempFolder(string fileId) {
-            return Path.Combine(BuildRootTempFolder(), fileId);
+        public static string GetTempFolder(string fileId) {
+            return Path.Combine(GetRootTempFolder(), fileId);
         }
 
-        public static string BuildRootTempFolder() {
+        public static string GetRootTempFolder() {
             var userPath = ToolkitConfig.TempFolder;
 
-            if(!String.IsNullOrWhiteSpace(userPath)) {
-                var physicalPath = GetPhysicalPath(userPath);
-
-                if(!Directory.Exists(physicalPath))
-                    throw new IOException(String.Format("Temp directory '{0}' does not exist.", physicalPath));
-
-                return physicalPath;
-            }
-
-            var defaultPath = Path.Combine(Path.GetTempPath(), DefaultTempSubDir);
-
-            if(!Directory.Exists(defaultPath))
-                Directory.CreateDirectory(defaultPath);
-
-            return defaultPath;
+            if(!String.IsNullOrWhiteSpace(userPath))
+                return GetPhysicalPath(userPath);
+                
+            return Path.Combine(Path.GetTempPath(), DefaultTempSubDir);
         }
 
         static string GetPhysicalPath(string path) {
@@ -504,6 +494,33 @@ static string CombineUrl(string part1, string part2) {
             return part1 + part2;
         }
 
+        public static void CheckTempFilePath(string tmpFilePath) {
+            if(!IsValidExtension(tmpFilePath)
+                || !IsValidLastFolderName(tmpFilePath)
+                || !IsImmediateFolder(tmpFilePath))
+                throw new Exception("Insecure operation prevented");
+        }
+
+        static bool IsImmediateFolder(string tmpFilePath) {
+            var rootTempFolderFromParam = Path.GetFullPath(GetGrandParentDirectoryName(tmpFilePath));
+            var rootTempFolder = Path.GetFullPath(GetRootTempFolder());
+
+            return String.Compare(rootTempFolder, rootTempFolderFromParam, true) == 0;
+        }
+        
+        static bool IsValidLastFolderName(string tmpFilePath) {
+            var directory = Path.GetFullPath(Path.GetDirectoryName(tmpFilePath));
+            return Regex.IsMatch(directory, @"[\w-]{36}$", RegexOptions.IgnoreCase);
+        }
+
+        static bool IsValidExtension(string tmpFilePath) {
+            return String.Compare(Path.GetExtension(tmpFilePath), Constants.UploadTempFileExtension, true) == 0;
+        }
+
+        static string GetGrandParentDirectoryName(string tmpFilePath) {
+            return Path.GetDirectoryName(Path.GetDirectoryName(tmpFilePath));
+        }
+
         class UploadRequestProcessor {
             public HttpContext Context;
 
@@ -619,7 +636,7 @@ void XhrComplete() {
             void XhrDone(string fileId) {
                 AjaxFileUploadEventArgs args;
 
-                var tempFolder = BuildTempFolder(fileId);
+                var tempFolder = GetTempFolder(fileId);
                 if(!Directory.Exists(tempFolder))
                     return;
 
@@ -628,18 +645,24 @@ void XhrDone(string fileId) {
                     return;
 
                 var fileInfo = new FileInfo(files[0]);
-                SetUploadedFilePath(fileInfo.FullName);
 
+                CheckTempFilePath(fileInfo.FullName);
+                SetUploadedFilePath(fileInfo.FullName);
+                var originalFilename = StripTempFileExtension(fileInfo.Name);
                 args = new AjaxFileUploadEventArgs(
-                    fileId, AjaxFileUploadState.Success, "Success", fileInfo.Name, (int)fileInfo.Length,
-                    fileInfo.Extension);
+                    fileId, AjaxFileUploadState.Success, "Success", originalFilename, (int)fileInfo.Length,
+                    Path.GetExtension(originalFilename));
 
                 if(UploadComplete != null)
                     UploadComplete(this, args);
 
                 Response.Write(new JavaScriptSerializer().Serialize(args));
             }
 
+            static string StripTempFileExtension(string fileName) {
+                return fileName.Substring(0, fileName.Length - Constants.UploadTempFileExtension.Length);
+            }
+
             void XhrCancel(string fileId) {
                 AjaxFileUploadHelper.Abort(Context, fileId);
             }

AjaxControlToolkit/AjaxFileUpload/AjaxFileUploadEventArgs.cs

@@ -63,12 +63,14 @@ public byte[] GetContents() {
         }
 
         public Stream GetStreamContents() {
-            var dir = AjaxFileUpload.BuildTempFolder(this._fileId);
-            return File.OpenRead(Path.Combine(dir, this._fileName));
+            var dir = AjaxFileUpload.GetTempFolder(this._fileId);
+            var filePath = Path.Combine(dir, this._fileName) + Constants.UploadTempFileExtension;
+            AjaxFileUpload.CheckTempFilePath(filePath);
+            return File.OpenRead(filePath);
         }
 
         public void DeleteTemporaryData() {
-            var dirInfo = new DirectoryInfo(AjaxFileUpload.BuildTempFolder(this._fileId));
+            var dirInfo = new DirectoryInfo(AjaxFileUpload.GetTempFolder(this._fileId));
             if(dirInfo.Exists)
                 dirInfo.Delete(true);
         }