fix: block path traversal in /cgi-bin/temp/get (#1304)

lib/service/service.js

@@ -458,6 +458,8 @@ function sessionsHandler() {
     var filename = req.query.filename;
     if (common.isTempFile(filename)) {
       filename = path.join(TEMP_FILES_PATH, filename);
+    } else if (!config.username || !config.password) {
+      return common.sendGzip(req, res, { ec: 0, value: '', forbidden: true });
     }
     getFile(filename, function(em, data) {
       if (em) {

test/assets/certs/_.cert.w2.org.crt

@@ -1,19 +1,22 @@
------BEGIN CERTIFICATE-----
-MIIC/TCCAmagAwIBAgIBATANBgkqhkiG9w0BAQsFADCBjDEoMCYGA1UEAxMfV0hJ
-U1RMRShyb290QDAwOjE2OjNlOjAwOjBhOjJhKTELMAkGA1UEBhMCQ04xCzAJBgNV
-BAgTAlpKMQswCQYDVQQHEwJIWjEoMCYGA1UEChMfV0hJU1RMRShyb290QDAwOjE2
-OjNlOjAwOjBhOjJhKTEPMA0GA1UECxMGV1BST1hZMB4XDTE2MDcxODE0NDIyNloX
-DTI2MDcxODE0NDIyNlowgYwxKDAmBgNVBAMTH1dISVNUTEUocm9vdEAwMDoxNjoz
-ZTowMDowYToyYSkxCzAJBgNVBAYTAkNOMQswCQYDVQQIEwJaSjELMAkGA1UEBxMC
-SFoxKDAmBgNVBAoTH1dISVNUTEUocm9vdEAwMDoxNjozZTowMDowYToyYSkxDzAN
-BgNVBAsTBldQUk9YWTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApf+IJO8v
-Cc20oDR+9RaBEUd1wgTmS7yfS/Fwnv/N7xdmf2k0C/2m21bAB5JJ42aqcnr3+akw
-PFF3VZg1lhxIZWitJGhwtxETGT/nOZ9xjubUCsZUvDN2RKjOYiVnKbFzYl97IKuH
-B+74Jm91V9JJz5rs46jjM6aHJ0cynzc9TKcCAwEAAaNtMGswDAYDVR0TBAUwAwEB
-/zALBgNVHQ8EBAMCAvQwOwYDVR0lBDQwMgYIKwYBBQUHAwEGCCsGAQUFBwMCBggr
-BgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUFBwMIMBEGCWCGSAGG+EIBAQQEAwIA9zAN
-BgkqhkiG9w0BAQsFAAOBgQBW5oM2eJClAXzAtSRyXKKNPbqh/tbO9xasXETm2nK4
-z+g/wQZfoeDhZRdPzT+rzmFF9Y6kRhVlvrx3xrq4kS9GoHsjYtI0xPtX2IqLA+4M
-CIQwYoeqTFVDmoHqUytbJGWHa+VmMI6aYIqz9Sld2Dw39qfSViEv6LKQURrmTE+d
-tA==
------END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDqzCCApOgAwIBAgIURu+Iu6t0tl1DLuSPMi6duZrm/TcwDQYJKoZIhvcNAQEL
+BQAwZTEWMBQGA1UEAwwNKi5jZXJ0LncyLm9yZzELMAkGA1UEBhMCQ04xCzAJBgNV
+BAgMAlpKMQswCQYDVQQHDAJIWjEVMBMGA1UECgwMd2hpc3RsZS10ZXN0MQ0wCwYD
+VQQLDAR0ZXN0MB4XDTI2MDQwNjEyMTk1MloXDTM2MDQwMzEyMTk1MlowZTEWMBQG
+A1UEAwwNKi5jZXJ0LncyLm9yZzELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAlpKMQsw
+CQYDVQQHDAJIWjEVMBMGA1UECgwMd2hpc3RsZS10ZXN0MQ0wCwYDVQQLDAR0ZXN0
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo93UE7vVCtVQiwY+SIql
+B0nnXWLw5CmBJvHGGV3giK9onKH2Ie54PtMIUW5OwnpFqxMJFkXIhAsAfCc5cqNZ
+ZGoFvioldEzHYioGC1GOUuoJhSq0LzCfw9zdHSrS0AE+ujsXgilojWTk/r2b29F8
+wYKFIwq7/X4UiAZaYkJW/fDZzpaZieO7pZ7+WroHSvx8eBgP0lyn3J6bOrwsiHhn
+xVk/Blj9iPb7L8PLkMpm5hKT22eS29MtO2K7K1rNHB9g0AC2KPGtFj51J7jYZ+ml
+9TF7FtoNgtZ2//QTVDZw+oMPiZltw9aJovVZcwDrrfci1lBDG5A4BbbzcWvaJ+ts
+fwIDAQABo1MwUTAdBgNVHQ4EFgQU5IGKSZ7OzJvMjkeh9wPTdDfnstUwHwYDVR0j
+BBgwFoAU5IGKSZ7OzJvMjkeh9wPTdDfnstUwDwYDVR0TAQH/BAUwAwEB/zANBgkq
+hkiG9w0BAQsFAAOCAQEAQQbjHVHw4RLCR1pYEkrKbmfTA+6Ip3iau+oCxwEErFBR
+NwoL+9JKnHgZyxJj44vqko9SIvqFGqYzQI0pCjWsfh6diOxgHh3ACHXRt+rdpfbg
+ZChZ8dUuLBbEga+WKvHcfiF6kDnZOK8l3lm1Z4dHLCt3sEHXxctXiuhVl3UKMRYt
+ljyEqsuyrQmHNp/0X0eWMbcSzT3iaAPN+MWGTLTi9TZTasJSffiE3pgL/elSOJob
+m4Vlt+qh5fAmrR9TEznSoN/0Pp1D6hVEqmJWVSEQPmyVeGFiHJr4P6Cnzn7sUObv
+tVpilgSnNSY2udJeBIK/Cu6jtTZ6dMyBmzHNrTLzbQ==
+-----END CERTIFICATE-----

test/assets/certs/_.cert.w2.org.key

@@ -1,15 +1,28 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQCl/4gk7y8JzbSgNH71FoERR3XCBOZLvJ9L8XCe/83vF2Z/aTQL
-/abbVsAHkknjZqpyevf5qTA8UXdVmDWWHEhlaK0kaHC3ERMZP+c5n3GO5tQKxlS8
-M3ZEqM5iJWcpsXNiX3sgq4cH7vgmb3VX0knPmuzjqOMzpocnRzKfNz1MpwIDAQAB
-AoGAOBafadtniWh4H6mdPDLeaXg70dLV/cE+EesCorbMXn0JpQNnEqYiOvqU5/oF
-/VAzR3tFTpZcNgVQzRshABeOXilnQeVnNdxYV7rtPe7DpqM5Wvp6izUorJWqNGet
-sIrC/hlQupaYDXciYl9AP3yGs70CLMeorxTn0OSHy8e1sAECQQDlSiqFiTNVErEz
-j+47wsPrPbU/vnoPKK9HuZL93z1OmjzMekNWjBLh8l49VZfUTvNxxrD2LOp7n0EB
-X0AMBA53AkEAuVXlw1qfEan6UpKRWskuavCe6jj3mhWzu9LX04ektGEu3Y9uonPh
-o2fkSuE+jLTAvfuKoXJS0GAQTa3Rq/JPUQJATn3kLpB4PSBH/xG/iT+0V/xo5qhr
-GnNgBZq2gigA0b6lH46fLKqI8EZLEo4RisF4PzO4cp2Pq8ApvbGAuFxPIwJBAKAS
-E1bNfxOHhn8ovcf2eFO+rNJJD3kSg2CWcvfscJGmWg7cIcbHZTt3sJIHxrlKKCou
-Bgb4sZPtVEdy9+OVbXECQBN1jXBPaSVGPQeqjvEHymU6G2ulJqzXMDZciZLpHAwz
-GbjNIDkDzWdRLqmmRUqUXcA0mD2dxdWvkxBWRjntKsY=
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCj3dQTu9UK1VCL
+Bj5IiqUHSeddYvDkKYEm8cYZXeCIr2icofYh7ng+0whRbk7CekWrEwkWRciECwB8
+Jzlyo1lkagW+KiV0TMdiKgYLUY5S6gmFKrQvMJ/D3N0dKtLQAT66OxeCKWiNZOT+
+vZvb0XzBgoUjCrv9fhSIBlpiQlb98NnOlpmJ47ulnv5augdK/Hx4GA/SXKfcnps6
+vCyIeGfFWT8GWP2I9vsvw8uQymbmEpPbZ5Lb0y07YrsrWs0cH2DQALYo8a0WPnUn
+uNhn6aX1MXsW2g2C1nb/9BNUNnD6gw+JmW3D1omi9VlzAOut9yLWUEMbkDgFtvNx
+a9on62x/AgMBAAECggEADC8tWr5HrAOKdpvjO6+bb7xOCMKXmM+BO+0URsSVMnSg
+ea0NSR6bMEiuwKdMEefXkE3dChvsOe07fv/HpL+CoRXFEYu+tzQSSzlGs8a/p2ih
+hpZTSYL7Diw5ALczb6X4DQ7hw5rinEjZQhvFIAYmmZjj32Qn8ERUsHyQcefu4fjN
+Bz5QOYBYQQRalHHVvnW/FPUZbhU47F3cd0aN2eHutunRDLqW3iWsz4UuqfNvPOk9
+wudHKTIGJxl4CBq8pmoSiXEORPXsySWeVhqK92h9u9gpgvKg/8zzSJPq5FMrvz5I
+NVqDetdA7JQ7j1HD113qD4iuqkyM7jitSfgHkVqTcQKBgQDj5w4tglirraVvaFvb
+BWC2rCOcEiBLkygRLfoSl96oCwN04kq7MsNVPVFmpbJ7FpvoIuAE9O21ca7/MfIg
+qdmFzyn7SsR4AajliMQ366VVnK3avUyS0cu1BPfjqBvO/pCyWpZCo9pebj3x75QC
+1qpxJdhQ6PIknG/qI7SnbBUyZwKBgQC4EbM2gbVQGBgMrA4Zw6pL09NVy/geNoJr
+uvYNGTiU3jAtTA2mYEKEhmJPHAzhBc+71114jFFACt1VqOLGwhZQfuPg9FX8woEZ
+icpitSM1sXXX+lpduPo0ekPsamFXGdZW5g6GTlWYOTnkdrHuZxlYdmEH18YzNN5p
+4V99eFKWKQKBgQCGuxoOnXh+RfH/otpq6Qr781g59B1TkHOndF7ajx36ikhI2V8E
+vEXuJonw/RQ+4GbbHYMCayn8knC6PXS/CqqmCIrxHIp5x8FpsSkPRihALJg7MJ4M
+Tir3oTBLTh7iiGxShGtAik2WdeX5GYGPDAlHSvBPJOfB7Rncea9bKvJ9EQKBgFXJ
+agztRuOdVxgQ2EGJv8S3ZLeH6IusO/yZljNkncpEA5AY8gOouVeqigb0u8vkOX0C
+Ur3sJ7IBXkad/5NCwcOiX/Jn7etve1u7rGd0pIRRwOp388XagEIU+bMloVhG4m59
+qidOOvZHNYQVDbhetKFWCsLs/aK/8SjHsQl5GoSBAoGBAIKWjCzWMoqNWm3owhik
+QbB3jzF5UURYmm9h9HAxJf/iheV1GpAlsCt1MS4zMO9JbBLUScjWAgBjtjhU4LvY
+RIDgbBZqNSTFcM7u5CA/icX0ZwUCPSljrNwByJLy7oBXFY/W1cFFPEc1uuXTChSH
+S6e2y+JDRTJZrferMnqGzA9a
+-----END PRIVATE KEY-----

test/assets/certs/cert.w2.org.key

@@ -1,15 +1,28 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQCkl91qX33cnRX3gTTfUi72r8t/D1HavEm0McCaMVDQGJBX0VgV
-swLNIMGEyAcVmSMVleJAgu225M7rtpl9TKzSrOhdHAj7/AjZWOL5GJEuxu0LsuH8
-ZG9J6sS7HnVO//ZGJGjS5gGWk/gAfiII64+gurwasS7xiBHYYZOFTjRARwIDAQAB
-AoGBAIDuOVJfNQ+AublkrA8XqJQyxtxkGsGWZsHRi0b9xIkOBNvVsANnc5VNyGmD
-6xC/IZ2CCHZyWVXATFqWcguV6XXouF9R8TN+HcEaiZ9epEOnwOSPz4DdEtB+TZp+
-Ih3l/NEzLRNxp7XVqI1k9OG5yguctyzfYcydFem/ZRWcMaxhAkEA0Rb+qGF7jb84
-xRBxFXxnKJVa6C2OSuDG1eecepMcYqNiUTimbk1/3qzJZqXmNBcIAfG/3a5dyM0O
-l1f2xeZ41wJBAMmFOPXkqS4gx8vItUJ36HSgXVOePbdmpBFRWD9R0uj83TuNc3V/
-pD9jKnU/ZQ0DacI57F5zvIxtVy9iAP1iVhECQEJ5sRUPiRyTwxTEGW/fUVzRv0k5
-0pdzx0OSk2lVBB1IHKX+AMvoz9KX1KBR9lJxUBZuKbXtDdwddZogWVCp6ZkCQQC9
-kXcdyPZlEC0ixDHOzyF65Igmass/xWw9ZjoPhpdS2Nv8c3nTZDlL76s3FGWosjdA
-oGB8EX+i0hCb4CNyOJkhAkEADdZsXlSL7e0qy7iE1IP7uHrfse1ZZhIX48DSK+Yg
-nqZ8YdcUsS3RlVOgahqizD723klbKeGq8Pi9t0wHamjHjg==
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC4xvBZEwVb+Jeq
+ZVH/1AmottRQvXLvljxBoAdzW2N5/IEiAk2fviPqg4JRD0oYUGPFqRrKf9oK1rAY
+AxwUOFvzO575cNEa6JQ3O3aNiNIYTWE55tEizc3WwYW8TCO3k86D1i1LQRof83xI
+R7vD+016P1sHjeYDxTUiUD/kWU7a2ZSO/fX2RGyS5ADfyAUtjhjoJj6j/Tb3dplB
+g2gf1iy/DMaYC3k95dXmi1U/YAJeW4A/sQTfSHTr1fNsf9EJCMnK2bHjurE5Fnr8
+9+SIJu3xns2CVt4RDaMtj6ASbijwjJtimwMUrM3SoFlx//DpXAuMX88C020vW1XK
+opxCpt1tAgMBAAECggEAGas3SeSAztdAuIDlTIkYA2pMod/DlwFzovk4d7/HGLPp
+e4A+6NVY93Pn91tMo4aNabDVgjKTJ4TOBzPtY2i161sJuWTBA8AyEN8vl7ddWldr
+jYfhXzigYvhU3ATmxFKh8oIfHjBv0Ob6Ca9/Z9kiGPyyqGC/xp/PgxILYi0+7Vtl
+27OEtowl+nXBiSNqVu1wN7b20Ry/uigrg9WF6pGWxIjD1IKnxM/UTg61oH6B7BGa
+rRDbotLMW6FHJWG8bJrUcCLIDAnjM6EY9RJucgvrIIDsS1jtefBI0Tbxy6GjqDx5
+I1E/uVYseoxpGkn8+/3K16xfPH4slblTA/Co0bhqwQKBgQD/ENF3+Bn00PvVHR28
+wUd5HIvST5QA044ik6Q5P1JFgafxqfDfK7hd598u7UCuaWWHzzOd8Vi+r9APqtIj
+3iw5u14Lom9vYaA3WCg3JYYElCFlevsAbBgtQ1SLf8pATyf+FCDOCGEI8XYK/vSS
+/MBbEH45WU6/+/35ETGHgz/IQQKBgQC5dDWMfkPCh3ZqrdZsQ8NVcCRUozY+Zx1f
+BjESZ3peXINr9k7Wro6kz+6DAiuFEGk3GrEM7inFng/rmOGm//WUhnmu2bMJZI92
+lUkp7ki58fSUSXzlbhPpvG6bj8uKfg7kGfKeFUoxTJT6RwIGFsOxZhN73fZUjydh
+rg5FhBYqLQKBgEKpOpWIGgCJvcds3KDAQtW8SC6m7Z9pqvQOchUkH3Ra9nGKYJFy
+87RXLVUuXIE4unhMBsl4kiEEAfSWSGVnY1eTSHjx8v3BHgZY2+nNvMDllfTXt1Hc
+7lSmDCqJM2qrRWB6EjjGp9WWhatKBtGDjSI/pT2HwbUbPr0haThpbPoBAoGAE6n7
+x5LX0neUmckm9EHXI2cJoyPPK5y5Y4r/hwkL05eRo8/xGhhWLamSi7eeL7TGwz4E
+Se+y5C5XV87VFmULgB0mJ+ETd8p+378Ci/ylH3pFSbflE1qxp9YAEGSV23B0WcFa
+lWKChGmvXj5LO6QMSfId3MNzTBIFxfizsLFJvF0CgYEAhFHsscA3sfQ0dFpK6B9F
++InyQjg3VN+wuYWEOGZQDHS4mA2OoBQu2gtN8xuoI1Z9zzT0jfMVNTaDRjViLBI9
+GpHvB477QtyaxlkZZRDTiYSXtyJ0/iTbzBmjX6x0fwaRv/CApCqKRetAQbwpCkWo
+EMag0SaHv95pHPWv1HBvHX0=
+-----END PRIVATE KEY-----

test/config.test.js

@@ -2,7 +2,7 @@
 module.exports = {
   port: 6666,
   serverPort: 8080,
-  wsPort: 8081,
+  wsPort: 18081,
   httpsPort: 5566,
   socksPort: 1080,
   authSocksPort: 1118,

test/index.test.js

@@ -130,11 +130,11 @@ var socksServer = socks.createServer(function(info, accept, deny) {
     }
     return;
   }
-  if (info.dstPort === 8081) {
+  if (info.dstPort === 18081) {
     if (socket = accept(true)) {
       client = net.connect({
         host: '127.0.0.1',
-        port: 8081
+        port: 18081
       }, function() {
         socket.pipe(client).pipe(socket);
       });

test/plugins/whistle.test/rules.txt

@@ -17,7 +17,7 @@
 
 /proxy/ proxy://127.0.0.1:8080
 
-/connect/ host://127.0.0.1:8081
+/connect/ host://127.0.0.1:18081
 /testrule5\.([^\/]+)\/([^?]*\/?)\?.*test=([^&]+)/ host.$1/$2?test=$3
 /testrule6\.([^\/]+)\/([^?]*\/?)\?.*test=([^&]+)/ $1/$2?test=$3
 

test/units/proxy.test.js

@@ -12,16 +12,16 @@ module.exports = function() {
   }, function(res, data) {
     data.should.have.property('url', 'http://proxy.test.whistlejs.com/index.html');
   });
-  util.request('ws://ws2.w2.org:8081/index.html', function(res, data) {
+  util.request('ws://ws2.w2.org:18081/index.html', function(res, data) {
     res.type.should.be.equal('server');
   });
-  util.request('ws://ws3.w2.org:8081/index.html', function(res, data) {
+  util.request('ws://ws3.w2.org:18081/index.html', function(res, data) {
     res.type.should.be.equal('server');
   });
-  util.request('ws://ws4.w2.org:8081/index.html', function(res, data) {
+  util.request('ws://ws4.w2.org:18081/index.html', function(res, data) {
     res.type.should.be.equal('server');
   });
-  util.request('ws://ws5.w2.org:8081/index.html', function(res, data) {
+  util.request('ws://ws5.w2.org:18081/index.html', function(res, data) {
     res.type.should.be.equal('server');
   });
   util.request('http://127.0.0.1:8080/xproxy.html', function(res, data) {

test/units/temp-get.test.js

@@ -0,0 +1,22 @@
+
+var util = require('../util.test');
+
+module.exports = function() {
+  // Path traversal: absolute path should be blocked (no auth configured)
+  util.request('http://local.whistlejs.com/cgi-bin/temp/get?filename=/etc/passwd', function(res, data) {
+    data.should.have.property('forbidden', true);
+  });
+  // Path traversal: relative path should be blocked
+  util.request('http://local.whistlejs.com/cgi-bin/temp/get?filename=../../etc/passwd', function(res, data) {
+    data.should.have.property('forbidden', true);
+  });
+  // Empty filename should be blocked
+  util.request('http://local.whistlejs.com/cgi-bin/temp/get?filename=', function(res, data) {
+    data.should.have.property('forbidden', true);
+  });
+  // Valid temp file (64-char hex) should not be forbidden (file not found is ok)
+  util.request('http://local.whistlejs.com/cgi-bin/temp/get?filename=a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2', function(res, data) {
+    data.should.have.property('ec');
+    data.should.not.have.property('forbidden');
+  });
+};