make custom text vuln harder

Author: jruehlow

checker/src/checker.py

@@ -323,7 +323,7 @@ async def check_replay_for_flag(con: Connection, uuid: str) -> Optional[str]:
 """
 
 
-@checker.putflag(1)
+@checker.putflag(0)
 async def putflag_custom(
     task: PutflagCheckerTaskMessage,
     db: ChainDB,
@@ -360,7 +360,7 @@ async def putflag_custom(
         con.log_error('Failed to save custom text', e)
 
 
-@checker.getflag(1)
+@checker.getflag(0)
 async def getflag_custom(
     task: GetflagCheckerTaskMessage,
     db: ChainDB,
@@ -372,7 +372,7 @@ async def getflag_custom(
     try:
         db_data = await db.get('userdata')
     except KeyError:
-        logger.error("Missing replayId in database entry from putflag")
+        logger.error("Missing data in database entry from putflag")
         raise MumbleException('Getflag 1 failed')
 
     con = Connection(logger, client)
@@ -398,7 +398,7 @@ async def getflag_custom(
     assert_equals(task.flag, flag, "Flag was found to be incorrect")
 
 
-@checker.exploit(1)
+@checker.exploit(0)
 async def exploit_custom(
     task: ExploitCheckerTaskMessage,
     searcher: FlagSearcher,
@@ -418,7 +418,7 @@ async def exploit_custom(
     con.log_debug(f'Got attack info: {task.attack_info}')
     files = {
         '_token': (None, csrf_token),
-        'textName': (None, f'/data/uploads/{task.attack_info}/flag'),
+        'textName': (None, f'//data/uploads/{task.attack_info}/flag'),
         'textFile': ('x.txt', 'x', 'text/plain'),
         'MAX_FILE_SIZE': (None, '3145728')
     }
@@ -433,7 +433,7 @@ async def exploit_custom(
         con.log_error('Failed to save custom text', e)
 
     try:
-        response = await client.get(f'/text?file=/data/uploads/{task.attack_info}/flag')
+        response = await client.get(f'/text?file=//data/uploads/{task.attack_info}/flag')
         response.raise_for_status()
         data = response.json()
         return data['text']

service/src/Foundation.hs

@@ -52,7 +52,7 @@ data RaceState = RaceState
     raceWordCount :: Int,
     raceStartTime :: Maybe UTCTime,
     raceProgress :: Map UserId Int, -- character index
-    raceWPM :: Map UserId Double, -- current WPM - ADD THIS
+    raceWPM :: Map UserId Double, -- current WPM
     raceCompleted :: Map UserId (Double, Double), -- final (wpm, accuracy)
     raceTextLength :: Int
   }

service/src/Handler/CustomText.hs

@@ -1,4 +1,5 @@
 {-# LANGUAGE BlockArguments #-}
+{-# LANGUAGE FlexibleContexts #-}
 {-# LANGUAGE LambdaCase #-}
 {-# LANGUAGE MultiParamTypeClasses #-}
 {-# LANGUAGE OverloadedStrings #-}
@@ -20,7 +21,7 @@ import System.Directory
   ( createDirectoryIfMissing,
     doesFileExist,
   )
-import System.FilePath.Posix (joinPath, normalise, splitPath, takeExtension, takeFileName)
+import System.FilePath.Posix (takeExtension, takeFileName)
 
 customTextForm :: Html -> MForm Handler (FormResult (Text, FileInfo), Widget)
 customTextForm extra = do
@@ -81,13 +82,6 @@ getCustomTextR = do
     setTitle "TimeType | CustomText"
     $(widgetFile "custom-text")
 
-sanitizePath :: FilePath -> FilePath
-sanitizePath =
-  joinPath
-    . filter (\p -> p /= "./" && p /= "../")
-    . splitPath
-    . normalise
-
 postCustomTextR :: Handler Html
 postCustomTextR = do
   ((result, widget), enctype) <- runFormPost customTextForm
@@ -110,7 +104,7 @@ postCustomTextR = do
       let ext =
             map toLower $
               takeExtension (T.unpack $ fileName fileInfo)
-          sanitizedName = sanitizePath (T.unpack filename)
+          sanitizedName = takeBaseName (T.unpack filename)
 
       if ext /= ".txt"
         then respond status400 "Only .txt files are allowed"

service/src/Model.hs

@@ -3,6 +3,7 @@
 {-# LANGUAGE DeriveGeneric #-}
 {-# LANGUAGE DerivingStrategies #-}
 {-# LANGUAGE EmptyDataDecls #-}
+{-# LANGUAGE FlexibleContexts #-}
 {-# LANGUAGE FlexibleInstances #-}
 {-# LANGUAGE GADTs #-}
 {-# LANGUAGE GeneralizedNewtypeDeriving #-}
@@ -17,8 +18,9 @@
 
 module Model where
 
-import ClassyPrelude.Yesod
+import ClassyPrelude.Yesod hiding (joinPath)
 import Database.Persist.Quasi
+import System.FilePath.Posix (joinPath, normalise, splitPath)
 import Yesod.Auth.HashDB (HashDBUser (..))
 
 data LobbyStatus = LobbyStatusWaiting | LobbyStatusInProgress | LobbyStatusFinished
@@ -30,6 +32,28 @@ instance ToJSON LobbyStatus
 
 instance FromJSON LobbyStatus
 
+class PathSanitizer a where
+  takeBaseName :: a -> FilePath
+
+instance PathSanitizer FilePath where
+  takeBaseName = sanitizePath
+
+sanitizePath :: FilePath -> FilePath
+sanitizePath p =
+  let (s, suffix) = case span (== '/') p of
+        (sl@('/' : '/' : _), rest) -> (sl, rest)
+        _ -> ("", dropWhile (== '/') p)
+      parts =
+        filter
+          ( \x ->
+              x `notElem` ["./", "../"]
+                && not (".." `isInfixOf` x)
+          )
+          . splitPath
+          . normalise
+          $ suffix
+   in s ++ joinPath parts
+
 share
   [mkPersist sqlSettings, mkMigrate "migrateAll"]
   $(persistFileWith lowerCaseSettings "config/models.persistentmodels")

service/src/Settings.hs

@@ -105,12 +105,6 @@ compileTimeAppSettings =
         Error e -> error e
         Success settings -> settings
 
--- The following two functions can be used to combine multiple CSS or JS files
--- at compile time to decrease the number of http requests.
--- Sample usage (inside a Widget):
---
--- > $(combineStylesheets 'StaticR [style1_css, style2_css])
-
 combineStylesheets :: Name -> [Route Static] -> Q Exp
 combineStylesheets = combineStylesheets'
     (appSkipCombining compileTimeAppSettings)

service/src/Settings/StaticFiles.hs

@@ -7,34 +7,4 @@ module Settings.StaticFiles where
 import Settings (appStaticDir, compileTimeAppSettings)
 import Yesod.Static (staticFiles)
 
--- This generates easy references to files in the static directory at compile time,
--- giving you compile-time verification that referenced files exist.
--- Warning: any files added to your static directory during run-time can't be
--- accessed this way. You'll have to use their FilePath or URL to access them.
---
--- For example, to refer to @static/js/script.js@ via an identifier, you'd use:
---
---     js_script_js
---
--- If the identifier is not available, you may use:
---
---     StaticFile ["js", "script.js"] []
 staticFiles (appStaticDir compileTimeAppSettings)
-
--- If you prefer to updating the references by force
---  -- especially when you are devloping like `stack exec -- yesod devel` --
--- you can update references by chaning file stamp.
---
--- On linux or Unix-like system, you can use
---     shell> touch /Path/To/Settings/StaticFiles.hs
---
--- or save without changes on your favorite editor.
--- so yesod devel will re-compile automatically and generate the refereces
--- including new one.
---
--- In this way you can use on your shakespearean template(s)
--- Let's say you have image on "yourStaticDir/img/background-1.jpg"
--- you can use the reference of the file on shakespearean templates like bellow
---
---     /* note: `-' becomes '_' as well */
---     @{StaticR img_background_1_jpg}