Skip to content
This repository has been archived by the owner on Nov 20, 2018. It is now read-only.

Ensure secrets ID does not contain invalid file name characters #229

Closed
LordMike opened this issue Nov 14, 2016 · 8 comments
Closed

Ensure secrets ID does not contain invalid file name characters #229

LordMike opened this issue Nov 14, 2016 · 8 comments
Assignees
@natemcmaster
Labels
3 - Done bug closed-fixed tool: user-secrets
Milestone
2.0.0-preview1

Comments

@LordMike
Copy link

A quick test showed that I could trick "dotnet user-secrets" to operate outside the defined directory (in the Roaming folder).

By setting the userSecretsId property in the project.json file to f.ex.

"userSecretsId": "..",

.. the tool now reads in the parent folder to where it normally would operate. This can be extended as necessary to go further up and into other directories, and even to other drives.

The parameter probably shouldn't accept paths in general (just a file name, or exclude elements not allowed in file names).
@natemcmaster
Copy link
Contributor

natemcmaster commented Nov 14, 2016
edited
Loading

This is technically a valid use of user secrets. Altering this behavior could be a breaking change.

Thoughts? @divega @muratg

cref the code: https://github.com/aspnet/Configuration/blob/a8b6008d3798693d03bb00d35238ce251c267ab7/src/Microsoft.Extensions.Configuration.UserSecrets/PathHelper.cs#L86-L114

@Genbox
Copy link

Genbox commented Nov 14, 2016

@natemcmaster Setting the userSecretsId to "../../../../Evil.json" escapes the %AppData% folder, which does not seem to be intended behavior to me. It is in fact a security vulnerability classified as a Directory Traversal.

@Eilon
Copy link
Member

Eilon commented Nov 14, 2016

Only the app developer can set the userSecretsId, but then the app developer can just call File.Open("../../whatever.json") anyway. So, there is no security bug here that we can see.

There is, however, perhaps a bug here, where maybe there could be more rules about valid user secrets ids.

@natemcmaster
Copy link
Contributor

We already validate the user id against Path.GetInvalidPathChars(). We could add / and \ to the set of invalid chars.

@Eilon
Copy link
Member

Eilon commented Nov 14, 2016

@natemcmaster that does seem reasonable. We of course never intended those to be permitted.

@muratg muratg added the bug label Nov 14, 2016
@divega
Copy link

divega commented Nov 17, 2016
edited
Loading

I wonder if using a PhysicalFileProvider in the right path (e.g. Environment.GetEnvironmentVariable("APPDATA") ?? Environment.GetEnvironmentVariable("HOME")) instead of parsing and flowing the id as an arbitrary path would lead to a more robust solution. We end up using PhysicalFileProvider anyway.

@Eilon
Copy link
Member

Eilon commented Nov 17, 2016

I'm also fine if we just close this bug 😄

@natemcmaster natemcmaster mentioned this issue Nov 21, 2016
Merged
@natemcmaster
Copy link
Contributor

Proposed fix aspnet/Configuration#558

@natemcmaster natemcmaster self-assigned this Nov 21, 2016
@natemcmaster natemcmaster added this to the 1.2.0 milestone Nov 28, 2016
@natemcmaster natemcmaster changed the title userSecretsId can contain ".." and drive letters Ensure secrets ID does not contain invalid file name characters Nov 28, 2016
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@natemcmaster natemcmaster

Labels
3 - Done bug closed-fixed tool: user-secrets
Projects
None yet
Milestone
2.0.0-preview1
Development

No branches or pull requests
6 participants
@Eilon @Genbox @LordMike @divega @muratg @natemcmaster