@asylumfunk
Collaborator

Please reference comments on asylumfunk#5 and asylumfunk@6608b2d

This is a heftier commit than I've pushed before, so please ask away if anything is unclear.

I've tested this on both *NIX and WIN machines (as it deals with path separators), but please be diligent as this touches every(?) filesystem access method (implicitly or explicitly).

@sstur
Collaborator

sstur commented Jan 28, 2014

Awesome work. Refactoring like that will really push this project forward. However I think we need good tests to make sweeping changes. We do have some tests in the specs directory but our test coverage is pretty low. We really should have feature-to-test parity and be committing tests along with code updates.

I think what I'll do is accept this in master and create a stable branch. Then we (myself included) should work on some tests before merging master into stable.

@asylumfunk
Collaborator Author

Thanks.

Now that I have a sense of the project and expectations, I'll look into adding additional test coverage before pushing on with refactoring/extending.

We could hold off on this pull request until it has corresponding testing and, instead, I can put together a localized fix to withCwd(...) that simply ensures that a pathname never reaches outside of the chroot (without the additional refactoring and altering of additional methods or any of the TVFS logic).

Your call, though.

@sstur
Collaborator

sstur commented Jan 28, 2014

Good call with the localized fix to withCwd. Go for it. And thanks for finding this serious vulnerability.

@addrummond
Collaborator

Yes, I second Simon's thanks. Agree with you guys on how to proceed.

@asylumfunk
Collaborator Author

Alright, we should be good to go now. BTW, what's the philosophy here on versioning/tagging/etc? This seems to be a good point to update the npm package. Thoughts?

sstur added a commit that referenced this pull request Jan 29, 2014
fix: prevent users from traversing out of chroot directory
@sstur sstur merged commit 96a0ce3 into nodeftpd:master Jan 29, 2014
@asylumfunk asylumfunk deleted the issue-5 branch January 31, 2014 02:21
asylumfunk added a commit to asylumfunk/nodeftpd that referenced this pull request Mar 7, 2014
This commit properly resolves MDTM request filenames to locations within
the CHROOT jail. Previously, requests were made relative to the
filesystem root (/), instead of the server root (/srv/files/from/here).

This allowed users to request MDTM on potentially sensitive files
(/root, /home), while simultaneously denying legitimate requests within
the shared directory.

Note: all filesystem calls *must* be joined with the path to the server
root (pathModule.join(self.root, filename)).

fix #28
ref nodeftpd@57a9e5f
ref nodeftpd#5
ref nodeftpd#9
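
The rule stated in the commit message above (join every filename with the server root so a request cannot reach outside the chroot), sketched as an added example that is not nodeftpd's own code. `resolveInJail`, its parameters and the `C:\srv\ftp` root are hypothetical; the sample requests are constructed.

```javascript
const path = require('path');

// Hypothetical helper, not nodeftpd's withCwd(): map a client-supplied FTP
// pathname to an on-disk location that cannot leave the server root.
// `p` is the path flavour to use (path.posix or path.win32); it defaults to
// the host's, and is a parameter only so both can be exercised anywhere.
function resolveInJail(root, cwd, clientPath, p = path) {
  // 1. Resolve inside the virtual FTP namespace, which always uses "/".
  //    posix.resolve collapses "." and ".." and cannot climb above "/",
  //    and an absolute clientPath simply replaces cwd.
  const virtual = path.posix.resolve('/', cwd, String(clientPath));

  // 2. Join with the server root, as the commit message requires for every
  //    filesystem call. join() treats the leading "/" as a plain separator.
  const real = p.join(root, virtual);

  // 3. Re-check containment on the host path. On Windows "\" is also a
  //    separator, so "..\" segments survive step 1 and are only caught here.
  const rel = p.relative(root, real);
  if (rel === '..' || rel.startsWith('..' + p.sep) || p.isAbsolute(rel)) {
    throw new Error('path escapes server root: ' + clientPath);
  }
  return { virtual, real };
}

// Constructed sample requests against the root named in the commit message.
function demo() {
  const root = '/srv/files/from/here';
  const out = [
    resolveInJail(root, '/', '/root', path.posix).real,
    resolveInJail(root, '/pub', '../../../home', path.posix).real,
  ];
  try {
    resolveInJail('C:\\srv\\ftp', '/pub', '..\\..\\..\\Windows', path.win32);
    out.push('allowed');
  } catch (e) {
    out.push('rejected');
  }
  return out;
}

console.log(demo());
```

The containment check is lexical only: a symlink inside the root that points elsewhere is not detected by it.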
mk-pmb pushed a commit to mk-pmb/nodeftpd that referenced this pull request Feb 5, 2021
Merge pull request nodeftpd#5 from LolHens/master
Fixed nearly all tests

With this commit the code coverage goes to 57 percent. So still not perfect but we're getting there!
:tada: