CVE-2023-35852-1

commit aee1523b4591430ebed1ded0bb95508e6717a335
Author: Jason Ish <jason.ish@oisf.net>
Date:   Tue May 23 15:17:59 2023 -0600

    datasets: don't allow absolute or paths with directory traversal

    For dataset filenames coming from rules, do not allow filenames that
    are absolute or contain a directory traversal with "..". This prevents
    datasets from escaping the define data-directory which may allow a bad
    rule to overwrite any file that Suricata has permission to write to.

    Add a new configuration option,
    "datasets.rules.allow-absolute-filenames" to allow absolute filenames
    in dataset rules. This will be a way to revert back to the pre 6.0.13
    behavior where save/state rules could use any filename.

    Ticket: #6118

Gbp-Pq: Name CVE-2023-35852-1.patch

diff --git a/src/detect-dataset.c b/src/detect-dataset.c
index e3de8c00cb838dea396e66ee8ec631c51149308e..de1a5b416a020447a92479e261462829550a4307 100644 (file)
--- a/src/detect-dataset.c
+++ b/src/detect-dataset.c
@@ -307,8 +307,20 @@ static int SetupSavePath(const DetectEngineCtx *de_ctx,
 {
     SCLogDebug("save %s", save);
 
-    if (PathIsAbsolute(save)) {
-        return 0;
+    int allow_absolute = 0;
+    (void)ConfGetBool("datasets.rules.allow-absolute-filenames", &allow_absolute);
+    if (allow_absolute) {
+        SCLogNotice("Allowing absolute filename for dataset rule: %s", save);
+    } else {
+        if (PathIsAbsolute(save)) {
+            SCLogError(SC_ERR_INVALID_ARGUMENT, "Absolute paths not allowed: %s", save);
+            return -1;
+        }
+
+        if (SCPathContainsTraversal(save)) {
+            SCLogError(SC_ERR_INVALID_ARGUMENT, "Directory traversals not allowed: %s", save);
+            return -1;
+        }
     }
 
     // data dir

diff --git a/src/util-path.c b/src/util-path.c
index de2068dd0eec09af5f33579bb8a1a9a8b85e60f8..22d5e94e0b22e68f1ef1b8724115e3e9468fe7c5 100644 (file)
--- a/src/util-path.c
+++ b/src/util-path.c
@@ -247,3 +247,20 @@ const char *SCBasename(const char *path)
 
     return final + 1;
 }
+
+/**
+ * \brief Check for directory traversal
+ *
+ * \param path The path string to check for traversal
+ *
+ * \retval true if directory traversal is found, otherwise false
+ */
+bool SCPathContainsTraversal(const char *path)
+{
+#ifdef OS_WIN32
+    const char *pattern = "..\\";
+#else
+    const char *pattern = "../";
+#endif
+    return strstr(path, pattern) != NULL;
+}

diff --git a/src/util-path.h b/src/util-path.h
index 8030b3adb15f8100a1ebe3eabb75d399cd8edd84..6f788a8f2513b7880b7deb91668791d339a30b46 100644 (file)
--- a/src/util-path.h
+++ b/src/util-path.h
@@ -41,5 +41,6 @@ bool SCIsRegularDirectory(const struct dirent *const dir_entry);
 bool SCIsRegularFile(const struct dirent *const dir_entry);
 char *SCRealPath(const char *path, char *resolved_path);
 const char *SCBasename(const char *path);
+bool SCPathContainsTraversal(const char *path);
 
 #endif /* __UTIL_PATH_H__ */

diff --git a/suricata.yaml.in b/suricata.yaml.in
index fc18cc7f71c48c06c171ab94243e44a64e141151..8dd81215a1e57b6929da318a5c15461182f35c67 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -976,6 +976,12 @@ asn1-max-frames: 256
 #   defaults:
 #     memcap: 100mb
 #     hashsize: 2048
+#
+#  rules:
+#    # Set to true to allow absolute filenames and filenames that use
+#    # ".." components to reference parent directories in rules that specify
+#    # their filenames.
+#    #allow-absolute-filenames: false
 
 ##############################################################################
 ##