I realized that the __came_from and __redirect_to url parameters I

rouilj · rouilj · commit 002951bf054b · 2016-07-23T14:00:49.000-04:00
added to handle issues with the LoginAction and NewItemAction could
be used for XSS or other purposes.

So I check them using a new clean_url(url) function. This tries to
validate that the url is under the tracker's base url and that the
components of the url are properly url encoded. If it thinks something
is wrong with the url, it will raise a ValueError. I decided to not
attempt to fix the url's if there is an issue, better to bring it to the
tracker admin's attention.

Changed the code paths in NewItemAction and LoginAction that deal with
the form parameters to use the clean_url function on the form input
first.
diff --git a/doc/customizing.txt b/doc/customizing.txt
@@ -1718,10 +1718,13 @@ None of the above (ie. just a simple form value)
 Any of the form variables may be prefixed with a classname or
 designator.
 
-Setting the form variable: ``__redirect_to=`` to a url when @action=new
-redirects the user to the specified url after successfully creating
-the new item. This is useful if you want the user to create another
-item rather than edit the newly created item.
+Setting the form variable: ``__redirect_to=`` to a url when
+@action=new redirects the user to the specified url after successfully
+creating the new item. This is useful if you want the user to create
+another item rather than edit the newly created item.  Note that the
+url assigned to ``__redirect_to`` must be url encoded/quoted and be
+under the tracker's base url. If the base_url uses http, you can set
+the url to https.
 
 Two special form values are supported for backwards compatibility:
 
diff --git a/doc/upgrading.txt b/doc/upgrading.txt
@@ -130,7 +130,10 @@ Login from a search or after logout works better
 The login form has been improved to work with some back end code
 changes. Now when a user logs in they stay on the same page where they
 started the login. To make this work, you must change the tal that is
-used to set the ``__came_from`` form variable.
+used to set the ``__came_from`` form variable. Note that the url
+assigned to __came_from must be url encoded/quoted and be under the
+tracker's base url. If the base_url uses http, you can set the url to 
+https.
 
 Replace the existing code in the tracker's html/page.html page that
 looks similar to (look for name="__came_from")::
@@ -200,7 +203,9 @@ The key component here is support for the '__redirect_to' query
 property. It is a url which can be used when creating any new item
 (issue, user, keyword ....). It controls the next page displayed after
 creating the item. If '__redirect_to' is not set, then you end up on
-the page for the newly created item.
+the page for the newly created item. The url value assigned to
+__redirect_to must be under the tracker's base url and must be properly
+url encoded.
 
 html/_generic.404.html in trackers use page template
 ----------------------------------------------------
diff --git a/roundup/cgi/actions.py b/roundup/cgi/actions.py
@@ -40,6 +40,99 @@ def execute(self):
         self.permission()
         return self.handle()
 
+    def clean_url(self, url):
+        '''Return URL validated to be under self.base and properly escaped
+
+        If url not properly escaped or validation fails raise ValueError.
+
+        To try to prevent XSS attacks, validate that the url that is
+        passed in is under self.base for the tracker. This is used to
+        clean up "__came_from" and "__redirect_to" form variables used
+        by the LoginAction and NewItemAction actions.
+
+        The url that is passed in must be a properly url quoted
+        argument. I.E. all characters that are not valid according to
+        RFC3986 must be % encoded. Schema should be lower case.
+
+        It parses the passed url into components.
+
+        It verifies that the scheme is http or https (so a redirect can
+        force https even if normal access to the tracker is via http).
+        Validates that the network component is the same as in self.base.
+        Validates that the path component in the base url starts the url's
+        path component. It not it raises ValueError. If everything
+        validates:
+
+        For each component, Appendix A of RFC 3986 says the following
+        are allowed:
+
+        pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"
+        query         = *( pchar / "/" / "?" )
+        unreserved    = ALPHA / DIGIT / "-" / "." / "_" / "~"
+        pct-encoded   = "%" HEXDIG HEXDIG
+        sub-delims    = "!" / "$" / "&" / "'" / "(" / ")"
+                         / "*" / "+" / "," / ";" / "="
+
+        Checks all parts with a regexp that matches any run of 0 or
+        more allowed characters. If the component doesn't validate,
+        raise ValueError. Don't attempt to urllib_.quote it. Either
+        it's correct as it comes in or it's a ValueError.
+
+        Finally paste the whole thing together and return the new url.
+        '''
+
+        parsed_url_tuple = urllib_.urlparse(url)
+        parsed_base_url_tuple = urllib_.urlparse(self.base)
+
+        info={ 'url': url,
+               'base_url': self.base,
+               'base_scheme': parsed_base_url_tuple.scheme,
+               'base_netloc': parsed_base_url_tuple.netloc,
+               'base_path': parsed_base_url_tuple.path,
+               'url_scheme': parsed_url_tuple.scheme,
+               'url_netloc': parsed_url_tuple.netloc,
+               'url_path': parsed_url_tuple.path,
+               'url_params': parsed_url_tuple.params,
+               'url_query': parsed_url_tuple.query,
+               'url_fragment': parsed_url_tuple.fragment }
+
+        if parsed_base_url_tuple.scheme == "https":
+            if parsed_url_tuple.scheme != "https":
+                raise ValueError(self._("Base url %(base_url)s requires https. Redirect url %(url)s uses http.")%info)
+        else:
+            if parsed_url_tuple.scheme not in ('http', 'https'):
+                raise ValueError(self._("Unrecognized scheme in %(url)s")%info)
+
+        if parsed_url_tuple.netloc <> parsed_base_url_tuple.netloc:
+            raise ValueError(self._("Net location in %(url)s does not match base: %(base_netloc)s")%info)
+
+        if parsed_url_tuple.path.find(parsed_base_url_tuple.path) <> 0:
+            raise ValueError(self._("Base path %(base_path)s is not a prefix for url %(url)s")%info)
+
+        # I am not sure if this has to be language sensitive.
+        # Do ranges depend on the LANG of the user??
+        # Is there a newer spec for URI's than what I am referencing?
+
+        # Also it really should be % HEXDIG HEXDIG that's allowed
+        # If %%% passes, the roundup server should be able to ignore/
+        # quote it so it doesn't do anything bad otherwise we have a
+        # different vector to handle.
+        allowed_pattern = re.compile(r'''^[A-Za-z0-9@:/?._~%!$&'()*+,;=-]*$''')
+
+        if not allowed_pattern.match(parsed_url_tuple.path):
+           raise ValueError(self._("Path component (%(url_path)s) in %(url)s is not properly escaped")%info)
+
+        if not allowed_pattern.match(parsed_url_tuple.params):
+           raise ValueError(self._("Params component (%(url_params)s) in %(url)s is not properly escaped")%info)
+
+        if not allowed_pattern.match(parsed_url_tuple.query):
+            raise ValueError(self._("Query component (%(url_query)s) in %(url)s is not properly escaped")%info)
+
+        if not allowed_pattern.match(parsed_url_tuple.fragment):
+            raise ValueError(self._("Fragment component (%(url_fragment)s) in %(url)s is not properly escaped")%info)
+
+        return(urllib_.urlunparse(parsed_url_tuple))
+
     name = ''
     permissionType = None
     def permission(self):
@@ -729,7 +822,8 @@ def handle(self):
         # Allow an option to stay on the page to create new things
         if '__redirect_to' in self.form:
             raise exceptions.Redirect('%s&@ok_message=%s'%(
-                self.form['__redirect_to'].value, urllib_.quote(messages)))
+                self.clean_url(self.form['__redirect_to'].value),
+                urllib_.quote(messages)))
 
         # otherwise redirect to the new item's page
         raise exceptions.Redirect('%s%s%s?@ok_message=%s&@template=%s' % (
@@ -1046,7 +1140,9 @@ def handle(self):
             # 4. Define a new redirect_url missing the @...message entries.
             #    This will be redefined if there is a login error to include
             #      a new error message
-            redirect_url_tuple = urllib_.urlparse(self.form['__came_from'].value)
+
+            clean_url = self.clean_url(self.form['__came_from'].value)
+            redirect_url_tuple = urllib_.urlparse(clean_url)
             # now I have a tuple form for the __came_from url
             try:
                 query=urllib_.parse_qs(redirect_url_tuple.query)
diff --git a/test/test_cgi.py b/test/test_cgi.py
@@ -1173,6 +1173,110 @@ def testrenderContext(self):
         self.assertNotEqual(-1, result.index('ok message'))
         # print result
 
+    def testclean_url(self):
+        ''' test the clean_url function '''
+        action = actions.Action(self.client)
+        clean_url = action.clean_url
+
+        # Christmas tree url: test of every component that passes
+        self.assertEqual(
+            clean_url("http://tracker.example/cgi-bin/roundup.cgi/bugs/user3;parm=bar?@template=foo&parm=(zot)#issue"),
+            'http://tracker.example/cgi-bin/roundup.cgi/bugs/user3;parm=bar?@template=foo&parm=(zot)#issue')
+
+        # allow replacing http with https if base is http
+        self.assertEqual(
+            clean_url("https://tracker.example/cgi-bin/roundup.cgi/bugs/user3;parm=bar?@template=foo&parm=(zot)#issue"),
+            'https://tracker.example/cgi-bin/roundup.cgi/bugs/user3;parm=bar?@template=foo&parm=(zot)#issue')
+
+
+        # change base to use https and make sure we don't redirect to http
+        saved_base = action.base
+        action.base = "https://tracker.example/cgi-bin/roundup.cgi/bugs/"
+        with self.assertRaises(ValueError) as cm:
+            clean_url("http://tracker.example/cgi-bin/roundup.cgi/bugs/user3;parm=bar?@template=foo&parm=(zot)#issue")
+        self.assertEqual(cm.exception.message, 'Base url https://tracker.example/cgi-bin/roundup.cgi/bugs/ requires https. Redirect url http://tracker.example/cgi-bin/roundup.cgi/bugs/user3;parm=bar?@template=foo&parm=(zot)#issue uses http.')
+        action.base = saved_base
+
+        # url doesn't have to be valid to roundup, just has to be contained
+        # inside of roundup. No zoik class is defined
+        self.assertEqual(clean_url("http://tracker.example/cgi-bin/roundup.cgi/bugs/zoik7;parm=bar?@template=foo&parm=(zot)#issue"), "http://tracker.example/cgi-bin/roundup.cgi/bugs/zoik7;parm=bar?@template=foo&parm=(zot)#issue")
+
+        # test with wonky schemes
+        with self.assertRaises(ValueError) as cm:
+            clean_url("email://tracker.example/cgi-bin/roundup.cgi/bugs/user3;parm=bar?@template=foo&parm=(zot)#issue"),
+        self.assertEqual(cm.exception.message, 'Unrecognized scheme in email://tracker.example/cgi-bin/roundup.cgi/bugs/user3;parm=bar?@template=foo&parm=(zot)#issue')
+
+        with self.assertRaises(ValueError) as cm:
+            clean_url("http%3a//tracker.example/cgi-bin/roundup.cgi/bugs/user3;parm=bar?@template=foo&parm=(zot)#issue"),
+        self.assertEqual(cm.exception.message, 'Unrecognized scheme in http%3a//tracker.example/cgi-bin/roundup.cgi/bugs/user3;parm=bar?@template=foo&parm=(zot)#issue')
+
+        # test different netloc/path prefix
+        # assert port
+        with self.assertRaises(ValueError) as cm:
+            clean_url("http://tracker.example:1025/cgi-bin/roundup.cgi/bugs/user3;parm=bar?@template=foo&parm=(zot)#issue"),
+        self.assertEqual(cm.exception.message, 'Net location in http://tracker.example:1025/cgi-bin/roundup.cgi/bugs/user3;parm=bar?@template=foo&parm=(zot)#issue does not match base: tracker.example')
+
+        #assert user
+        with self.assertRaises(ValueError) as cm:
+            clean_url("http://user@tracker.example/cgi-bin/roundup.cgi/bugs/user3;parm=bar?@template=foo&parm=(zot)#issue"),
+        self.assertEqual(cm.exception.message, 'Net location in http://user@tracker.example/cgi-bin/roundup.cgi/bugs/user3;parm=bar?@template=foo&parm=(zot)#issue does not match base: tracker.example')
+
+        #assert user:password
+        with self.assertRaises(ValueError) as cm:
+            clean_url("http://user:pass@tracker.example/cgi-bin/roundup.cgi/bugs/user3;parm=bar?@template=foo&parm=(zot)#issue"),
+        self.assertEqual(cm.exception.message, 'Net location in http://user:pass@tracker.example/cgi-bin/roundup.cgi/bugs/user3;parm=bar?@template=foo&parm=(zot)#issue does not match base: tracker.example')
+
+        # try localhost http scheme
+        with self.assertRaises(ValueError) as cm:
+            clean_url("http://localhost/cgi-bin/roundup.cgi/bugs/user3")
+        self.assertEqual(cm.exception.message, 'Net location in http://localhost/cgi-bin/roundup.cgi/bugs/user3 does not match base: tracker.example')
+
+        # try localhost https scheme
+        with self.assertRaises(ValueError) as cm:
+            clean_url("https://localhost/cgi-bin/roundup.cgi/bugs/user3")
+        self.assertEqual(cm.exception.message, 'Net location in https://localhost/cgi-bin/roundup.cgi/bugs/user3 does not match base: tracker.example')
+
+        # try different host
+        with self.assertRaises(ValueError) as cm:
+            clean_url("http://bad.guys.are.us/cgi-bin/roundup.cgi/bugs/user3;parm=bar?@template=foo&parm=(zot)#issue"),
+        self.assertEqual(cm.exception.message, 'Net location in http://bad.guys.are.us/cgi-bin/roundup.cgi/bugs/user3;parm=bar?@template=foo&parm=(zot)#issue does not match base: tracker.example')
+
+        # change the base path to .../bug from .../bugs
+        with self.assertRaises(ValueError) as cm:
+            clean_url("http://tracker.example/cgi-bin/roundup.cgi/bug/user3;parm=bar?@template=foo&parm=(zot)#issue"),
+        self.assertEqual(cm.exception.message, 'Base path /cgi-bin/roundup.cgi/bugs/ is not a prefix for url http://tracker.example/cgi-bin/roundup.cgi/bug/user3;parm=bar?@template=foo&parm=(zot)#issue')
+
+        # change the base path eliminate - in cgi-bin
+        with self.assertRaises(ValueError) as cm:
+            clean_url("http://tracker.example/cgibin/roundup.cgi/bug/user3;parm=bar?@template=foo&parm=(zot)#issue"),
+        self.assertEqual(cm.exception.message, 'Base path /cgi-bin/roundup.cgi/bugs/ is not a prefix for url http://tracker.example/cgibin/roundup.cgi/bug/user3;parm=bar?@template=foo&parm=(zot)#issue')
+
+
+        # scan for unencoded characters
+        # we skip schema and net location since unencoded character
+        # are allowed only by an explicit match to a reference.
+        #
+        # break components with unescaped character '<'
+        # path component
+        with self.assertRaises(ValueError) as cm:
+            clean_url("http://tracker.example/cgi-bin/roundup.cgi/bugs/<user3;parm=bar?@template=foo&parm=(zot)#issue"),
+        self.assertEqual(cm.exception.message, 'Path component (/cgi-bin/roundup.cgi/bugs/<user3) in http://tracker.example/cgi-bin/roundup.cgi/bugs/<user3;parm=bar?@template=foo&parm=(zot)#issue is not properly escaped')
+
+        # params component
+        with self.assertRaises(ValueError) as cm:
+            clean_url("http://tracker.example/cgi-bin/roundup.cgi/bugs/user3;parm=b<ar?@template=foo&parm=(zot)#issue"),
+        self.assertEqual(cm.exception.message, 'Params component (parm=b<ar) in http://tracker.example/cgi-bin/roundup.cgi/bugs/user3;parm=b<ar?@template=foo&parm=(zot)#issue is not properly escaped')
+
+        # query component
+        with self.assertRaises(ValueError) as cm:
+            clean_url("http://tracker.example/cgi-bin/roundup.cgi/bugs/user3;parm=bar?@template=<foo>&parm=(zot)#issue"),
+        self.assertEqual(cm.exception.message, 'Query component (@template=<foo>&parm=(zot)) in http://tracker.example/cgi-bin/roundup.cgi/bugs/user3;parm=bar?@template=<foo>&parm=(zot)#issue is not properly escaped')
+
+        # fragment component
+        with self.assertRaises(ValueError) as cm:
+            clean_url("http://tracker.example/cgi-bin/roundup.cgi/bugs/user3;parm=bar?@template=foo&parm=(zot)#iss<ue"),
+        self.assertEqual(cm.exception.message, 'Fragment component (iss<ue) in http://tracker.example/cgi-bin/roundup.cgi/bugs/user3;parm=bar?@template=foo&parm=(zot)#iss<ue is not properly escaped')
+
 class TemplateTestCase(unittest.TestCase):
     ''' Test the template resolving code, i.e. what can be given to @template
     '''
