-
-
Notifications
You must be signed in to change notification settings - Fork 26.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use file name whitelist to prevent RCE #4866
Conversation
Use a whitelist to validate user-provided file names. This doesn't cover the entire range of valid filenames but should cover almost all of them in practice. Allows letters, numbers, periods, dashes, and underscores. Opting to use a whitelist instead of a blacklist because getting this wrong leaves us vulnerable to a RCE attack.
4328730
to
f928fee
Compare
We're probably cutting a 1.x soon, so a separate PR for master would be great (unless if this cherry picks cleanly)! |
A few things I’d like to see
|
What if we opened a file explaining why their file didn't open when a request is rejected? This would encourage them to file an issue, rename their file, or check their system and package tree for integrity. Something like rce.md in our package internals. Is there a npm package that checks this with greater accuracy? |
I think this is fine as a stop measure. |
Updated. Once y'all are happy with this I'll open a duplicate PR against master. |
Looks reasonable to me. Can we print something to the console when it happens? Like we do in this file when env variable isn’t set. |
Updated the whitelist to /^[\p{L}0-9/.\-_]+$/u, which matches alphanumeric characters, periods, dashes, and underscores. Unicode property support is stage 4 so I've inlined the transpiled version.
5abec23
to
c1ef946
Compare
'When running on Windows, file names are checked against a whitelist ' + | ||
'to protect against remote code execution attacks. File names may ' + | ||
'consist only of alphanumeric characters (all languages), periods, ' + | ||
'dashes, slashes, and underscores.' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@gaearon How's this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good
@acdlite Can you do some testing to confirm it works on intended on Windows (and that it mitigates the example you used)? |
Sorry, neglected to check back on this. Yeah I tested it on a VM. |
Cool. I'll release today. Can you prepare a master PR please too? |
* Use file name whitelist to prevent RCE Use a whitelist to validate user-provided file names. This doesn't cover the entire range of valid filenames but should cover almost all of them in practice. Allows letters, numbers, periods, dashes, and underscores. Opting to use a whitelist instead of a blacklist because getting this wrong leaves us vulnerable to a RCE attack. * Allow alphabet characters from all languages Updated the whitelist to /^[\p{L}0-9/.\-_]+$/u, which matches alphanumeric characters, periods, dashes, and underscores. Unicode property support is stage 4 so I've inlined the transpiled version. * Only use file name whitelist on Windows * Log error message if file name does not pass whitelist
I released
I'll also cut a new release from the |
Also released |
* Add modes to our Babel preset (1.x) (facebook#4668) * babel-preset-react-app@3.1.2 * add react-testing-library documentation/examples (facebook#4679) * add react-testing-library documentation/examples * make react-testing-library a heading * fix typo * Fix link to the article about BEM (facebook#4858) * Use file name whitelist to prevent RCE (facebook#4866) * Use file name whitelist to prevent RCE Use a whitelist to validate user-provided file names. This doesn't cover the entire range of valid filenames but should cover almost all of them in practice. Allows letters, numbers, periods, dashes, and underscores. Opting to use a whitelist instead of a blacklist because getting this wrong leaves us vulnerable to a RCE attack. * Allow alphabet characters from all languages Updated the whitelist to /^[\p{L}0-9/.\-_]+$/u, which matches alphanumeric characters, periods, dashes, and underscores. Unicode property support is stage 4 so I've inlined the transpiled version. * Only use file name whitelist on Windows * Log error message if file name does not pass whitelist * Bump versions * Bump release * Add 1.1.5 release notes
I may be missing something. Shouldn't the |
* facebook-master: Add 1.1.5 release notes Bump release Bump versions Use file name whitelist to prevent RCE (facebook#4866) Fix link to the article about BEM (facebook#4858)
Hmm actually I completely forgot about this check. Maybe you’re right this mostly mitigates it. But doesn’t hurt to check more aggressively. |
@ForbesLindesay I double-checked in the vulnerability report, and indeed there is a way to fool this check by forcing a browser to download a file with a specially crafted name. It requires knowing some easily guessable things about the attack target but it's not implausible. |
Summary: Use a whitelist to validate user-provided file names. This doesn't cover the entire range of valid filenames but should cover almost all of them in practice. Allows letters, numbers, periods, dashes, and underscores. Opting to use a whitelist instead of a blacklist because getting this wrong leaves us vulnerable to a RCE attack. This is the same patch I submitted to create-react-app: facebook/create-react-app#4866 See s163726 for more details Reviewed By: LukasReschke Differential Revision: D9504148 fbshipit-source-id: e3c7587f1b7f93bec90a58a38d5f6d58f1f59275
Summary: Use a whitelist to validate user-provided file names. This doesn't cover the entire range of valid filenames but should cover almost all of them in practice. Allows letters, numbers, periods, dashes, and underscores. Opting to use a whitelist instead of a blacklist because getting this wrong leaves us vulnerable to a RCE attack. This is the same patch I submitted to create-react-app: facebook/create-react-app#4866 See s163726 for more details Reviewed By: LukasReschke Differential Revision: D9504148 fbshipit-source-id: e3c7587f1b7f93bec90a58a38d5f6d58f1f59275
Summary: Use a whitelist to validate user-provided file names. This doesn't cover the entire range of valid filenames but should cover almost all of them in practice. Allows letters, numbers, periods, dashes, and underscores. Opting to use a whitelist instead of a blacklist because getting this wrong leaves us vulnerable to a RCE attack. This is the same patch I submitted to create-react-app: facebook/create-react-app#4866 See s163726 for more details Reviewed By: LukasReschke Differential Revision: D9504148 fbshipit-source-id: e3c7587f1b7f93bec90a58a38d5f6d58f1f59275
It looks like this completely broke the click-to-open functionality on Windows. |
Seems like we'll need to release five patches again because with these patches, we broke it for all versions. No valid Windows file path can pass this regex because it always starts with |
Cut fixes in:
|
* commit 'dc74990b89b5c6e143b522c759be3dac2c286514': Add 1.1.5 release notes Bump release Bump versions Use file name whitelist to prevent RCE (facebook#4866)
Use a whitelist to validate user-provided file names. This doesn't cover the entire range of valid filenames but should cover almost all of them in practice. Allows letters, numbers, periods, dashes, and underscores. Opting to use a whitelist instead of a blacklist because getting this wrong leaves us vulnerable to a RCE attack.
Should I submit a separate PR to the
master
branch?