Use file name whitelist to prevent RCE #4866
Conversation
Use a whitelist to validate user-provided file names. This doesn't cover the entire range of valid filenames but should cover almost all of them in practice. Allows letters, numbers, periods, dashes, and underscores. Opting to use a whitelist instead of a blacklist because getting this wrong leaves us vulnerable to a RCE attack.
acdlite
force-pushed
the
file-name-whitelist
branch
from
4328730
to
f928fee
Compare
acdlite
changed the title
|
We're probably cutting a 1.x soon, so a separate PR for master would be great (unless if this cherry picks cleanly)! |
|
A few things I’d like to see
|
|
What if we opened a file explaining why their file didn't open when a request is rejected? This would encourage them to file an issue, rename their file, or check their system and package tree for integrity. Something like rce.md in our package internals. Is there a npm package that checks this with greater accuracy? |
|
I think this is fine as a stop measure. |
|
Updated. Once y'all are happy with this I'll open a duplicate PR against master. |
|
Looks reasonable to me. Can we print something to the console when it happens? Like we do in this file when env variable isn’t set. |
Updated the whitelist to /^[\p{L}0-9/.\-_]+$/u, which matches
alphanumeric characters, periods, dashes, and underscores. Unicode
property support is stage 4 so I've inlined the transpiled version.
acdlite
force-pushed
the
file-name-whitelist
branch
from
5abec23
to
c1ef946
Compare
| 'When running on Windows, file names are checked against a whitelist ' + | ||
| 'to protect against remote code execution attacks. File names may ' + | ||
| 'consist only of alphanumeric characters (all languages), periods, ' + | ||
| 'dashes, slashes, and underscores.' |
There was a problem hiding this comment.
@gaearon How's this?
|
@acdlite Can you do some testing to confirm it works on intended on Windows (and that it mitigates the example you used)? |
|
Sorry, neglected to check back on this. Yeah I tested it on a VM. |
|
Cool. I'll release today. Can you prepare a master PR please too? |
* Use file name whitelist to prevent RCE
Use a whitelist to validate user-provided file names. This doesn't cover
the entire range of valid filenames but should cover almost all of them
in practice. Allows letters, numbers, periods, dashes, and underscores.
Opting to use a whitelist instead of a blacklist because getting this
wrong leaves us vulnerable to a RCE attack.
* Allow alphabet characters from all languages
Updated the whitelist to /^[\p{L}0-9/.\-_]+$/u, which matches
alphanumeric characters, periods, dashes, and underscores. Unicode
property support is stage 4 so I've inlined the transpiled version.
* Only use file name whitelist on Windows
* Log error message if file name does not pass whitelist
|
I released
I'll also cut a new release from the |
|
Also released |
* Add modes to our Babel preset (1.x) (facebook#4668) * [email protected] * add react-testing-library documentation/examples (facebook#4679) * add react-testing-library documentation/examples * make react-testing-library a heading * fix typo * Fix link to the article about BEM (facebook#4858) * Use file name whitelist to prevent RCE (facebook#4866) * Use file name whitelist to prevent RCE Use a whitelist to validate user-provided file names. This doesn't cover the entire range of valid filenames but should cover almost all of them in practice. Allows letters, numbers, periods, dashes, and underscores. Opting to use a whitelist instead of a blacklist because getting this wrong leaves us vulnerable to a RCE attack. * Allow alphabet characters from all languages Updated the whitelist to /^[\p{L}0-9/.\-_]+$/u, which matches alphanumeric characters, periods, dashes, and underscores. Unicode property support is stage 4 so I've inlined the transpiled version. * Only use file name whitelist on Windows * Log error message if file name does not pass whitelist * Bump versions * Bump release * Add 1.1.5 release notes
|
I may be missing something. Shouldn't the |
* facebook-master: Add 1.1.5 release notes Bump release Bump versions Use file name whitelist to prevent RCE (facebook#4866) Fix link to the article about BEM (facebook#4858)
|
Hmm actually I completely forgot about this check. Maybe you’re right this mostly mitigates it. But doesn’t hurt to check more aggressively. |
|
@ForbesLindesay I double-checked in the vulnerability report, and indeed there is a way to fool this check by forcing a browser to download a file with a specially crafted name. It requires knowing some easily guessable things about the attack target but it's not implausible. |
Summary: Use a whitelist to validate user-provided file names. This doesn't cover the entire range of valid filenames but should cover almost all of them in practice. Allows letters, numbers, periods, dashes, and underscores. Opting to use a whitelist instead of a blacklist because getting this wrong leaves us vulnerable to a RCE attack. This is the same patch I submitted to create-react-app: facebook/create-react-app#4866 See s163726 for more details Reviewed By: LukasReschke Differential Revision: D9504148 fbshipit-source-id: e3c7587f1b7f93bec90a58a38d5f6d58f1f59275
Summary: Use a whitelist to validate user-provided file names. This doesn't cover the entire range of valid filenames but should cover almost all of them in practice. Allows letters, numbers, periods, dashes, and underscores. Opting to use a whitelist instead of a blacklist because getting this wrong leaves us vulnerable to a RCE attack. This is the same patch I submitted to create-react-app: facebook/create-react-app#4866 See s163726 for more details Reviewed By: LukasReschke Differential Revision: D9504148 fbshipit-source-id: e3c7587f1b7f93bec90a58a38d5f6d58f1f59275
Summary: Use a whitelist to validate user-provided file names. This doesn't cover the entire range of valid filenames but should cover almost all of them in practice. Allows letters, numbers, periods, dashes, and underscores. Opting to use a whitelist instead of a blacklist because getting this wrong leaves us vulnerable to a RCE attack. This is the same patch I submitted to create-react-app: facebook/create-react-app#4866 See s163726 for more details Reviewed By: LukasReschke Differential Revision: D9504148 fbshipit-source-id: e3c7587f1b7f93bec90a58a38d5f6d58f1f59275
|
It looks like this completely broke the click-to-open functionality on Windows. |
|
Seems like we'll need to release five patches again because with these patches, we broke it for all versions. No valid Windows file path can pass this regex because it always starts with |
* commit 'dc74990b89b5c6e143b522c759be3dac2c286514': Add 1.1.5 release notes Bump release Bump versions Use file name whitelist to prevent RCE (facebook#4866)
Use a whitelist to validate user-provided file names. This doesn't cover the entire range of valid filenames but should cover almost all of them in practice. Allows letters, numbers, periods, dashes, and underscores. Opting to use a whitelist instead of a blacklist because getting this wrong leaves us vulnerable to a RCE attack.
Should I submit a separate PR to the
masterbranch?