[ruby-core:92580] [Ruby trunk Bug#15835] Path traversal symlink - WEBrick

[ruby-core:92580] [Ruby trunk Bug#15835] Path traversal symlink - WEBrick

[mishra.dhiraj95]

Issue #15835 has been reported by Dhiraj (Dhiraj Mishra).

----------------------------------------
Bug #15835: Path traversal symlink - WEBrick
https://bugs.ruby-lang.org/issues/15835

* Author: Dhiraj (Dhiraj Mishra)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 2.6.3
* Backport: 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN
----------------------------------------
**Summary:**
A path traversal issue was observed in WEBrick ( WEBrick/1.4.2 (Ruby/2.6.3/2019-04-16)) via symlink. WEBrick serves static page for the current directory once enabled, however using symlink attacker could view data outside the hosted/running directory.

**Steps to reproduce:**
> mkdir nothing
> cd nothing
> ln -s ../../ symlnk
> ruby -run -ehttpd . -p8080

**Impact:**
This would allow the attacker to view sensitive data outside the root/running directory. 

**Recommendation:**
We can probably educate users about this behavior in the WebBrick documentation and providing a flag/parameter to disable/enable following symlinks.



-- 
https://bugs.ruby-lang.org/

[ruby-core:92583] [Ruby trunk Bug#15835] Path traversal symlink - WEBrick

[naruse]

Issue #15835 has been updated by naruse (Yui NARUSE).

Status changed from Open to Feedback

On Apache with `FollowSymLinks` enabled, it can traverse out of DocumentRoot.
hxxps://httpd.apache.org/docs/2.4/en/urlmapping.html
Therefore it's not a problem.

----------------------------------------
Bug #15835: Path traversal symlink - WEBrick
https://bugs.ruby-lang.org/issues/15835#change-77945

* Author: Dhiraj (Dhiraj Mishra)
* Status: Feedback
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 2.6.3
* Backport: 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN
----------------------------------------
**Summary:**
A path traversal issue was observed in WEBrick ( WEBrick/1.4.2 (Ruby/2.6.3/2019-04-16)) via symlink. WEBrick serves static page for the current directory once enabled, however using symlink attacker could view data outside the hosted/running directory.

**Steps to reproduce:**
> mkdir nothing
> cd nothing
> ln -s ../../ symlnk
> ruby -run -ehttpd . -p8080

**Impact:**
This would allow the attacker to view sensitive data outside the root/running directory. 

**Recommendation:**
We can probably educate users about this behavior in the WebBrick documentation and providing a flag/parameter to disable/enable following symlinks.



-- 
https://bugs.ruby-lang.org/

[ruby-core:92599] [Ruby trunk Bug#15835] Path traversal symlink - WEBrick

[shevegen]

Issue #15835 has been updated by shevegen (Robert A. Heiler).


While I agree with naruse, it may be worthwhile to mention this briefly at e. g. 
https://ruby-doc.org/stdlib/libdoc/webrick/rdoc/WEBrick.html - it could still surprise
users so it could be useful to mention it; perhaps at the section "WEBrick can be run
as a production server for small loads.".

As writing documentation is always a bit tedious, I will try my luck with a slight
modification to it here, from:

"WEBrick can be run as a production server for small loads. Be aware that symlinks 
might allow users to view data outside of the designated root directory, such as
for the Apache webserver with the FollowSymlinks option enabled".

Not sure if this is great but I just wanted to provide a bit of text - perhaps it
can help others adapt it and write an improved documentation; it's just a suggestion.

----------------------------------------
Bug #15835: Path traversal symlink - WEBrick
https://bugs.ruby-lang.org/issues/15835#change-77959

* Author: Dhiraj (Dhiraj Mishra)
* Status: Feedback
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 2.6.3
* Backport: 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN
----------------------------------------
**Summary:**
A path traversal issue was observed in WEBrick ( WEBrick/1.4.2 (Ruby/2.6.3/2019-04-16)) via symlink. WEBrick serves static page for the current directory once enabled, however using symlink attacker could view data outside the hosted/running directory.

**Steps to reproduce:**
> mkdir nothing
> cd nothing
> ln -s ../../ symlnk
> ruby -run -ehttpd . -p8080

**Impact:**
This would allow the attacker to view sensitive data outside the root/running directory. 

**Recommendation:**
We can probably educate users about this behavior in the WebBrick documentation and providing a flag/parameter to disable/enable following symlinks.



-- 
https://bugs.ruby-lang.org/