Fix a vulnerability in the Rserve code. #1229
base: PG-2.20
Conversation
Note this is built on top of #1213.
I tried running the PG problem posted above on this branch and getting a I was trying to test that the file writing is disallowed now. Do you have another version of this problem that will show that this fails to write a file.

Yes, the problem is designed to work with the develop branch (or any other branch of webwork). It obviously won't work with this pull request because this removes the
This fixes the writing outside of the course vulnerability.
This requires a change to the `Statistics::R::IO::Rserve` package. The vulnerability is directly in that package, as its `get_file` method allows the caller to pass an arbitrary local file name, and it will retrieve the remote file and save it to that file as long as the server has write permission to do so. I have submitted a pull request to the GitHub repository for the `Statistics::R::IO` package that would work to prevent that, and also emailed the author directly, but have received no response. Furthermore, the package has not had any changes since 2017. So at this point I think that we are going to need to consider the `Statistics::R::IO` package unmaintained and move on from that package.

As such, this pull request adds PG's own implementation. It is pretty much the `Statistics::R::IO::Rserve` package, but all of the other things that aren't needed by WeBWorK and PG are removed. Since this is part of PG, the `get_file` method can save to the requested file name using the `WeBWorK::PG::IO::saveDataFile` method, which refuses to save anything outside of the html temporary directory.

Note that this implementation does not use `Class::Tiny` or `Class::Tiny::Antler`, so those modules should be removed from the modules that are shared to the safe compartment. That is done in the `conf/pg_config.dist.yml` file, but a separate pull request will be needed to do this for webwork2. It is not critical; the package is not dangerous to have shared, just not needed.

There are unit tests for both the `Rserve` package and the `RserveClient.pl` macro. Some of the tests require an R connection. Those tests are skipped if that is not available. The `r-base-core` and `r-cran-rserve` Ubuntu packages have been added to the docker build and the GitHub unit test action. Rserve is started by a docker entrypoint script and in the GitHub action, so that the tests are run both in the docker container and in the GitHub action.
You can use the attached file to test the vulnerability with the develop branch.
r-serve-vulnerability.pg.txt
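As an added illustration of the write-confinement check the fix relies on (this is not code from the PG project and not its `WeBWorK::PG::IO::saveDataFile`; it is a stand-alone Python equivalent written for this page), the snippet below shows a `get_file` that writes wherever the caller asks, beside one that canonicalises the requested name under an allowed directory and refuses anything that escapes it: `..` segments, absolute paths, a symlink planted inside the directory, and a sibling directory that merely shares the allowed directory's name as a prefix. The directory names, the payload bytes and the list of requests are constructed for the demo.

```python
import os
import tempfile


class PathOutsideAllowedDirectory(Exception):
    """Raised when a requested file name would resolve outside the allowed directory."""


def confine_path(allowed_dir, requested):
    """Return the canonical path for `requested` under `allowed_dir`, or raise.

    Both sides go through realpath so that `..`, repeated separators and
    symlinks are resolved before comparing. commonpath is used instead of a
    plain string-prefix test so that `/var/html_tmp2` cannot pass as being
    inside `/var/html_tmp`.
    """
    base = os.path.realpath(allowed_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if target == base or os.path.commonpath([base, target]) != base:
        raise PathOutsideAllowedDirectory(
            f"{requested!r} resolves to {target}, outside {base}")
    return target


def get_file_unsafe(remote_bytes, local_name):
    """The pattern described in the PR: the caller names the local file and the
    bytes land wherever the server process is allowed to write."""
    with open(local_name, "wb") as fh:
        fh.write(remote_bytes)
    return local_name


def get_file_confined(remote_bytes, local_name, allowed_dir):
    """Hardened variant: the name is only ever interpreted relative to
    allowed_dir, and an escaping name is refused before anything is written."""
    target = confine_path(allowed_dir, local_name)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(remote_bytes)
    return target


def demo():
    """Run the confined writer against a constructed temp layout.

    Returns (accepted, expected): accepted maps each request to True if a file
    was written inside the allowed directory, False if it was refused;
    expected is what a correct confinement check should produce.
    """
    allowed = tempfile.mkdtemp(prefix="html_tmp_")      # constructed: stands in for the html temp dir
    outside = tempfile.mkdtemp(prefix="outside_")       # constructed: somewhere the server can write
    os.symlink(outside, os.path.join(allowed, "link"))  # symlink escape attempt planted inside
    sibling = os.path.realpath(allowed) + "2"           # prefix-collision attempt
    os.makedirs(sibling, exist_ok=True)
    payload = b"fake remote file contents"              # constructed: stands in for the Rserve transfer

    expected = {
        "plot.png": True,
        "sub/dir/plot.png": True,
        "sub/../plot2.png": True,
        "../escape.txt": False,
        "/etc/passwd": False,
        "link/evil.txt": False,
        "../" + os.path.basename(sibling) + "/evil.txt": False,
    }
    accepted = {}
    canonical = os.path.realpath(allowed) + os.sep
    for name in expected:
        try:
            written = get_file_confined(payload, name, allowed)
            accepted[name] = written.startswith(canonical)
        except PathOutsideAllowedDirectory:
            accepted[name] = False
    return accepted, expected


if __name__ == "__main__":
    accepted, expected = demo()
    for name, ok in accepted.items():
        print(f"{'wrote' if ok else 'refused'}: {name}")
    assert accepted == expected
```

The point of the symlink and sibling-directory cases is that a check done on the raw string (a `startswith` on the unnormalised name, or a scan for `..`) passes both of them; only resolving the final path and then comparing components catches them, which is the same property a `saveDataFile`-style gate has to provide.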