[jira] Created: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable


by JIRA jira@apache.org

Asset dispatcher allows any file inside the webapp visible and downloadable
---------------------------------------------------------------------------

                 Key: TAP5-815
                 URL: https://issues.apache.org/jira/browse/TAP5-815
             Project: Tapestry 5
          Issue Type: Bug
    Affects Versions: 5.1.0.5
            Reporter: Thiago H. de Paula Figueiredo
            Priority: Blocker


Take any asset and you have a URL like domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files inside the webapp root is shown. It gives you the hint at downloading any file you want, including anything inside WEB-INF and assets that should be protected by ResourceDigestGenerator.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable



    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12743694#action_12743694 ]

Thiago H. de Paula Figueiredo commented on TAP5-815:
----------------------------------------------------

The problem seems to be in this snippet at AssetResourceLocatorImpl:

        if (path.startsWith(applicationAssetPrefix))
            return findContextResource(path.substring(applicationAssetPrefix.length()));

        String resourcePath = aliasManager.toResourcePath(path);

        Resource resource = new ClasspathResource(resourcePath);

        if (!resourceCache.requiresDigest(resource)) return resource;

The digest is never taken when the resource path starts with the application asset prefix, which is exactly the path prefix used in this bug.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable



    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12747826#action_12747826 ]

Ulrich Stärk commented on TAP5-815:
-----------------------------------

In 5.2-SNAPSHOT you can still access files located on the classpath or in the webapp context, except for .class and .tml files in the classpath (due to ResourceDigestGenerator). .tml files in the context are still accessible. There is no directory listing though. So this also partly applies to the current development tree.

The problem here is that Tapestry is using a blacklisting approach: It allows all access unless otherwise specified, for example by contributing to the ResourceDigestGenerator. This principle is insecure by design. Instead Tapestry should do whitelisting, i.e. only allow access to explicitly allowed resources. Since Tapestry already knows about all the Assets required by a page or component (by looking at the @Path, @IncludeJavaScriptLibrary and @IncludeStylesheet annotations and the context: and asset: binding prefixes), such a whitelisting approach could be realized: Just allow access to Assets really required by pages or components.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable



    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12747886#action_12747886 ]

Thiago H. de Paula Figueiredo commented on TAP5-815:
----------------------------------------------------

I agree with Ulrich that a whitelist approach is probably the best one, but allowing only access to assets used in pages is too restrictive IMHO. It would make working with anything that isn't a Tapestry page a hassle. I would suggest to have a chain of command, each object in it receiving the requested URL and responding true (ok), false (file is forbidden) or null (this object doesn't handle this URL, ask the same thing to the next object). This chain of command terminator would be a very restrictive one.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable



    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12747889#action_12747889 ]

Ulrich Stärk commented on TAP5-815:
-----------------------------------

Accessing a Tapestry-managed asset from a non-Tapestry source like a static html file should be avoided IMO. Such assets should be stored in the webapp context and can then be handled by the container and not by Tapestry.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable



    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12747895#action_12747895 ]

Thiago H. de Paula Figueiredo commented on TAP5-815:
----------------------------------------------------

I agree with Ulrich. The Tapestry asset handling should only be used by Tapestry components, pages and mixins.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable



    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12748050#action_12748050 ]

Robert Zeigler commented on TAP5-815:
-------------------------------------

Ulrich, "Just allow access to Assets really required by pages or components" is easier said than done.  The assets required by a page are not known until the first time a page is requested and the corresponding page model is built.  Which means that it's difficult, at best, for an IOC module to access this information at service instantiation time; it will be instantiated when the first request comes in, /before/ the corresponding page is even loaded (due to dispatcher ordering), and that's on the first request, for a single page, before any other pages are loaded.  Any sort of asset authorization service that wanted to auto-enable required assets would need to have some sort of "addVisibleResource" method that is called whenever an asset is encountered/created during render.  I would advocate instead a whitelist approach where allowed files/file patterns are contributed via ioc contributions.  This would simplify things significantly.

As for assets used only by components, pages, and mixins, that's also a bit tricky, since it's possible for someone to write an alternative asset source that's used, eg, for file downloads (ie, not necessarily directly referenced by a page/component/mixin).

Incidentally, a long while ago, I implemented and made available for public use an "AssetProtectionDispatcher" that is configured essentially via chain of command as specified by Thiago above, with slight variation (a bit more flexible; individual contributions specify whether they explicitly allow or deny access).  The module further provides two "AssetPathAuthorizer" implementations: one for explicit whitelisting by resource name, and the other for whitelisting by url pattern, with the whitelist being the last in the chain of command.  The module contributes a default set of values to the whitelist (everything used by tapestry's core components), but you'll need to add explicit access to other resources (eg: contributing a .*\.jpg to the RegexAuthorizer).

Maven repo:
http://maven.saiwai-solutions.com
groupid: com.saiwaisolutions
artifactid: AssetProtectionDispatcher
version: 1.0.0

Alternatively, an older version is available on Tassel:
http://saiwai-solutions.com/Tassel/app?service=external/ViewComponent&sp=SAssetProtectionDispatcher

Version 1.0.0 also adds some default configurations to handle chenillekit-based assets.
Cheers!



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable



    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12748057#action_12748057 ]

Ulrich Stärk commented on TAP5-815:
-----------------------------------

I had some singleton service holding a collection of allowed assets in mind. This would be injected into AssetSource and queried whether access should be allowed. Allowed Assets get added from AssetObjectProvider, AssetInjectionProvider, IncludeJavaScriptLibraryWorker, IncludeStylesheetWorker, ContextBindingFactory and AssetBindingFactory.
If people choose to override the default AssetSource they have to live with being responsible for taking care of security. We could btw. also do the checks in the corresponding AssetFactories.

Uli



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable



    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773228#action_12773228 ]

Christian Köberl commented on TAP5-815:
---------------------------------------

At least the directory index should be fixed quickly. This is a massive security issue for all Tapestry applications.
e.g. http://tapestry-test.appspot.com/assets/

A simple check in AssetDispatcher like this would help:
        if(path.endsWith("/") || path.indexOf('.') < 0)
                return false;


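The chain-of-command authorizer Thiago proposed, as Robert describes his module implementing it, with Christian's directory-request check placed as the first link and a deny-everything terminator last. This is an added illustration, not Robert's AssetProtectionDispatcher or Tapestry's own API: the AssetPathAuthorizer signature, the class names and the sample asset paths are assumed, and the chain is shown stand-alone rather than wired into AssetDispatcher.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/** One link in the chain: TRUE = allow, FALSE = forbid, null = not mine to decide, ask the next link. */
interface AssetPathAuthorizer {
    Boolean accessAllowed(String path);
}

/** Christian's check as the first link: directory-style requests (trailing slash, no extension) are refused. */
final class DirectoryRequestDenier implements AssetPathAuthorizer {
    public Boolean accessAllowed(String path) {
        return (path.endsWith("/") || path.indexOf('.') < 0) ? Boolean.FALSE : null;
    }
}

/** Whitelist by exact resource path (hypothetical counterpart of "whitelisting by resource name"). */
final class ExplicitNameAuthorizer implements AssetPathAuthorizer {
    private final Set<String> allowed;
    ExplicitNameAuthorizer(String... paths) { allowed = new HashSet<>(Arrays.asList(paths)); }
    public Boolean accessAllowed(String path) { return allowed.contains(path) ? Boolean.TRUE : null; }
}

/** Whitelist by URL pattern; each pattern must match the whole path, not just a prefix. */
final class RegexAuthorizer implements AssetPathAuthorizer {
    private final List<Pattern> patterns = new ArrayList<>();
    RegexAuthorizer(String... regexes) { for (String r : regexes) patterns.add(Pattern.compile(r)); }
    public Boolean accessAllowed(String path) {
        for (Pattern p : patterns) if (p.matcher(path).matches()) return Boolean.TRUE;
        return null;
    }
}

/** Thiago's restrictive terminator: whatever no earlier link explicitly allowed is forbidden. */
final class DenyAllTerminator implements AssetPathAuthorizer {
    public Boolean accessAllowed(String path) { return Boolean.FALSE; }
}

/**
 * Hypothetical stand-in for the decision the AssetDispatcher would make before serving a file.
 * Assumes the dispatcher hands over the path it has already resolved; run the name and pattern
 * checks on that resolved path, never on raw request text.
 */
final class AssetProtectionChain {
    private final List<AssetPathAuthorizer> links;
    AssetProtectionChain(AssetPathAuthorizer... links) { this.links = Arrays.asList(links); }

    boolean accessAllowed(String path) {
        for (AssetPathAuthorizer link : links) {
            Boolean decision = link.accessAllowed(path);
            if (decision != null) return decision;
        }
        return false; // a chain configured without a terminator still fails closed
    }
}

public class AssetProtectionDemo {
    public static void main(String[] args) {
        AssetProtectionChain chain = new AssetProtectionChain(
            new DirectoryRequestDenier(),
            new ExplicitNameAuthorizer("/assets/ctx/f10407a6c1753e39/favicon.ico"),
            // Scope patterns to the folders you actually publish: a bare ".*\\.css" would
            // re-open every stylesheet anywhere under the webapp root, WEB-INF included.
            new RegexAuthorizer("/assets/ctx/[0-9a-f]+/css/[^/]+\\.css"),
            new DenyAllTerminator());

        // Constructed sample requests, modelled on the URL shape from the issue description.
        String[] requests = {
            "/assets/ctx/f10407a6c1753e39/css/main.css",    // ALLOW: matches the css pattern
            "/assets/ctx/f10407a6c1753e39/favicon.ico",     // ALLOW: explicitly named
            "/assets/ctx/f10407a6c1753e39/",                // FORBID: directory listing request
            "/assets/ctx/f10407a6c1753e39/WEB-INF/web.xml", // FORBID: nobody whitelisted it
        };
        for (String r : requests)
            System.out.println((chain.accessAllowed(r) ? "ALLOW  " : "FORBID ") + r);
    }
}
```

Because the terminator answers FALSE for anything that reaches it, the guessed-location concern raised later in the thread is covered by the same rule that blocks the listing.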


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable



    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773640#action_12773640 ]

David Rees commented on TAP5-815:
---------------------------------

This similarly affects 5.0.18 as well - and the issue has been open for quite some time.  Is 5.0 maintained at all for security related issues?  What about 5.1?



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable



    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773653#action_12773653 ]

Alex Kotchnev commented on TAP5-815:
------------------------------------

I'm totally blown away by the lack of interest this issue has received. In my opinion, this is the type of issue that FORCES a point release, it is that severe and important. There are several existing solutions that can easily be plugged into the framework, yet no action.

To my dismay, this has been open since Aug, and the issue has been known for 5.0 for a lot longer than that.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable



    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773830#action_12773830 ]

Christian Riedel commented on TAP5-815:
---------------------------------------

Well, it's just half as popular as TAP-138 :)
I think if anyone contributes a framework-ready solution, some committer will do a security release.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable



    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773833#action_12773833 ]

Igor Drobiazko commented on TAP5-815:
-------------------------------------

Can we live with Robert's solution? Please comment.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable



    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773838#action_12773838 ]

Ulrich Stärk commented on TAP5-815:
-----------------------------------

I guess we could, but having another mechanism for securing assets (in addition to ResourceDigestGenerator) adds another layer of complexity. So if we integrated that into Tapestry - and we definitely have to integrate something as important as this - we should get rid of ResourceDigestGenerator.
Alternatively we could use ResourceDigestGenerator to also secure context assets and integrate Christian's code snippet to prevent directory listings, but I prefer Robert's solution since it is much more flexible.
His code is missing any licensing terms though, so I don't know whether we can just integrate it.

Uli



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable



    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773893#action_12773893 ]

Thiago H. de Paula Figueiredo commented on TAP5-815:
----------------------------------------------------

I don't think Robert's solution is enough, as attackers can still guess some files location (hibernate.cfg.xml and web.xml, for example) even without the directory listing. I think a viable solution would be the one I proposed in the first comment.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable



    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773897#action_12773897 ]

Igor Drobiazko commented on TAP5-815:
-------------------------------------

So you prefer the ResourceDigestGenerator solution described by Ulrich? What about your concerns in TAP5-896? No more concerns?

As Ulrich suggested creating a digest for context assets seems to be ok.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable



    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773900#action_12773900 ]

Christian Riedel commented on TAP5-815:
---------------------------------------

I don't think Robert's solution wouldn't make anything available because it's whitelist-based. Or did I miss something?



[jira] Issue Comment Edited: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable



    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773900#action_12773900 ]

Christian Riedel edited comment on TAP5-815 at 11/5/09 11:31 AM:
-----------------------------------------------------------------

I don't think Robert's solution would make anything available because it's whitelist-based. Or did I miss something?

      was (Author: cbln):
    I don't think Robert's solution wouldn't make anything available because it's whitelist-based. Or did I miss something?
 



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

by JIRA jira@apache.org


    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773906#action_12773906 ]

Ulrich Stärk commented on TAP5-815:
-----------------------------------

No you didn't. Robert's solution includes a whitelist approach. It should protect anything that's not explicitly allowed, including xml files such as those mentioned by Thiago.

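Added example (not Tapestry's own code, and not Robert's patch, which is not shown in this thread) of the whitelist approach Ulrich describes: a default-deny check on the path part of a context asset request, which rejects the bare directory request from the report and anything not explicitly allowed. The class name and the set of allowed extensions are assumptions.

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical allow-list check for the path that follows the "/assets/ctx/<digest>/" prefix.
public final class ContextAssetWhitelist {
    // Assumed allow-list: only static file types a page is expected to reference.
    // Anything else (xml, jsp, properties, class files, ...) is denied without being named.
    private static final Set<String> ALLOWED_EXTENSIONS =
            Set.of("css", "js", "png", "gif", "jpg", "ico");
    // Each path segment must be plain; no separators, encoded characters or whitespace.
    private static final Pattern SAFE_SEGMENT = Pattern.compile("[A-Za-z0-9_.-]+");

    /** True only when the path names a single file whose extension is explicitly allowed. */
    public static boolean isAllowed(String path) {
        // Empty path or trailing slash is a directory request; TAP5-815 is exactly that case.
        if (path == null || path.isEmpty() || path.endsWith("/")) {
            return false;
        }
        String[] segments = path.split("/", -1);
        for (String segment : segments) {
            if (!SAFE_SEGMENT.matcher(segment).matches()) return false; // "", "a b", "%2e%2e", ...
            if (segment.equals(".") || segment.equals("..")) return false; // traversal
            if (segment.startsWith(".")) return false; // dot files such as .htaccess
        }
        String file = segments[segments.length - 1];
        int dot = file.lastIndexOf('.');
        if (dot < 1 || dot == file.length() - 1) return false; // no usable extension
        String ext = file.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ALLOWED_EXTENSIONS.contains(ext);
    }

    public static void main(String[] args) {
        // Constructed sample paths; the first is the legitimate asset from the report.
        String[] samples = {
            "css/main.css",         // allowed
            "",                     // directory listing request: denied
            "css/",                 // directory listing request: denied
            "WEB-INF/web.xml",      // denied because xml is not allow-listed
            "../WEB-INF/web.xml",   // denied by the traversal check as well
            "images/logo.PNG"       // allowed; extension compared case-insensitively
        };
        for (String p : samples) {
            System.out.println((isAllowed(p) ? "allow " : "deny  ") + "\"" + p + "\"");
        }
    }
}
```

Because the decision is made on the extension of an explicitly named file, protecting WEB-INF needs no dedicated rule; an allow-list keeps that property when new directories are added to the webapp, whereas a deny-list has to be updated.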


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

by JIRA jira@apache.org


    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773907#action_12773907 ]

Thiago H. de Paula Figueiredo commented on TAP5-815:
----------------------------------------------------

I'm sorry. I was talking about Christian Köberl's solution, not Robert's. In fact, I completely agree with Robert's approach. That's exactly what I would do. It's the approach I use in my Tapestry Access Logger package to define what URLs are logged and what aren't.

