Merge pull request from GHSA-wg4c-c9g9-rxhx

joshuaboniface · web-flow · commit fe8cf29cad2c · 2021-03-21T19:12:14.000-04:00
Fix issues 1 through 5 from GHSL-2021-050
diff --git a/Jellyfin.Api/Controllers/HlsSegmentController.cs b/Jellyfin.Api/Controllers/HlsSegmentController.cs
@@ -61,7 +61,13 @@ public ActionResult GetHlsAudioSegmentLegacy([FromRoute, Required] string itemId
         {
             // TODO: Deprecate with new iOS app
             var file = segmentId + Path.GetExtension(Request.Path);
-            file = Path.Combine(_serverConfigurationManager.GetTranscodePath(), file);
+            var transcodePath = _serverConfigurationManager.GetTranscodePath();
+            file = Path.GetFullPath(Path.Combine(transcodePath, file));
+            var fileDir = Path.GetDirectoryName(file);
+            if (string.IsNullOrEmpty(fileDir) || !fileDir.StartsWith(transcodePath))
+            {
+                return BadRequest("Invalid segment.");
+            }
 
             return FileStreamResponseHelpers.GetStaticFileResult(file, MimeTypes.GetMimeType(file)!, false, HttpContext);
         }
@@ -81,7 +87,13 @@ public ActionResult GetHlsAudioSegmentLegacy([FromRoute, Required] string itemId
         public ActionResult GetHlsPlaylistLegacy([FromRoute, Required] string itemId, [FromRoute, Required] string playlistId)
         {
             var file = playlistId + Path.GetExtension(Request.Path);
-            file = Path.Combine(_serverConfigurationManager.GetTranscodePath(), file);
+            var transcodePath = _serverConfigurationManager.GetTranscodePath();
+            file = Path.GetFullPath(Path.Combine(transcodePath, file));
+            var fileDir = Path.GetDirectoryName(file);
+            if (string.IsNullOrEmpty(fileDir) || !fileDir.StartsWith(transcodePath) || Path.GetExtension(file) != ".m3u8")
+            {
+                return BadRequest("Invalid segment.");
+            }
 
             return GetFileResult(file, file);
         }
@@ -130,7 +142,12 @@ public ActionResult GetHlsVideoSegmentLegacy(
             var file = segmentId + Path.GetExtension(Request.Path);
             var transcodeFolderPath = _serverConfigurationManager.GetTranscodePath();
 
-            file = Path.Combine(transcodeFolderPath, file);
+            file = Path.GetFullPath(Path.Combine(transcodeFolderPath, file));
+            var fileDir = Path.GetDirectoryName(file);
+            if (string.IsNullOrEmpty(fileDir) || !fileDir.StartsWith(transcodeFolderPath))
+            {
+                return BadRequest("Invalid segment.");
+            }
 
             var normalizedPlaylistId = playlistId;
 
diff --git a/Jellyfin.Api/Controllers/ImageByNameController.cs b/Jellyfin.Api/Controllers/ImageByNameController.cs
@@ -74,14 +74,19 @@ public ActionResult GetGeneralImage([FromRoute, Required] string name, [FromRout
                 : type;
 
             var path = BaseItem.SupportedImageExtensions
-                .Select(i => Path.Combine(_applicationPaths.GeneralPath, name, filename + i))
+                .Select(i => Path.GetFullPath(Path.Combine(_applicationPaths.GeneralPath, name, filename + i)))
                 .FirstOrDefault(System.IO.File.Exists);
 
             if (path == null)
             {
                 return NotFound();
             }
 
+            if (!path.StartsWith(_applicationPaths.GeneralPath))
+            {
+                return BadRequest("Invalid image path.");
+            }
+
             var contentType = MimeTypes.GetMimeType(path);
             return File(System.IO.File.OpenRead(path), contentType);
         }
@@ -163,27 +168,39 @@ public ActionResult GetMediaInfoImage(
         /// <returns>A <see cref="FileStreamResult"/> containing the image contents on success, or a <see cref="NotFoundResult"/> if the image could not be found.</returns>
         private ActionResult GetImageFile(string basePath, string theme, string? name)
         {
-            var themeFolder = Path.Combine(basePath, theme);
+            var themeFolder = Path.GetFullPath(Path.Combine(basePath, theme));
+
             if (Directory.Exists(themeFolder))
             {
                 var path = BaseItem.SupportedImageExtensions.Select(i => Path.Combine(themeFolder, name + i))
                     .FirstOrDefault(System.IO.File.Exists);
 
                 if (!string.IsNullOrEmpty(path) && System.IO.File.Exists(path))
                 {
+                    if (!path.StartsWith(basePath))
+                    {
+                        return BadRequest("Invalid image path.");
+                    }
+
                     var contentType = MimeTypes.GetMimeType(path);
+
                     return PhysicalFile(path, contentType);
                 }
             }
 
-            var allFolder = Path.Combine(basePath, "all");
+            var allFolder = Path.GetFullPath(Path.Combine(basePath, "all"));
             if (Directory.Exists(allFolder))
             {
                 var path = BaseItem.SupportedImageExtensions.Select(i => Path.Combine(allFolder, name + i))
                     .FirstOrDefault(System.IO.File.Exists);
 
                 if (!string.IsNullOrEmpty(path) && System.IO.File.Exists(path))
                 {
+                    if (!path.StartsWith(basePath))
+                    {
+                        return BadRequest("Invalid image path.");
+                    }
+
                     var contentType = MimeTypes.GetMimeType(path);
                     return PhysicalFile(path, contentType);
                 }
diff --git a/MediaBrowser.Providers/Subtitles/SubtitleManager.cs b/MediaBrowser.Providers/Subtitles/SubtitleManager.cs
@@ -205,12 +205,30 @@ private async Task TrySaveSubtitle(
 
                 if (saveInMediaFolder)
                 {
-                    savePaths.Add(Path.Combine(video.ContainingFolderPath, saveFileName));
+                    var mediaFolderPath = Path.GetFullPath(Path.Combine(video.ContainingFolderPath, saveFileName));
+                    // TODO: Add some error handling to the API user: return BadRequest("Could not save subtitle, bad path.");
+                    if (mediaFolderPath.StartsWith(video.ContainingFolderPath))
+                    {
+                        savePaths.Add(mediaFolderPath);
+                    }
                 }
 
-                savePaths.Add(Path.Combine(video.GetInternalMetadataPath(), saveFileName));
+                var internalPath = Path.GetFullPath(Path.Combine(video.GetInternalMetadataPath(), saveFileName));
+
+                // TODO: Add some error to the user: return BadRequest("Could not save subtitle, bad path.");
+                if (internalPath.StartsWith(video.GetInternalMetadataPath()))
+                {
+                    savePaths.Add(internalPath);
+                }
 
-                await TrySaveToFiles(memoryStream, savePaths).ConfigureAwait(false);
+                if (savePaths.Count > 0)
+                {
+                    await TrySaveToFiles(memoryStream, savePaths).ConfigureAwait(false);
+                }
+                else
+                {
+                    _logger.LogError("An uploaded subtitle could not be saved because the resulting paths were invalid.");
+                }
             }
         }
 

Original file line number	Diff line number	Diff line change
`@@ -74,14 +74,19 @@ public ActionResult GetGeneralImage([FromRoute, Required] string name, [FromRout`
`74`	`74`	`: type;`
`75`	`75`
`76`	`76`	`var path = BaseItem.SupportedImageExtensions`
`77`		`- .Select(i => Path.Combine(_applicationPaths.GeneralPath, name, filename + i))`
	`77`	`+ .Select(i => Path.GetFullPath(Path.Combine(_applicationPaths.GeneralPath, name, filename + i)))`
`78`	`78`	`.FirstOrDefault(System.IO.File.Exists);`
`79`	`79`
`80`	`80`	`if (path == null)`
`81`	`81`	`{`
`82`	`82`	`return NotFound();`
`83`	`83`	`}`
`84`	`84`
	`85`	`+ if (!path.StartsWith(_applicationPaths.GeneralPath))`
	`86`	`+ {`
	`87`	`+ return BadRequest("Invalid image path.");`
	`88`	`+ }`
	`89`	`+`
`85`	`90`	`var contentType = MimeTypes.GetMimeType(path);`
`86`	`91`	`return File(System.IO.File.OpenRead(path), contentType);`
`87`	`92`	`}`
`@@ -163,27 +168,39 @@ public ActionResult GetMediaInfoImage(`
`163`	`168`	`/// <returns>A <see cref="FileStreamResult"/> containing the image contents on success, or a <see cref="NotFoundResult"/> if the image could not be found.</returns>`
`164`	`169`	`private ActionResult GetImageFile(string basePath, string theme, string? name)`
`165`	`170`	`{`
`166`		`- var themeFolder = Path.Combine(basePath, theme);`
	`171`	`+ var themeFolder = Path.GetFullPath(Path.Combine(basePath, theme));`
	`172`	`+`
`167`	`173`	`if (Directory.Exists(themeFolder))`
`168`	`174`	`{`
`169`	`175`	`var path = BaseItem.SupportedImageExtensions.Select(i => Path.Combine(themeFolder, name + i))`
`170`	`176`	`.FirstOrDefault(System.IO.File.Exists);`
`171`	`177`
`172`	`178`	`if (!string.IsNullOrEmpty(path) && System.IO.File.Exists(path))`
`173`	`179`	`{`
	`180`	`+ if (!path.StartsWith(basePath))`
	`181`	`+ {`
	`182`	`+ return BadRequest("Invalid image path.");`
	`183`	`+ }`
	`184`	`+`
`174`	`185`	`var contentType = MimeTypes.GetMimeType(path);`
	`186`	`+`
`175`	`187`	`return PhysicalFile(path, contentType);`
`176`	`188`	`}`
`177`	`189`	`}`
`178`	`190`
`179`		`- var allFolder = Path.Combine(basePath, "all");`
	`191`	`+ var allFolder = Path.GetFullPath(Path.Combine(basePath, "all"));`
`180`	`192`	`if (Directory.Exists(allFolder))`
`181`	`193`	`{`
`182`	`194`	`var path = BaseItem.SupportedImageExtensions.Select(i => Path.Combine(allFolder, name + i))`
`183`	`195`	`.FirstOrDefault(System.IO.File.Exists);`
`184`	`196`
`185`	`197`	`if (!string.IsNullOrEmpty(path) && System.IO.File.Exists(path))`
`186`	`198`	`{`
	`199`	`+ if (!path.StartsWith(basePath))`
	`200`	`+ {`
	`201`	`+ return BadRequest("Invalid image path.");`
	`202`	`+ }`
	`203`	`+`
`187`	`204`	`var contentType = MimeTypes.GetMimeType(path);`
`188`	`205`	`return PhysicalFile(path, contentType);`
`189`	`206`	`}`