StaticHandler should encode file names in directory listing

If the file name is not properly encoded, malicious Javascript code could be executed.

Signed-off-by: Thomas Segismont <[email protected]>

Author: tsegismont

vertx-web/src/main/java/io/vertx/ext/web/handler/impl/ErrorHandlerImpl.java

@@ -26,6 +26,7 @@
 import io.vertx.ext.web.MIMEHeader;
 import io.vertx.ext.web.RoutingContext;
 import io.vertx.ext.web.handler.ErrorHandler;
+import io.vertx.ext.web.impl.Utils;
 
 import java.nio.charset.StandardCharsets;
 import java.util.List;
@@ -151,7 +152,7 @@ private boolean sendError(RoutingContext context, String mime, int errorCode) {
         for (StackTraceElement elem : exception.getStackTrace()) {
           stack
             .append("<li>")
-            .append(escapeHTML(elem.toString()))
+            .append(Utils.escapeHTML(elem.toString()))
             .append("</li>");
         }
       }
@@ -200,33 +201,13 @@ private boolean sendError(RoutingContext context, String mime, int errorCode) {
     return false;
   }
 
-  /**
-   * Very incomplete html escape that will escape the most common characters on error messages.
-   * This is to avoid pulling a full dependency to perform a compliant escape. Error messages
-   * are created by developers as such that they should not be to complex for logging.
-   */
-  private static String escapeHTML(String s) {
-    StringBuilder out = new StringBuilder(Math.max(16, s.length()));
-    for (int i = 0; i < s.length(); i++) {
-      char c = s.charAt(i);
-      if (c > 127 || c == '"' || c == '\'' || c == '<' || c == '>' || c == '&') {
-        out.append("&#");
-        out.append((int) c);
-        out.append(';');
-      } else {
-        out.append(c);
-      }
-    }
-    return out.toString();
-  }
-
   private static String htmlFormat(String errorMessage) {
     if (errorMessage == null) {
       return "";
     }
 
     // step #1 (escape html entities)
-    String escaped = escapeHTML(errorMessage);
+    String escaped = Utils.escapeHTML(errorMessage);
     // step #2 (replace line endings with breaks)
     return escaped.replaceAll("\\r?\\n", "<br>");
   }

vertx-web/src/main/java/io/vertx/ext/web/handler/impl/StaticHandlerImpl.java

@@ -16,37 +16,13 @@
 
 package io.vertx.ext.web.handler.impl;
 
-import static io.netty.handler.codec.http.HttpResponseStatus.FORBIDDEN;
-import static io.netty.handler.codec.http.HttpResponseStatus.NOT_MODIFIED;
-import static io.netty.handler.codec.http.HttpResponseStatus.PARTIAL_CONTENT;
-import static io.netty.handler.codec.http.HttpResponseStatus.REQUESTED_RANGE_NOT_SATISFIABLE;
-
-import java.io.File;
-import java.nio.charset.Charset;
-import java.nio.charset.StandardCharsets;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Objects;
-import java.util.Set;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
 import io.vertx.core.AsyncResult;
 import io.vertx.core.Future;
 import io.vertx.core.Handler;
 import io.vertx.core.MultiMap;
 import io.vertx.core.file.FileProps;
 import io.vertx.core.file.FileSystem;
-import io.vertx.core.http.HttpHeaders;
-import io.vertx.core.http.HttpMethod;
-import io.vertx.core.http.HttpServerRequest;
-import io.vertx.core.http.HttpServerResponse;
-import io.vertx.core.http.HttpVersion;
+import io.vertx.core.http.*;
 import io.vertx.core.http.impl.HttpUtils;
 import io.vertx.core.http.impl.MimeMapping;
 import io.vertx.core.impl.logging.Logger;
@@ -62,6 +38,15 @@
 import io.vertx.ext.web.impl.ParsableMIMEValue;
 import io.vertx.ext.web.impl.Utils;
 
+import java.io.File;
+import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
+import java.util.*;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import static io.netty.handler.codec.http.HttpResponseStatus.*;
+
 /**
  * Static web server
  * Parts derived from Yoke
@@ -763,11 +748,13 @@ private void sendDirectoryListing(FileSystem fileSystem, String dir, RoutingCont
               }
               files.append("<li><a href=\"");
               files.append(normalizedDir);
-              files.append(file);
+              String encodedUriPath = Utils.encodeUriPath(file);
+              files.append(encodedUriPath);
               files.append("\" title=\"");
-              files.append(file);
+              String escapedHTML = Utils.escapeHTML(file);
+              files.append(escapedHTML);
               files.append("\">");
-              files.append(file);
+              files.append(escapedHTML);
               files.append("</a></li>");
             }
 

vertx-web/src/main/java/io/vertx/ext/web/impl/Utils.java

@@ -24,6 +24,8 @@
 import io.vertx.ext.web.Route;
 import io.vertx.ext.web.RoutingContext;
 
+import java.io.ByteArrayOutputStream;
+import java.nio.charset.StandardCharsets;
 import java.time.Instant;
 import java.time.LocalDateTime;
 import java.time.ZoneId;
@@ -234,4 +236,68 @@ public static boolean fresh(RoutingContext ctx, long lastModified) {
 
     return true;
   }
+
+  /**
+   * Very incomplete html escape that will escape the most common characters on error messages.
+   * This is to avoid pulling a full dependency to perform a compliant escape. Error messages
+   * are created by developers as such that they should not be to complex for logging.
+   */
+  public static String escapeHTML(String s) {
+    StringBuilder out = new StringBuilder(Math.max(16, s.length()));
+    for (int i = 0; i < s.length(); i++) {
+      char c = s.charAt(i);
+      if (c > 127 || c == '"' || c == '\'' || c == '<' || c == '>' || c == '&') {
+        out.append("&#");
+        out.append((int) c);
+        out.append(';');
+      } else {
+        out.append(c);
+      }
+    }
+    return out.toString();
+  }
+
+  /**
+   * Encode the given URI path by replacing special characters as defined by RFC3986.
+   * Adapted from Spring <a href="https://github.com/spring-projects/spring-framework/blob/16edf9867a143f95cefadb7b2115dcbbf624e176/spring-web/src/main/java/org/springframework/web/util/UriUtils.java#L179">UriUtils</a> code.
+   */
+  public static String encodeUriPath(String path) {
+    byte[] bytes = path.getBytes(StandardCharsets.UTF_8);
+    boolean needsReplacement = false;
+    for (byte b : bytes) {
+      if (isAllowedForPath(b)) {
+        needsReplacement = true;
+        break;
+      }
+    }
+    if (!needsReplacement) {
+      return path;
+    }
+    return replaceCharactersForUriPath(bytes);
+  }
+
+  private static String replaceCharactersForUriPath(byte[] bytes) {
+    // Create a buffer at least twice as big as the original byte array length.
+    // BAOS would double the buffer size the first time the min capacity is bigger than the current length anyway.
+    ByteArrayOutputStream baos = new ByteArrayOutputStream(2 * bytes.length);
+    for (byte b : bytes) {
+      if (isAllowedForPath(b)) {
+        baos.write(b);
+      } else {
+        baos.write('%');
+        baos.write(Character.toUpperCase(Character.forDigit((b >> 4) & 0xF, 16)));
+        baos.write(Character.toUpperCase(Character.forDigit(b & 0xF, 16)));
+      }
+    }
+    return new String(baos.toByteArray(), StandardCharsets.UTF_8);
+  }
+
+  private static boolean isAllowedForPath(byte c) {
+    return (c >= 'a' && c <= 'z')
+      || (c >= 'A' && c <= 'Z')
+      || (c >= '0' && c <= '9')
+      || '-' == c || '.' == c || '_' == c || '~' == c || '!' == c || '$' == c || '&' == c || '\'' == c
+      || '(' == c || ')' == c || '*' == c || '+' == c || ',' == c || ';' == c || '=' == c || ':' == c
+      || '@' == c || '/' == c;
+  }
 }

vertx-web/src/test/java/io/vertx/ext/web/handler/StaticHandlerTest.java

@@ -16,6 +16,7 @@
 
 package io.vertx.ext.web.handler;
 
+import io.netty.util.internal.PlatformDependent;
 import io.vertx.core.*;
 import io.vertx.core.http.*;
 import io.vertx.core.json.JsonArray;
@@ -25,12 +26,14 @@
 import io.vertx.ext.web.Router;
 import io.vertx.ext.web.WebTestBase;
 import io.vertx.ext.web.impl.Utils;
+import org.junit.Assume;
 import org.junit.Test;
 
 import java.io.File;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
+import java.nio.file.Path;
 import java.util.*;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.atomic.AtomicBoolean;
@@ -644,7 +647,9 @@ public void testDirectoryListingJsonNoHidden() throws Exception {
   public void testDirectoryListingHtml() throws Exception {
     stat.setDirectoryListing(true);
 
-    testDirectoryListingHtmlCustomTemplate("META-INF/vertx/web/vertx-web-directory.html");
+    testDirectoryListingHtmlCustomTemplate("META-INF/vertx/web/vertx-web-directory.html", "/somedir2/", "<a href=\"/\">..</a>", "<ul id=\"files\"><li><a href=\"/somedir2/foo2.json\" title=\"foo2.json\">foo2.json</a></li>" +
+      "<li><a href=\"/somedir2/somepage.html\" title=\"somepage.html\">somepage.html</a></li>" +
+      "<li><a href=\"/somedir2/somepage2.html\" title=\"somepage2.html\">somepage2.html</a></li></ul>");
   }
 
   @Test
@@ -653,23 +658,40 @@ public void testCustomDirectoryListingHtml() throws Exception {
     String dirTemplate = "custom_dir_template.html";
     stat.setDirectoryTemplate(dirTemplate);
 
-    testDirectoryListingHtmlCustomTemplate(dirTemplate);
+    testDirectoryListingHtmlCustomTemplate(dirTemplate, "/somedir2/", "<a href=\"/\">..</a>", "<ul id=\"files\"><li><a href=\"/somedir2/foo2.json\" title=\"foo2.json\">foo2.json</a></li>" +
+      "<li><a href=\"/somedir2/somepage.html\" title=\"somepage.html\">somepage.html</a></li>" +
+      "<li><a href=\"/somedir2/somepage2.html\" title=\"somepage2.html\">somepage2.html</a></li></ul>");
   }
 
-  private void testDirectoryListingHtmlCustomTemplate(String dirTemplateFile) throws Exception {
+  @Test
+  public void testCustomDirectoryListingHtmlEscaping() throws Exception {
+    Assume.assumeFalse(PlatformDependent.isWindows());
+
+    File testDir = new File("target/test-classes/webroot/dirxss");
+    Files.createDirectories(testDir.toPath());
+    File dangerousFile = new File(testDir, "<img src=x onerror=alert('XSS-FILE')>.txt");
+    Path dangerousFilePath = dangerousFile.toPath();
+    Files.deleteIfExists(dangerousFilePath);
+    Files.createFile(dangerousFilePath);
+
     stat.setDirectoryListing(true);
 
+    testDirectoryListingHtmlCustomTemplate(
+      "META-INF/vertx/web/vertx-web-directory.html",
+      "/dirxss/",
+      "<a href=\"/\">..</a>",
+      "<ul id=\"files\"><li><a href=\"/dirxss/%3Cimg%20src=x%20onerror=alert('XSS-FILE')%3E.txt\" title=\"&#60;img src=x onerror=alert(&#39;XSS-FILE&#39;)&#62;.txt\">&#60;img src=x onerror=alert(&#39;XSS-FILE&#39;)&#62;.txt</a></li></ul>");
+  }
 
-    String directoryTemplate = vertx.fileSystem().readFileBlocking(dirTemplateFile).toString();
+  private void testDirectoryListingHtmlCustomTemplate(String dirTemplateFile, String path, String parentLink, String files) throws Exception {
+    stat.setDirectoryListing(true);
 
-    String parentLink = "<a href=\"/\">..</a>";
-    String files = "<ul id=\"files\"><li><a href=\"/somedir2/foo2.json\" title=\"foo2.json\">foo2.json</a></li>" +
-      "<li><a href=\"/somedir2/somepage.html\" title=\"somepage.html\">somepage.html</a></li>" +
-      "<li><a href=\"/somedir2/somepage2.html\" title=\"somepage2.html\">somepage2.html</a></li></ul>";
 
-    String expected = directoryTemplate.replace("{directory}", "/somedir2/").replace("{parent}", parentLink).replace("{files}", files);
+    String directoryTemplate = vertx.fileSystem().readFileBlocking(dirTemplateFile).toString();
+
+    String expected = directoryTemplate.replace("{directory}", path).replace("{parent}", parentLink).replace("{files}", files);
 
-    testRequest(HttpMethod.GET, "/somedir2/", req -> req.putHeader("accept", "text/html"), resp -> resp.bodyHandler(buff -> {
+    testRequest(HttpMethod.GET, path, req -> req.putHeader("accept", "text/html"), resp -> resp.bodyHandler(buff -> {
       assertEquals("text/html", resp.headers().get("content-type"));
       String sBuff = buff.toString();
       assertEquals(expected, sBuff);