Add DLL whitelist support for plugins

This commit is contained in:
AmbulantRex 2023-03-30 08:59:21 -06:00
parent d45cabfa74
commit 891b9f7a99
8 changed files with 375 additions and 26 deletions

View File

@ -1,6 +1,9 @@
using System;
using System.Diagnostics.CodeAnalysis;
using System.IO;
using System.Linq;
using MediaBrowser.Common.Providers;
using Nikse.SubtitleEdit.Core.Common;
namespace Emby.Server.Implementations.Library
{
@ -86,24 +89,8 @@ namespace Emby.Server.Implementations.Library
return false;
}
char oldDirectorySeparatorChar;
char newDirectorySeparatorChar;
// True normalization is still not possible https://github.com/dotnet/runtime/issues/2162
// The reasoning behind this is that a forward slash likely means it's a Linux path and
// so the whole path should be normalized to use / and vice versa for Windows (although Windows doesn't care much).
if (newSubPath.Contains('/', StringComparison.Ordinal))
{
oldDirectorySeparatorChar = '\\';
newDirectorySeparatorChar = '/';
}
else
{
oldDirectorySeparatorChar = '/';
newDirectorySeparatorChar = '\\';
}
path = path.Replace(oldDirectorySeparatorChar, newDirectorySeparatorChar);
subPath = subPath.Replace(oldDirectorySeparatorChar, newDirectorySeparatorChar);
subPath = subPath.NormalizePath(out var newDirectorySeparatorChar)!;
path = path.NormalizePath(newDirectorySeparatorChar)!;
// We have to ensure that the sub path ends with a directory separator otherwise we'll get weird results
// when the sub path matches a similar but in-complete subpath
@ -120,12 +107,86 @@ namespace Emby.Server.Implementations.Library
return false;
}
var newSubPathTrimmed = newSubPath.AsSpan().TrimEnd(newDirectorySeparatorChar);
var newSubPathTrimmed = newSubPath.AsSpan().TrimEnd((char)newDirectorySeparatorChar!);
// Ensure that the path with the old subpath removed starts with a leading dir separator
int idx = oldSubPathEndsWithSeparator ? subPath.Length - 1 : subPath.Length;
newPath = string.Concat(newSubPathTrimmed, path.AsSpan(idx));
return true;
}
/// <summary>
/// Retrieves the full resolved path and normalizes path separators to the <see cref="Path.DirectorySeparatorChar"/>.
/// </summary>
/// <param name="path">The path to canonicalize.</param>
/// <returns>The fully expanded, normalized path.</returns>
public static string Canonicalize(this string path)
{
return Path.GetFullPath(path).NormalizePath()!;
}
/// <summary>
/// Normalizes the path's directory separator character to the currently defined <see cref="Path.DirectorySeparatorChar"/>.
/// </summary>
/// <param name="path">The path to normalize.</param>
/// <returns>The normalized path string or <see langword="null"/> if the input path is null or empty.</returns>
public static string? NormalizePath(this string? path)
{
return path.NormalizePath(Path.DirectorySeparatorChar);
}
/// <summary>
/// Normalizes the path's directory separator character.
/// </summary>
/// <param name="path">The path to normalize.</param>
/// <param name="separator">The separator character the path now uses or <see langword="null"/>.</param>
/// <returns>The normalized path string or <see langword="null"/> if the input path is null or empty.</returns>
public static string? NormalizePath(this string? path, out char separator)
{
if (string.IsNullOrEmpty(path))
{
separator = default;
return path;
}
var newSeparator = '\\';
// True normalization is still not possible https://github.com/dotnet/runtime/issues/2162
// The reasoning behind this is that a forward slash likely means it's a Linux path and
// so the whole path should be normalized to use / and vice versa for Windows (although Windows doesn't care much).
if (path.Contains('/', StringComparison.Ordinal))
{
newSeparator = '/';
}
separator = newSeparator;
return path?.NormalizePath(newSeparator);
}
/// <summary>
/// Normalizes the path's directory separator character to the specified character.
/// </summary>
/// <param name="path">The path to normalize.</param>
/// <param name="newSeparator">The replacement directory separator character. Must be a valid directory separator.</param>
/// <returns>The normalized path.</returns>
/// <exception cref="ArgumentException">Thrown if the new separator character is not a directory separator.</exception>
public static string? NormalizePath(this string? path, char newSeparator)
{
const char Bs = '\\';
const char Fs = '/';
if (!(newSeparator == Bs || newSeparator == Fs))
{
throw new ArgumentException("The character must be a directory separator.");
}
if (string.IsNullOrEmpty(path))
{
return path;
}
return newSeparator == Bs ? path?.Replace(Fs, newSeparator) : path?.Replace(Bs, newSeparator);
}
}
}

View File

@ -1,5 +1,6 @@
using System;
using System.Collections.Generic;
using System.Data;
using System.Globalization;
using System.IO;
using System.Linq;
@ -9,6 +10,8 @@ using System.Runtime.Loader;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Emby.Server.Implementations.Library;
using Jellyfin.Extensions;
using Jellyfin.Extensions.Json;
using Jellyfin.Extensions.Json.Converters;
using MediaBrowser.Common;
@ -19,8 +22,11 @@ using MediaBrowser.Model.Configuration;
using MediaBrowser.Model.IO;
using MediaBrowser.Model.Plugins;
using MediaBrowser.Model.Updates;
using Microsoft.AspNetCore.Mvc.ApplicationParts;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Nikse.SubtitleEdit.Core.Common;
using SQLitePCL.pretty;
namespace Emby.Server.Implementations.Plugins
{
@ -44,7 +50,7 @@ namespace Emby.Server.Implementations.Plugins
/// <summary>
/// Initializes a new instance of the <see cref="PluginManager"/> class.
/// </summary>
/// <param name="logger">The <see cref="ILogger"/>.</param>
/// <param name="logger">The <see cref="ILogger{PluginManager}"/>.</param>
/// <param name="appHost">The <see cref="IApplicationHost"/>.</param>
/// <param name="config">The <see cref="ServerConfiguration"/>.</param>
/// <param name="pluginsPath">The plugin path.</param>
@ -424,7 +430,8 @@ namespace Emby.Server.Implementations.Plugins
Version = versionInfo.Version,
Status = status == PluginStatus.Disabled ? PluginStatus.Disabled : PluginStatus.Active, // Keep disabled state.
AutoUpdate = true,
ImagePath = imagePath
ImagePath = imagePath,
Assemblies = versionInfo.Assemblies
};
return SaveManifest(manifest, path);
@ -688,7 +695,15 @@ namespace Emby.Server.Implementations.Plugins
var entry = versions[x];
if (!string.Equals(lastName, entry.Name, StringComparison.OrdinalIgnoreCase))
{
entry.DllFiles = Directory.GetFiles(entry.Path, "*.dll", SearchOption.AllDirectories);
if (!TryGetPluginDlls(entry, out var allowedDlls))
{
_logger.LogError("One or more assembly paths was invalid. Marking plugin {Plugin} as \"Malfunctioned\".", entry.Name);
ChangePluginState(entry, PluginStatus.Malfunctioned);
continue;
}
entry.DllFiles = allowedDlls;
if (entry.IsEnabledAndSupported)
{
lastName = entry.Name;
@ -734,6 +749,68 @@ namespace Emby.Server.Implementations.Plugins
return versions.Where(p => p.DllFiles.Count != 0);
}
/// <summary>
/// Attempts to retrieve valid DLLs from the plugin path. This method will consider the assembly whitelist
/// from the manifest.
/// </summary>
/// <remarks>
/// Loading DLLs from externally supplied paths introduces a path traversal risk. This method
/// uses a safelisting tactic of considering DLLs from the plugin directory and only using
/// the plugin's canonicalized assembly whitelist for comparison. See
/// <see href="https://owasp.org/www-community/attacks/Path_Traversal"/> for more details.
/// </remarks>
/// <param name="plugin">The plugin.</param>
/// <param name="whitelistedDlls">The whitelisted DLLs. If the method returns <see langword="false"/>, this will be empty.</param>
/// <returns>
/// <see langword="true"/> if all assemblies listed in the manifest were available in the plugin directory.
/// <see langword="false"/> if any assemblies were invalid or missing from the plugin directory.
/// </returns>
/// <exception cref="ArgumentNullException">If the <see cref="LocalPlugin"/> is null.</exception>
private bool TryGetPluginDlls(LocalPlugin plugin, out IReadOnlyList<string> whitelistedDlls)
{
_ = plugin ?? throw new ArgumentNullException(nameof(plugin));
IReadOnlyList<string> pluginDlls = Directory.GetFiles(plugin.Path, "*.dll", SearchOption.AllDirectories);
whitelistedDlls = Array.Empty<string>();
if (pluginDlls.Count > 0 && plugin.Manifest.Assemblies.Count > 0)
{
_logger.LogInformation("Registering whitelisted assemblies for plugin \"{Plugin}\"...", plugin.Name);
var canonicalizedPaths = new List<string>();
foreach (var path in plugin.Manifest.Assemblies)
{
var canonicalized = Path.Combine(plugin.Path, path).Canonicalize();
// Ensure we stay in the plugin directory.
if (!canonicalized.StartsWith(plugin.Path.NormalizePath()!, StringComparison.Ordinal))
{
_logger.LogError("Assembly path {Path} is not inside the plugin directory.", path);
return false;
}
canonicalizedPaths.Add(canonicalized);
}
var intersected = pluginDlls.Intersect(canonicalizedPaths).ToList();
if (intersected.Count != canonicalizedPaths.Count)
{
_logger.LogError("Plugin {Plugin} contained assembly paths that were not found in the directory.", plugin.Name);
return false;
}
whitelistedDlls = intersected;
}
else
{
// No whitelist, default to loading all DLLs in plugin directory.
whitelistedDlls = pluginDlls;
}
return true;
}
/// <summary>
/// Changes the status of the other versions of the plugin to "Superceded".
/// </summary>

View File

@ -1,4 +1,5 @@
using System;
using System.Collections.Generic;
using System.Text.Json.Serialization;
using MediaBrowser.Model.Plugins;
@ -23,6 +24,7 @@ namespace MediaBrowser.Common.Plugins
Overview = string.Empty;
TargetAbi = string.Empty;
Version = string.Empty;
Assemblies = new List<string>();
}
/// <summary>
@ -104,5 +106,12 @@ namespace MediaBrowser.Common.Plugins
/// </summary>
[JsonPropertyName("imagePath")]
public string? ImagePath { get; set; }
/// <summary>
/// Gets or sets the collection of assemblies that should be loaded.
/// Paths are considered relative to the plugin folder.
/// </summary>
[JsonPropertyName("assemblies")]
public IList<string> Assemblies { get; set; }
}
}

View File

@ -1,3 +1,5 @@
using System;
using System.Collections.Generic;
using System.Text.Json.Serialization;
using SysVersion = System.Version;
@ -73,5 +75,11 @@ namespace MediaBrowser.Model.Updates
/// </summary>
[JsonPropertyName("repositoryUrl")]
public string RepositoryUrl { get; set; } = string.Empty;
/// <summary>
/// Gets or sets the assemblies whitelist for this version.
/// </summary>
[JsonPropertyName("assemblies")]
public IList<string> Assemblies { get; set; } = Array.Empty<string>();
}
}

View File

@ -1,4 +1,5 @@
using System;
using System.IO;
using Emby.Server.Implementations.Library;
using Xunit;
@ -73,5 +74,47 @@ namespace Jellyfin.Server.Implementations.Tests.Library
Assert.False(PathExtensions.TryReplaceSubPath(path, subPath, newSubPath, out var result));
Assert.Null(result);
}
[Theory]
[InlineData(null, '/', null)]
[InlineData(null, '\\', null)]
[InlineData("/home/jeff/myfile.mkv", '\\', "\\home\\jeff\\myfile.mkv")]
[InlineData("C:\\Users\\Jeff\\myfile.mkv", '/', "C:/Users/Jeff/myfile.mkv")]
[InlineData("\\home/jeff\\myfile.mkv", '\\', "\\home\\jeff\\myfile.mkv")]
[InlineData("\\home/jeff\\myfile.mkv", '/', "/home/jeff/myfile.mkv")]
[InlineData("", '/', "")]
public void NormalizePath_SpecifyingSeparator_Normalizes(string path, char separator, string expectedPath)
{
Assert.Equal(expectedPath, path.NormalizePath(separator));
}
[Theory]
[InlineData("/home/jeff/myfile.mkv")]
[InlineData("C:\\Users\\Jeff\\myfile.mkv")]
[InlineData("\\home/jeff\\myfile.mkv")]
public void NormalizePath_NoArgs_UsesDirectorySeparatorChar(string path)
{
var separator = Path.DirectorySeparatorChar;
Assert.Equal(path.Replace('\\', separator).Replace('/', separator), path.NormalizePath());
}
[Theory]
[InlineData("/home/jeff/myfile.mkv", '/')]
[InlineData("C:\\Users\\Jeff\\myfile.mkv", '\\')]
[InlineData("\\home/jeff\\myfile.mkv", '/')]
public void NormalizePath_OutVar_Correct(string path, char expectedSeparator)
{
var result = path.NormalizePath(out var separator);
Assert.Equal(expectedSeparator, separator);
Assert.Equal(path.Replace('\\', separator).Replace('/', separator), result);
}
[Fact]
public void NormalizePath_SpecifyInvalidSeparator_ThrowsException()
{
Assert.Throws<ArgumentException>(() => string.Empty.NormalizePath('a'));
}
}
}

View File

@ -1,7 +1,12 @@
using System;
using System.IO;
using System.Text.Json;
using Emby.Server.Implementations.Library;
using Emby.Server.Implementations.Plugins;
using Jellyfin.Extensions.Json;
using Jellyfin.Extensions.Json.Converters;
using MediaBrowser.Common.Plugins;
using MediaBrowser.Model.Plugins;
using Microsoft.Extensions.Logging.Abstractions;
using Xunit;
@ -40,6 +45,136 @@ namespace Jellyfin.Server.Implementations.Tests.Plugins
Assert.Equal(manifest.Status, res.Manifest.Status);
Assert.Equal(manifest.AutoUpdate, res.Manifest.AutoUpdate);
Assert.Equal(manifest.ImagePath, res.Manifest.ImagePath);
Assert.Equal(manifest.Assemblies, res.Manifest.Assemblies);
}
/// <summary>
/// Tests safe traversal within the plugin directory.
/// </summary>
/// <param name="dllFile">The safe path to evaluate.</param>
[Theory]
[InlineData("./some.dll")]
[InlineData("some.dll")]
[InlineData("sub/path/some.dll")]
public void Constructor_DiscoversSafePluginAssembly_Status_Active(string dllFile)
{
var manifest = new PluginManifest
{
Id = Guid.NewGuid(),
Name = "Safe Assembly",
Assemblies = new string[] { dllFile }
};
var filename = Path.GetFileName(dllFile)!;
var (tempPath, pluginPath) = GetTestPaths("safe");
Directory.CreateDirectory(Path.Combine(pluginPath, dllFile.Replace(filename, string.Empty, StringComparison.OrdinalIgnoreCase)));
File.Create(Path.Combine(pluginPath, dllFile));
var options = GetTestSerializerOptions();
var data = JsonSerializer.Serialize(manifest, options);
var metafilePath = Path.Combine(tempPath, "safe", "meta.json");
File.WriteAllText(metafilePath, data);
var pluginManager = new PluginManager(new NullLogger<PluginManager>(), null!, null!, tempPath, new Version(1, 0));
var res = JsonSerializer.Deserialize<PluginManifest>(File.ReadAllText(metafilePath), options);
var expectedFullPath = Path.Combine(pluginPath, dllFile).Canonicalize();
Assert.NotNull(res);
Assert.NotEmpty(pluginManager.Plugins);
Assert.Equal(PluginStatus.Active, res!.Status);
Assert.Equal(expectedFullPath, pluginManager.Plugins[0].DllFiles[0]);
Assert.StartsWith(Path.Combine(tempPath, "safe"), expectedFullPath, StringComparison.InvariantCulture);
}
/// <summary>
/// Tests unsafe attempts to traverse to higher directories.
/// </summary>
/// <remarks>
/// Attempts to load directories outside of the plugin should be
/// constrained. Path traversal, shell expansion, and double encoding
/// can be used to load unintended files.
/// See <see href="https://owasp.org/www-community/attacks/Path_Traversal"/> for more.
/// </remarks>
/// <param name="unsafePath">The unsafe path to evaluate.</param>
[Theory]
[InlineData("/some.dll")] // Root path.
[InlineData("../some.dll")] // Simple traversal.
[InlineData("C:\\some.dll")] // Windows root path.
[InlineData("test.txt")] // Not a DLL
[InlineData(".././.././../some.dll")] // Traversal with current and parent
[InlineData("..\\.\\..\\.\\..\\some.dll")] // Windows traversal with current and parent
[InlineData("\\\\network\\resource.dll")] // UNC Path
[InlineData("https://jellyfin.org/some.dll")] // URL
[InlineData("....//....//some.dll")] // Path replacement risk if a single "../" replacement occurs.
[InlineData("~/some.dll")] // Tilde poses a shell expansion risk, but is a valid path character.
public void Constructor_DiscoversUnsafePluginAssembly_Status_Malfunctioned(string unsafePath)
{
var manifest = new PluginManifest
{
Id = Guid.NewGuid(),
Name = "Unsafe Assembly",
Assemblies = new string[] { unsafePath }
};
var (tempPath, pluginPath) = GetTestPaths("unsafe");
Directory.CreateDirectory(pluginPath);
var files = new string[]
{
"../other.dll",
"some.dll"
};
foreach (var file in files)
{
File.Create(Path.Combine(pluginPath, file));
}
var options = GetTestSerializerOptions();
var data = JsonSerializer.Serialize(manifest, options);
var metafilePath = Path.Combine(tempPath, "unsafe", "meta.json");
File.WriteAllText(metafilePath, data);
var pluginManager = new PluginManager(new NullLogger<PluginManager>(), null!, null!, tempPath, new Version(1, 0));
var res = JsonSerializer.Deserialize<PluginManifest>(File.ReadAllText(metafilePath), options);
Assert.NotNull(res);
Assert.Empty(pluginManager.Plugins);
Assert.Equal(PluginStatus.Malfunctioned, res!.Status);
}
private JsonSerializerOptions GetTestSerializerOptions()
{
var options = new JsonSerializerOptions(JsonDefaults.Options)
{
WriteIndented = true
};
for (var i = 0; i < options.Converters.Count; i++)
{
// Remove the Guid converter for parity with plugin manager.
if (options.Converters[i] is JsonGuidConverter converter)
{
options.Converters.Remove(converter);
}
}
return options;
}
private (string TempPath, string PluginPath) GetTestPaths(string pluginFolderName)
{
var tempPath = Path.Combine(_testPathRoot, "plugins-" + Path.GetRandomFileName());
var pluginPath = Path.Combine(tempPath, pluginFolderName);
return (tempPath, pluginPath);
}
}
}

View File

@ -13,7 +13,8 @@
"targetAbi": "10.6.0.0",
"sourceUrl": "https://repo.jellyfin.org/releases/plugin/anime/anime_10.0.0.0.zip",
"checksum": "93e969adeba1050423fc8817ed3c36f8",
"timestamp": "2020-08-17T01:41:13Z"
"timestamp": "2020-08-17T01:41:13Z",
"assemblies": [ "Jellyfin.Plugin.Anime.dll" ]
},
{
"version": "9.0.0.0",
@ -21,7 +22,8 @@
"targetAbi": "10.6.0.0",
"sourceUrl": "https://repo.jellyfin.org/releases/plugin/anime/anime_9.0.0.0.zip",
"checksum": "9b1cebff835813e15f414f44b40c41c8",
"timestamp": "2020-07-20T01:30:16Z"
"timestamp": "2020-07-20T01:30:16Z",
"assemblies": [ "Jellyfin.Plugin.Anime.dll" ]
}
]
},

View File

@ -106,5 +106,19 @@ namespace Jellyfin.Server.Implementations.Tests.Updates
var ex = await Record.ExceptionAsync(() => _installationManager.InstallPackage(packageInfo, CancellationToken.None)).ConfigureAwait(false);
Assert.Null(ex);
}
[Fact]
public async Task InstallPackage_WithAssemblies_Success()
{
PackageInfo[] packages = await _installationManager.GetPackages(
"Jellyfin Stable",
"https://repo.jellyfin.org/releases/plugin/manifest-stable.json",
false);
packages = _installationManager.FilterPackages(packages, "Anime").ToArray();
Assert.Single(packages);
Assert.NotEmpty(packages[0].Versions[0].Assemblies);
Assert.Equal("Jellyfin.Plugin.Anime.dll", packages[0].Versions[0].Assemblies[0]);
}
}
}