[alias_traversal] Minor improvements + respects path in the alias dir…

…ective: - alias /foo/bar/ -> HIGH severity - alias /foo/bar -> MEDIUM severity
afwu · Nov 10, 2017 · ea7d771 · ea7d771
1 parent 2a922f3
commit ea7d771
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 3 deletions.
diff --git a/gixy/directives/directive.py b/gixy/directives/directive.py
@@ -131,3 +131,11 @@ def __init__(self, name, args):
     @property
     def variables(self):
         return [Variable(name='document_root', value=self.path, provider=self)]
+
+
+class AliasDirective(Directive):
+    nginx_name = 'alias'
+
+    def __init__(self, name, args):
+        super(AliasDirective, self).__init__(name, args)
+        self.path = args[0]
diff --git a/gixy/plugins/alias_traversal.py b/gixy/plugins/alias_traversal.py
@@ -11,16 +11,21 @@ class alias_traversal(Plugin):
     """
     summary = 'Path traversal via misconfigured alias.'
     severity = gixy.severity.HIGH
-    description = 'TODO'
+    description = 'Using alias in a prefixed location that doesn\'t ends with directory separator could lead to path ' \
+                  'traversal vulnerability. '
     help_url = 'https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md'
     directives = ['alias']
 
     def audit(self, directive):
         for location in directive.parents:
             if location.name != 'location':
                 continue
+
             if not location.modifier or location.modifier == '^~':
                 # We need non-strict prefixed locations
                 if not location.path.endswith('/'):
-                    self.add_issue(directive=[directive, location])
+                    self.add_issue(
+                        severity=gixy.severity.HIGH if directive.path.endswith('/') else gixy.severity.MEDIUM,
+                        directive=[directive, location]
+                    )
             break
diff --git a/tests/plugins/simply/alias_traversal/config.json b/tests/plugins/simply/alias_traversal/config.json
@@ -1,3 +1,3 @@
 {
-  "severity": "HIGH"
+  "severity": ["MEDIUM", "HIGH"]
 }
diff --git a/tests/plugins/simply/alias_traversal/not_slashed_alias.conf b/tests/plugins/simply/alias_traversal/not_slashed_alias.conf
@@ -0,0 +1,3 @@
+location /files {
+    alias /home;
+}
diff --git a/tests/plugins/simply/alias_traversal/not_slashed_alias_fp.conf b/tests/plugins/simply/alias_traversal/not_slashed_alias_fp.conf
@@ -0,0 +1,3 @@
+location /files/ {
+    alias /home;
+}
diff --git a/tests/plugins/simply/alias_traversal/slashed_alias.conf b/tests/plugins/simply/alias_traversal/slashed_alias.conf
@@ -0,0 +1,3 @@
+location /files {
+    alias /home/;
+}
diff --git a/tests/plugins/simply/alias_traversal/slashed_alias_fp.conf b/tests/plugins/simply/alias_traversal/slashed_alias_fp.conf
@@ -0,0 +1,3 @@
+location /files/ {
+    alias /home/;
+}