alteropen/jellyfin
1
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin.git synced 2026-05-27 02:56:54 +01:00
Code Issues Actions 8 Packages Projects Releases Wiki Activity

Add DLL whitelist support for plugins

Browse Source
This commit is contained in:
AmbulantRex
2023-03-30 08:59:21 -06:00
parent d45cabfa74
commit 891b9f7a99
8 changed files with 375 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

99
Emby.Server.Implementations/Library/PathExtensions.cs
View File

@@ -1,6 +1,9 @@
using System;
using System.Diagnostics.CodeAnalysis;
using System.IO;
using System.Linq;
using MediaBrowser.Common.Providers;
using Nikse.SubtitleEdit.Core.Common;
namespace Emby.Server.Implementations.Library
{
@@ -86,24 +89,8 @@ namespace Emby.Server.Implementations.Library
return false;
}
char oldDirectorySeparatorChar;
char newDirectorySeparatorChar;
// True normalization is still not possible https://github.com/dotnet/runtime/issues/2162
// The reasoning behind this is that a forward slash likely means it's a Linux path and
// so the whole path should be normalized to use / and vice versa for Windows (although Windows doesn't care much).
if (newSubPath.Contains('/', StringComparison.Ordinal))
{
oldDirectorySeparatorChar = '\\';
newDirectorySeparatorChar = '/';
}
else
{
oldDirectorySeparatorChar = '/';
newDirectorySeparatorChar = '\\';
}
path = path.Replace(oldDirectorySeparatorChar, newDirectorySeparatorChar);
subPath = subPath.Replace(oldDirectorySeparatorChar, newDirectorySeparatorChar);
subPath = subPath.NormalizePath(out var newDirectorySeparatorChar)!;
path = path.NormalizePath(newDirectorySeparatorChar)!;
// We have to ensure that the sub path ends with a directory separator otherwise we'll get weird results
// when the sub path matches a similar but in-complete subpath
@@ -120,12 +107,86 @@ namespace Emby.Server.Implementations.Library
return false;
}
var newSubPathTrimmed = newSubPath.AsSpan().TrimEnd(newDirectorySeparatorChar);
var newSubPathTrimmed = newSubPath.AsSpan().TrimEnd((char)newDirectorySeparatorChar!);
// Ensure that the path with the old subpath removed starts with a leading dir separator
int idx = oldSubPathEndsWithSeparator ? subPath.Length - 1 : subPath.Length;
newPath = string.Concat(newSubPathTrimmed, path.AsSpan(idx));
return true;
}
/// <summary>
/// Retrieves the full resolved path and normalizes path separators to the <see cref="Path.DirectorySeparatorChar"/>.
/// </summary>
/// <param name="path">The path to canonicalize.</param>
/// <returns>The fully expanded, normalized path.</returns>
public static string Canonicalize(this string path)
{
return Path.GetFullPath(path).NormalizePath()!;
}
/// <summary>
/// Normalizes the path's directory separator character to the currently defined <see cref="Path.DirectorySeparatorChar"/>.
/// </summary>
/// <param name="path">The path to normalize.</param>
/// <returns>The normalized path string or <see langword="null"/> if the input path is null or empty.</returns>
public static string? NormalizePath(this string? path)
{
return path.NormalizePath(Path.DirectorySeparatorChar);
}
/// <summary>
/// Normalizes the path's directory separator character.
/// </summary>
/// <param name="path">The path to normalize.</param>
/// <param name="separator">The separator character the path now uses or <see langword="null"/>.</param>
/// <returns>The normalized path string or <see langword="null"/> if the input path is null or empty.</returns>
public static string? NormalizePath(this string? path, out char separator)
{
if (string.IsNullOrEmpty(path))
{
separator = default;
return path;
}
var newSeparator = '\\';
// True normalization is still not possible https://github.com/dotnet/runtime/issues/2162
// The reasoning behind this is that a forward slash likely means it's a Linux path and
// so the whole path should be normalized to use / and vice versa for Windows (although Windows doesn't care much).
if (path.Contains('/', StringComparison.Ordinal))
{
newSeparator = '/';
}
separator = newSeparator;
return path?.NormalizePath(newSeparator);
}
/// <summary>
/// Normalizes the path's directory separator character to the specified character.
/// </summary>
/// <param name="path">The path to normalize.</param>
/// <param name="newSeparator">The replacement directory separator character. Must be a valid directory separator.</param>
/// <returns>The normalized path.</returns>
/// <exception cref="ArgumentException">Thrown if the new separator character is not a directory separator.</exception>
public static string? NormalizePath(this string? path, char newSeparator)
{
const char Bs = '\\';
const char Fs = '/';
if (!(newSeparator == Bs || newSeparator == Fs))
{
throw new ArgumentException("The character must be a directory separator.");
}
if (string.IsNullOrEmpty(path))
{
return path;
}
return newSeparator == Bs ? path?.Replace(Fs, newSeparator) : path?.Replace(Bs, newSeparator);
}
}
}

83
Emby.Server.Implementations/Plugins/PluginManager.cs
View File

@@ -1,5 +1,6 @@
using System;
using System.Collections.Generic;
using System.Data;
using System.Globalization;
using System.IO;
using System.Linq;
@@ -9,6 +10,8 @@ using System.Runtime.Loader;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Emby.Server.Implementations.Library;
using Jellyfin.Extensions;
using Jellyfin.Extensions.Json;
using Jellyfin.Extensions.Json.Converters;
using MediaBrowser.Common;
@@ -19,8 +22,11 @@ using MediaBrowser.Model.Configuration;
using MediaBrowser.Model.IO;
using MediaBrowser.Model.Plugins;
using MediaBrowser.Model.Updates;
using Microsoft.AspNetCore.Mvc.ApplicationParts;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Nikse.SubtitleEdit.Core.Common;
using SQLitePCL.pretty;
namespace Emby.Server.Implementations.Plugins
{
@@ -44,7 +50,7 @@ namespace Emby.Server.Implementations.Plugins
/// <summary>
/// Initializes a new instance of the <see cref="PluginManager"/> class.
/// </summary>
/// <param name="logger">The <see cref="ILogger"/>.</param>
/// <param name="logger">The <see cref="ILogger{PluginManager}"/>.</param>
/// <param name="appHost">The <see cref="IApplicationHost"/>.</param>
/// <param name="config">The <see cref="ServerConfiguration"/>.</param>
/// <param name="pluginsPath">The plugin path.</param>
@@ -424,7 +430,8 @@ namespace Emby.Server.Implementations.Plugins
Version = versionInfo.Version,
Status = status == PluginStatus.Disabled ? PluginStatus.Disabled : PluginStatus.Active, // Keep disabled state.
AutoUpdate = true,
ImagePath = imagePath
ImagePath = imagePath,
Assemblies = versionInfo.Assemblies
};
return SaveManifest(manifest, path);
@@ -688,7 +695,15 @@ namespace Emby.Server.Implementations.Plugins
var entry = versions[x];
if (!string.Equals(lastName, entry.Name, StringComparison.OrdinalIgnoreCase))
{
entry.DllFiles = Directory.GetFiles(entry.Path, "*.dll", SearchOption.AllDirectories);
if (!TryGetPluginDlls(entry, out var allowedDlls))
{
_logger.LogError("One or more assembly paths was invalid. Marking plugin {Plugin} as \"Malfunctioned\".", entry.Name);
ChangePluginState(entry, PluginStatus.Malfunctioned);
continue;
}
entry.DllFiles = allowedDlls;
if (entry.IsEnabledAndSupported)
{
lastName = entry.Name;
@@ -734,6 +749,68 @@ namespace Emby.Server.Implementations.Plugins
return versions.Where(p => p.DllFiles.Count != 0);
}
/// <summary>
/// Attempts to retrieve valid DLLs from the plugin path. This method will consider the assembly whitelist
/// from the manifest.
/// </summary>
/// <remarks>
/// Loading DLLs from externally supplied paths introduces a path traversal risk. This method
/// uses a safelisting tactic of considering DLLs from the plugin directory and only using
/// the plugin's canonicalized assembly whitelist for comparison. See
/// <see href="https://owasp.org/www-community/attacks/Path_Traversal"/> for more details.
/// </remarks>
/// <param name="plugin">The plugin.</param>
/// <param name="whitelistedDlls">The whitelisted DLLs. If the method returns <see langword="false"/>, this will be empty.</param>
/// <returns>
/// <see langword="true"/> if all assemblies listed in the manifest were available in the plugin directory.
/// <see langword="false"/> if any assemblies were invalid or missing from the plugin directory.
/// </returns>
/// <exception cref="ArgumentNullException">If the <see cref="LocalPlugin"/> is null.</exception>
private bool TryGetPluginDlls(LocalPlugin plugin, out IReadOnlyList<string> whitelistedDlls)
{
_ = plugin ?? throw new ArgumentNullException(nameof(plugin));
IReadOnlyList<string> pluginDlls = Directory.GetFiles(plugin.Path, "*.dll", SearchOption.AllDirectories);
whitelistedDlls = Array.Empty<string>();
if (pluginDlls.Count > 0 && plugin.Manifest.Assemblies.Count > 0)
{
_logger.LogInformation("Registering whitelisted assemblies for plugin \"{Plugin}\"...", plugin.Name);
var canonicalizedPaths = new List<string>();
foreach (var path in plugin.Manifest.Assemblies)
{
var canonicalized = Path.Combine(plugin.Path, path).Canonicalize();
// Ensure we stay in the plugin directory.
if (!canonicalized.StartsWith(plugin.Path.NormalizePath()!, StringComparison.Ordinal))
{
_logger.LogError("Assembly path {Path} is not inside the plugin directory.", path);
return false;
}
canonicalizedPaths.Add(canonicalized);
}
var intersected = pluginDlls.Intersect(canonicalizedPaths).ToList();
if (intersected.Count != canonicalizedPaths.Count)
{
_logger.LogError("Plugin {Plugin} contained assembly paths that were not found in the directory.", plugin.Name);
return false;
}
whitelistedDlls = intersected;
}
else
{
// No whitelist, default to loading all DLLs in plugin directory.
whitelistedDlls = pluginDlls;
}
return true;
}
/// <summary>
/// Changes the status of the other versions of the plugin to "Superceded".
/// </summary>