Fixing test for CVE-2024-56509

CVE-2024-56509 - Stricter file protocol checking pre-check ( Improper Input Validation Leading to LFR/Path Traversal when fetching file:.. )
0.48.04
2025-12-02 14:22:34 +00:00 · 2024-12-27 10:37:36 +01:00 · 2024-12-27 09:26:28 +01:00 · 2024-12-16 21:50:53 +01:00 · 2024-12-16 21:50:28 +01:00
4 changed files with 28 additions and 38 deletions
--- a/changedetectionio/init.py
+++ b/changedetectionio/init.py
@@ -2,7 +2,7 @@

 # Read more https://github.com/dgtlmoon/changedetection.io/wiki

-__version__ = '0.48.03'
+__version__ = '0.48.04'

 from changedetectionio.strtobool import strtobool
 from json.decoder import JSONDecodeError
--- a/changedetectionio/processors/init.py
+++ b/changedetectionio/processors/init.py
@@ -33,8 +33,8 @@ class difference_detection_processor():

        url = self.watch.link

-        # Protect against file://, file:/ access, check the real "link" without any meta "source:" etc prepended.
-        if re.search(r'^file:/', url.strip(), re.IGNORECASE):
+        # Protect against file:, file:/, file:// access, check the real "link" without any meta "source:" etc prepended.
+        if re.search(r'^file:', url.strip(), re.IGNORECASE):
            if not strtobool(os.getenv('ALLOW_FILE_URI', 'false')):
                raise Exception(
                    "file:// type access is denied for security reasons."
--- a/changedetectionio/tests/test_security.py
+++ b/changedetectionio/tests/test_security.py
@@ -1,9 +1,7 @@
 import os

 from flask import url_for
-from .util import set_original_response, set_modified_response, live_server_setup, wait_for_all_checks
-import time
-
+from .util import live_server_setup, wait_for_all_checks
 from .. import strtobool


@@ -61,54 +59,44 @@ def test_bad_access(client, live_server, measure_memory_usage):
    assert b'Watch protocol is not permitted by SAFE_PROTOCOL_REGEX' in res.data


-def test_file_slashslash_access(client, live_server, measure_memory_usage):
-    #live_server_setup(live_server)
+def _runner_test_various_file_slash(client, file_uri):

-    test_file_path = os.path.abspath(__file__)
-
-    # file:// is permitted by default, but it will be caught by ALLOW_FILE_URI
    client.post(
        url_for("form_quick_watch_add"),
-        data={"url": f"file://{test_file_path}", "tags": ''},
+        data={"url": file_uri, "tags": ''},
        follow_redirects=True
    )
    wait_for_all_checks(client)
    res = client.get(url_for("index"))

+    substrings = [b"URLs with hostname components are not permitted", b"No connection adapters were found for"]
+
+
    # If it is enabled at test time
    if strtobool(os.getenv('ALLOW_FILE_URI', 'false')):
-        res = client.get(
-            url_for("preview_page", uuid="first"),
-            follow_redirects=True
-        )
+        if file_uri.startswith('file:///'):
+            # This one should be the full qualified path to the file and should get the contents of this file
+            res = client.get(
+                url_for("preview_page", uuid="first"),
+                follow_redirects=True
+            )
+            assert b'_runner_test_various_file_slash' in res.data
+        else:
+            # This will give some error from requests or if it went to chrome, will give some other error :-)
+            assert any(s in res.data for s in substrings)

-        assert b"test_file_slashslash_access" in res.data
-    else:
-        # Default should be here
-        assert b'file:// type access is denied for security reasons.' in res.data
+    res = client.get(url_for("form_delete", uuid="all"), follow_redirects=True)
+    assert b'Deleted' in res.data

 def test_file_slash_access(client, live_server, measure_memory_usage):
    #live_server_setup(live_server)

+    # file: is NOT permitted by default, so it will be caught by ALLOW_FILE_URI check
+
    test_file_path = os.path.abspath(__file__)
-
-    # file:// is permitted by default, but it will be caught by ALLOW_FILE_URI
-    client.post(
-        url_for("form_quick_watch_add"),
-        data={"url": f"file:/{test_file_path}", "tags": ''},
-        follow_redirects=True
-    )
-    wait_for_all_checks(client)
-    res = client.get(url_for("index"))
-
-    # If it is enabled at test time
-    if strtobool(os.getenv('ALLOW_FILE_URI', 'false')):
-        # So it should permit it, but it should fall back to the 'requests' library giving an error
-        # (but means it gets passed to playwright etc)
-        assert b"URLs with hostname components are not permitted" in res.data
-    else:
-        # Default should be here
-        assert b'file:// type access is denied for security reasons.' in res.data
+    _runner_test_various_file_slash(client, file_uri=f"file://{test_file_path}")
+    _runner_test_various_file_slash(client, file_uri=f"file:/{test_file_path}")
+    _runner_test_various_file_slash(client, file_uri=f"file:{test_file_path}") # CVE-2024-56509

 def test_xss(client, live_server, measure_memory_usage):
    #live_server_setup(live_server)
--- a/requirements.txt
+++ b/requirements.txt
@@ -95,3 +95,5 @@ babel
 # Needed for > 3.10, https://github.com/microsoft/playwright-python/issues/2096
 greenlet >= 3.0.3

+# Scheduler - Windows seemed to miss a lot of default timezone info (even "UTC" !)
+tzdata
Author	SHA1	Message	Date
dgtlmoon	8a0e2f5e13	Fixing test for CVE-2024-56509	2024-12-27 10:37:36 +01:00
dgtlmoon	f7e9846c9b	CVE-2024-56509 - Stricter file protocol checking pre-check ( Improper Input Validation Leading to LFR/Path Traversal when fetching file:.. )	2024-12-27 09:26:28 +01:00
dgtlmoon	5dea5e1def	0.48.04	2024-12-16 21:50:53 +01:00
dgtlmoon	0fade0a473	Windows was sometimes missing timezone data (#2845 #2826 )	2024-12-16 21:50:28 +01:00