Security considerations about macros

[rejetto]

This is a discussion mostly for techies,
it's related to the new feature coming with version 2.3: template macros.

I'm very worried about files related macros.
I'm talking about load, save, delete, rename, append.
They are very dangerous if they come from the wrong place.
The template is not very static, it can be composed with diff templates, and other pieces coming from external data, so it's not trivial for HFS to tell for every piece where it is coming from, because they are combined, and they are transformed/expanded through the process (a macro can generate other macros, or even just an half).
So, while most macros are quite harmless, files related macros can destroy your happiness, and we must come to a solution before 2.3 is published.
The point is that people don't consider a template as virtually dangerous, and could be prone to allow any script to run on his own HFS. We can't ignore this fact.

These days i thought of several risky situations.
I won't publish any "official" 2.3 until we find a serious solution to this.

Here comes some ideas

1) easiest solution
remove all harmful macros: save, delete, rename.
eventually leaving "load", and put some check on "append" to disallow filenames like "autorun.ini"
this may invalidate some of the things that people developed in the last month.

2) partial sandboxing
limit all macros to only the folder where they are executed, and eventually subfolders.

3) disabled by default
have such macros forbidden by default, and the admin can enable loading and/or writing macros.
not very effective, i think people will enable macros to use advanced templates, then anything will just be allowed.

4) forbid macros from external sources
considering a template as trusted, we couldn't do the same with diff templates, and anything else coming from the virtual file system

[maverick]

Remove ALL file related macros.  Security is very important especially for a file server.  Introducing macros or anything else that can be very dangerous is not the way to proceed IMHO.  Something like this could put this fine product you created in jeoprady .

[Foggy]

I think that option 4 is the way to go and that any macros that are imported from a file, urlvar, postvar, etc are somehow made void.

It makes sense to do this, because the only way someone that isn't the administrator can get a macro executed is by uploading it in a urlvar or postvar that is being called in the template. As soon as it is called in the template it will be evaluated.

it is also possible to upload a text file with a macro but the uploader will have to problems facing them making it a lot harder for them to succeed.
1) the template has to use load and they must know what file the template loads
2) If the template does use load and they know the file, by default hfs doesn't overwrite the file so it wouldn't be loaded anyway.

[TSG]

Load Delete and Append are very powerful, half my template runs off it.  Removing them is not really an option. However I like that they could be restricted. I like the execution in the folder they are in, cause only a moron is going to put a folder with sensitive system data on their HFS. Does this include execution within all unique folders like '/template' which is active in the background running shoutbox, language files etc?

Also, you could disable all comment/hfs.diff.tpl/filename placed macros in an upload enabled folder. This would lock the template system up fairly well. The only other risk then is the Virtual File System. But this is only a risk if someone was to tamper with it and ask a host to open it. My suggestion was to have a prompt telling them that the vfs was made on a different system and could be a security risk.

You could restrict HFS to atleast 2 folder levels above the HDD letter on the C:\ drive. So C:\Documents and Settings\User\THIS LEVEL. Putting a prompt when adding raw C:\ would be a good idea to tell them that its a security risk.

And finally you could basically not allow HFS to use the load macro on any folder other than a sub or neighbour folder of HFS.

That should tighten HFS up nicely.

[Giant Eagle]

Option 4 is the best way to solve this, as there is currently no way to change the template externally. Running a harmful template is like executing a virus, only a moron would do that.

Also, i think that hfs.diff.tpl should also be able to call macro's. The ability to upload, modify or delete them is the thing that should be removed (if that has not already been done).

File comments and file names should just be displayed as plain text, no hfs variables, no macro's.. just text.

Remove ALL file related macros.  Security is very important especially for a file server.  Introducing macros or anything else that can be very dangerous is not the way to proceed IMHO.  Something like this could put this fine product you created in jeoprady .

On the contrary; since PHP is not going to happen, solutions have to be made. I think HFS is going the right way, with a few security fixes it will be a one-of-its-kind

[TSG]

Ok. I have taken into account the problems we face and come up with these few small measures.

1. If someone uploads a hfs.diff.tpl, it would be renamed to (1)hfs.diff.tpl. That way it wont disturb a diff tpl in the upload enabled folder, and will not be executed.

2. Disable macros in %item-comment%.

3. Disable macros in %item-name% and %item-url% (even tho most macro features aren't valid filename chars).

4. Prompt the user if the .vfs file was created on another computer. Only a moron would use someone else's .vfs file anyway.

Finally, maybe a check should be made on {{delete}} to ensure that the user is logged in. And instead of permanent deletion, the deleted file is simply moved to the computers recycle bin for restoration if needed.

I may seem concerned only for my templates, but I am mainly concerned about the retardation of such awesome functionality. Sure there is a risk but restrictions and measures must be incorporated to prevent a malicious coward. And lets remember this is no common language, they would have to study HFS to learn how to delete a file. It took me a while to figure this stuff out.

Oh and the new syntax would render the chance of a filename macro even less likely. {} \/ : | " * >< ? are all invalid characters. {.macro.} {:quote:} for those out of the loop.

[Unknown8063]

1. If someone uploads a hfs.diff.tpl, it would be renamed to (1)hfs.diff.tpl. That way it wont disturb a diff tpl in the upload enabled folder, and will not be executed.

Agreed.  Diff templates should not be something a visitor can drop in a folder and expect it to execute.

4. Prompt the user if the .vfs file was created on another computer. Only a moron would use someone else's .vfs file anyway.

I guess a prompt would be okay, but a bit annoying.  One of the great things about HFS is how portable it is.  I use it on an external hard drive that I move between computers.

I completely agree that macros should be disabled in file comments and file names.  I can't see a legitimate use for this functionality and both could be reasonably exposed to user input (anyone consider allowing users to enter file comments along with the file upload?)

[TSG]

4. Prompt the user if the .vfs file was created on another computer. Only a moron would use someone else's .vfs file anyway.

I guess a prompt would be okay, but a bit annoying.  One of the great things about HFS is how portable it is.  I use it on an external hard drive that I move between computers.

I completely agree that macros should be disabled in file comments and file names.  I can't see a legitimate use for this functionality and both could be reasonably exposed to user input (anyone consider allowing users to enter file comments along with the file upload?)

I see what you mean, if you transport the HFS, don't you transport the .ini? So couldn't HFS recognise that particular .vfs? HFS would set some unique id for the .vfs, HFS would also need to know that unique id for future reference so it would require it to be stored in the .ini file.

Yes I considered the real file comments, thats why I suggested disabling macro in %item-comment%, so even if they did upload a .comment file it would just show the macro as plain text (i think) and the uploader would look like a moron

[bacter]

Security is very important. So i think most HFS implementations have a folder where hfs.exe, hfs.ini, *.vfs and the main template are stored. I think it is important to never include this folder in the vfs. I will call this folder the 'sys' folder for my exposure.

A) Security of the hfs-system

1: No diff-templates outside of the 'sys' folder.
Some time ago, i proposed to allow in the advanced->diff-template section an option i named 'include path/filename' instead of having the diff templates in the data folders. With the introduction of macros this seemed not to be necessary anymore, as with a macro-call we could already avoid repeating large templates in different folders. But for security reasons, I propose it once more.
If if the diff-template-option of hfs would implement such a feature, we could have all diff templates in the same secured sys-folder with a clear name (now we have to pay a lot of attention what the hell the diff template contains, as different templates have the same name!) and we could avoid the risk of uploading or erasing diff.templates.

2. No macro-execution of files from outside the 'sys' folder.
If a file is loaded from outside the sys folder, macros that it could contain must be ignored.

3. As TSG writes, disallow macroexecution in %item-comment% %item-name% etc. (Only needed if the template allows the users to change or uplad comment files or if somebody could build a filename containing a usefull macro!) - but it's not a bad idea to prevent.

With this, HFS as the system would be secured from executable things introduced by the user from outside. Another question is what the template creator would allow the user to do with file related options like delete, append, rename etc.

B) Security of the data - template writers responsability

To secure our data files,  the power of macros allows us a lot not only to destroy, but also to protect. As the user(group) administration in this version of hfs does not exist, we can it now easy implement with macros, assigning some global variables with macros in the special:begin section:
1. We can distingush from where the server is accessed (wan, lan, localhost or wlan-address-pool) in my case.
2. We can have user-datafile to set a user-account-level. Guests and less known users don't need to be in this, for users you want to allow higher access rights, you load the user-datafile, check username, including matching ip (partial for his provider).

With this security mecanism, the template creator can allow or not the file related operations to some users. I suggest at this point also another macro: move -> {{move|filename|destinationfolder}} This macro could avoid the loss of data if we use it instead of delete.
This way, the template-authors could secure their data, expanding their macros for risky operations:
- if account-level (and/or username) allows operation
-- append to historyfile :username datetime operation(delete,move,rename..) destination
-- execute the operation
...

The security of HFS (point A) relies in the program
The security of the data on the template and the way a server-admin builds his folder-tree

[Unknown8063]

2. No macro-execution of files from outside the 'sys' folder.
If a file is loaded from outside the sys folder, macros that it could contain must be ignored.

I disagree with this.  Right now the load macro allows you to dynamically load files off of another server using a URL.  A clever programmer could use this macro to give HFS a small amount of database integration by loading PHP pages off of another server that generates macros.  This is a pretty advanced usage but I don't see it as being unreasonable.  Not long ago I wrote a flash game on one server that talked to a PHP page on another to send and retrieve database data.

[bacter]

unknown8063:

no macro-execution of files from outside the sys folder.

I proposed this to have data-space on the hfs-server full separated from hfs-system elements.
Without a clearer example i cant see the need to create hfs-macros form a php-server.

As far as i can imagine, with php you could prepare pages to load that contain the final data which dont need any macro for further execution. Or if you want tu do something with the data you load, you could analize this data with local hfs macros ando manipulate them as you deed, with the string manipulation macros a clever programmer could construct some special interpreter for this case.

But i am willing to read some example that really need importing macros created by another server.
If this would really be a need, perhaps a special macro like {{allowmacrofrom|url}} could override the basic rule that inhibits for security reasons about no execution of macros from outside of 'sys'.

[Foggy]

3. As TSG writes, disallow macroexecution in %item-comment% %item-name% etc. (Only needed if the template allows the users to change or uplad comment files or if somebody could build a filename containing a usefull macro!) - but it's not a bad idea to prevent.

I agree with this but also want to remind you not to forget {{postvar}} and {{urlvar}} because tsg's shoutbox and templates I am working on all use these and someone could upload a macro in these vars.

I disagree with this.  Right now the load macro allows you to dynamically load files off of another server using a URL.  A clever programmer could use this macro to give HFS a small amount of database integration by loading PHP pages off of another server that generates macros.  This is a pretty advanced usage but I don't see it as being unreasonable.

I dont see this usage as being unreasonable either but I think it is a bad move to have macro's created/contained in external files and that macros loaded from LOAD should not be executed. If you are using php to create the macro's you could very easily change it to create a strings table. That is plain text and wouldnt be affected by disabling macros in LOAD.

Also it is very hard/impossible to make hfs append a macro to a file, so why let hfs run macro's from a file?

[Mars]

I did not certainly read everything in great detail all the topic, but I thought of a simple solution there delphi:

There is a  filter mask by default used for every folder '\hfs.*;index.htm*;default.htm*'

if s = '' then s:='\hfs.*;index.htm*;default.htm*'; // the user can disable this default filter by inputing * as mask

The idea is that if a file does not begin by ' hfs.' , then his content is modified by altering what looks like a macro,  and also for any file read from an URL

The code of the function resume in:

    function excludemacros(s:string):string;

//    MARKER_OPEN = '{{';
//    MARKER_CLOSE = '}}';
//    MARKER_SEP = '|';
//    MARKER_QUOTE = '{{\';
//    MARKER_UNQUOTE = '/}}';
//    MARKER_OPEN_SHORT = '{';
//    MARKER_CLOSE_SHORT = '}';
//    MARKER_OPEN_TAG = '<?tpl';
//    MARKER_CLOSE_TAG = 'tpl?>';
  var
    marker:string;
  begin
    marker:= MARKER_QUOTE; while pos(marker,s) > 0 do delete(s, pos(marker,s),length(marker));
    marker:= MARKER_UNQUOTE; while pos(marker,s) > 0 do delete(s, pos(marker,s),length(marker));
    marker:= MARKER_OPEN; while pos(marker,s) > 0 do delete(s, pos(marker,s),length(marker));
    marker:= MARKER_CLOSE; while pos(marker,s) > 0 do delete(s, pos(marker,s),length(marker));
    marker:= MARKER_OPEN_TAG; while pos(marker,s) > 0 do delete(s, pos(marker,s),length(marker));
    marker:= MARKER_CLOSE_TAG; while pos(marker,s) > 0 do delete(s, pos(marker,s),length(marker));
    msgdlg(s);
    result:=s;
  end;

.........
  if name= 'exclude macros' then
  result:= excludemacros(p);

It is possible to use a new macro {{exclude macros ¦ ......  }}

by example

   {{exclude macros | {{set | test | MY TEXT }} {{^test}} }}  return as result
 MY TEXT

but if you quote  macros as

{{exclude macros | {{\ {{set | test | MY TEXT }} {{^test}} /}} }}  return as result
 set | test | MY TEXT ^test 

the macros inside  {{exclude macros| {{\ ....  /}} }} are altered , not cuted, and all which looks like a macro is definitively inhibited by deleting macros markers


Some macros must be adapted as a consequence

  procedure load(fn:string; varname:string='');
  begin
  if ansiStartsText('http://', fn) then result:=excludemacros(httpGet(fn))
  else if fileExists(fn) then if ansiStartsStr('hfs.',extractfilename(fn))
                                then result:=loadFile(fn)
                                else result:=excludemacros(loadfile(fn))
  else if ansiStartsStr('hfs.',extractfilename(fn))
                                then result:=loadFile(exePath+fn)
                                else result:=excludemacros(loadfile(exePath+fn));
   if varname > '' then
    begin
    setVar(varname, result);
    result:='';
    end;
  end; // load

........

 procedure save_();
  begin
    if fileExists(p) then if ansiStartsStr('hfs.',extractfilename(p))
                                then result:=if_(saveFile(p,pars[1]), ' ')
                                else result:=if_(saveFile(p, excludemacros(pars[1])), ' ')
    else if ansiStartsStr('hfs.',extractfilename(p))
                                then result:=if_(saveFile(exepath+p,pars[1]), ' ')
                                else result:=if_(saveFile(exePath+p, excludemacros(pars[1])), ' ')
  end; //save_

...........

procedure append_();
  begin
    if fileExists(p) then if ansiStartsStr('hfs.',extractfilename(p))
                                then result:=if_(appendFile(p,pars[1]), ' ')
                                else result:=if_(appendFile(p, excludemacros(pars[1])), ' ')
    else if ansiStartsStr('hfs.',extractfilename(p))
                                then result:=if_(appendFile(exepath+p,pars[1]), ' ')
                                else result:=if_(appendFile(exePath+p, excludemacros(pars[1])), ' ')
  end; //append_

...........

 procedure section(ofs:integer);
  var
    b, e: integer;
    s: string;
  begin
  if not satisfied(md.tpl) then exit;
  if pars.count < 1+ofs then
    begin
    try result:=md.tpl[p] except end;
    exit;
    end;
  result:='';
  s:=par(ofs);
  if ansiStartsText('http://', s) then s:=excludemacros(httpGet(s))
    else if fileExists(par(ofs)) then if ansiStartsStr('hfs.',extractfilename(s))
                                then s:=loadFile(s)
                                else s:=excludemacros(loadfile(s))
    else if ansiStartsStr('hfs.',extractfilename(s))
                                then s:=loadFile(exePath+s)
                                else s:=excludemacros(loadfile(exePath+s));
  // search the starting pattern
  p:='['+p+']';
  b:=0;
    repeat
    b:=posEx(p, s, b+1);
    if b = 0 then exit;
    until (b = 1) or (s[b-1]  = #10);
  b:=1+posEx(#10, s, b); // skip this line
  if b = 1 then exit;
  // calculates the end of the section
  e:=posEx(#10'[', s, b);
  if e = 0 then e:=length(s);
  result:=substr(s,b,e);
  end; // section


...........

  if name = 'save' then
      save_();


 if name = 'append' then
      append_();
........

With these updates, all the files, which not beginning by HFS. , are altered during the usage of the macro: SECTION, LOAD, SAVE, and APPEND.

By security, all the files referenced by an url (same beginner by hfs.), are systematically altered if he it contain some macros.

The security is protected as long as filters are not modified inside hfs

Attached the hfs.exe build 177 mars compiled for your tests (included macros FOR EACH and REPLACE  from build 178)

[rejetto]

My reply is going to be long, sorry. But i considered all of you, and you deserve a reply.

To lose features is not my goal. But we cannot exchange safety with features. Even if the risk could be appear to be reasonable, security experts and/or paranoids may spread a bad reputation on the software.

The reason why I came up with this thread is because I spent some time trying to stop all possible doors for malicious macros, and found no way to stay safe while keeping same features. But go on reading, because I found a decent solution.

@tsg
Calling people morons won't make the software safer.
Braces {} are valid chars in a file name.
Ok, {{delete}} will move to recycle bin, but as a feature. If someone wants to destroy a file can still use {{save}}.

Restricting paths can make it safer, but not safe. Think of an upload folder where i may delete all other files uploaded by others.

To detect if a VFS file was created on the same computer is a nice idea. I may save all MACs on saving, and just search if any of them is available on loading. Sadly, an attacker could tamper the VFS file to make it contain a valid MAC address. Tho most of times an attacker won't know it, we cannot rely on the secretness of the mac address. So, I don't know a good way to detect if we are loading a file created elsewhere.

I think it is important to never include this folder in the vfs.

sure, because it contains passwords.

Some time ago, i proposed to allow in the advanced->diff-template section an option i named 'include path/filename' instead of having the diff templates in the data folders.

It's there, since long

If if the diff-template-option of hfs would implement such a feature, we could have all diff templates in the same secured sys-folder with a clear name (now we have to pay a lot of attention what the hell the diff template contains, as different templates have the same name!) and we could avoid the risk of uploading or erasing diff.templates.

that's a good idea. you'll find it in next beta.
@Unknown8063
just create your macros in the hfs folder, in a file "mymacros", then in the diff template you'll put just "mymacros", and it will be executed. The point is that an attacker hardly will have access to the hfs.exe folder, so it can be considered a trusted place.
@giant eagle
Yes, we may think of allowing macros in external diff tpl, since uploading them is forbidden by default. But this require some deep thinking to be sure there's no way to exploit it, and bacter's suggestion should be enough.

I suggest at this point also another macro: move -> {{move|filename|destinationfolder}}

You can use {{rename}} to get the same effect.

Still consider that even if HFS will be safe, a bad template can make it unsafe.
Example: {{delete|{{urlvar|filename}}}}
This will let people delete anything by entering the filename in the url.
That's because we are still considering the main template as a trusted thing.
It would be good we could warn people in case of possible threats, and ask for a confirmation, but i don't see a way. Do you?

@mars
yes, i think content of {{load}} should be protected.
I don't see the point in removing macros from {{save}} and {{append}}. Moreover i don't see why should {{section}} work with URLs. It just won't.

In the end, here is what i came to:
1. removed the <?tpl feature
2. macro-quoted the content of {{load}}
3. forbidden macros in:
A) %any-comment%
B) {{urlvar}} {{postvar}} and {{header}}
C) all filename-like %symbols%   
D) saved .VFS files


Macro-quoting {{load}} will make easy to execute macros by using {{dequote|{{load|filename}} }}. This means no unexpected executions, and it requires you to be already allowed to use macros. Externals aren't.
I may think of using this same technique for comments, but i will only if users will really need this. Forbidding is somewhat safer than macro-quoting.

I had to remove <?tpl syntax because i couldn't prevent people of using single braces in filenames and other texts. It is much more acceptable to prevent double braces now, or {. .} when the new syntax will be activated.
Having the double syntax introduced with <?tpl made the work very complex and unsafe. Because it was easy for a template writer to have a %comment% inside a <?tpl block. Then, i should have prevented even single braces in comments, and filenames, etc. This is not very acceptable.

What really made the work feasible was removing the <?tpl syntax.
I'm not happy with removing it, because it required me hours to create it, but this should make HFS safe enough, again.

Now i have the new beta ready, and we'll see how it goes.

[Mars]

I imagine that the macro final will be of the genre:

procedure load(fn:string; varname:string='');
  begin
  if ansiStartsText('http://', fn) then result:=httpGet(fn)
  else if ansiContainsStr(fn, '/') then result:=loadFile(uri2disk(fn))
  else result:=loadFile(fn);
  result:=MARKER_QUOTE+result+MARKER_UNQUOTE;        // '{{\ '+ result +' /}}'
  if varname > '' then
    begin
    setVar(varname, result);
    result:='';
    end;
  end; // load

But did you think of what had to take the variable as value? QUOTED or not QUOTED

I think that we can exceed the dilleme by:

procedure load(fn:string; varname:string='');
  begin
  if ansiStartsText('http://', fn) then result:=httpGet(fn)
  else if ansiContainsStr(fn, '/') then result:=loadFile(uri2disk(fn))
  else result:=loadFile(fn);
 if name='load' then  result:=MARKER_QUOTE+result+MARKER_UNQUOTE;
  if varname > '' then
    begin
    setVar(varname, result);
    result:='';
    end;
  end; // load
.........
  if stringExists(name, ['load','load dequote','load unquoted']) then
    load(par(0,'file'), par(1,'var'));

TESTED AND WORKING FINE


give us an alias to {{dequote|{{load|filename|var}} }}.

{{load unquoted|filename|var}} or {{load dequote|filename|var}}

*****************

Moreover i don't see why should {{section}} work with URLs. It just won't.

If you look at your delphi code

result:='';
  s:=loadFile(par(ofs));
    // search the starting pattern

loadFile() returns only a file defined physically, of genre :  c:\hfs\...\myfile

While with the Load macro, it is possible to charge a file of the arborescence of hfs, of the genre /template/myfile  as used by tsg .

If you wish a specific section of this file, it is not possible as is.
{{section | mysection | /template/myfile}}

you must to modify the procedure section() with

result:='';
  if ansiContainsStr(par(ofs), '/') then s:=loadFile(uri2disk(par(ofs)))
  else  s:=loadFile(par(ofs));
    // search the starting pattern

to obtain a correct feature as
{{section | mysection | /template/myfile}}

 {{section}}  with URLs is not supported by this feature, only local files (real and virtual)
 
And it is for that, that I think  it is necessary to apply to the macro section, the same treatment as the macro load concerning the dequote

  procedure section(ofs:integer);
  var
    b, e: integer;
    s: string;
  begin
  if not satisfied(md.tpl) then exit;
  if pars.count < 1+ofs then
    begin
    try result:=md.tpl[p] except end;
    exit;
    end;
  result:='';
  if ansiContainsStr(par(ofs), '/') then s:=loadFile(uri2disk(par(ofs)))
  else  s:=loadFile(par(ofs));
    // search the starting pattern
  p:='['+p+']';
  b:=0;
    repeat
    b:=posEx(p, s, b+1);
    if b = 0 then exit;
    until (b = 1) or (s[b-1]  = #10);
  b:=1+posEx(#10, s, b); // skip this line
  if b = 1 then exit;
  // calculates the end of the section
  e:=posEx(#10'[', s, b);
  if e = 0 then e:=length(s);
  result:=substr(s,b,e);
  if name='section' then result:=MARKER_QUOTE+result+MARKER_UNQUOTE;  end; // section
......
   if stringExists(name, ['section','section dequote','section unquoted']) then
    section(1);

attached file with last propositions