Re: NNCP path traversal attack.

public inbox for nncp-devel@lists.stargrave.org
Atom feed

From: Eugene Medvedev <rn3aoh.g@gmail•com>
To: Jonathan Lane <jon@borg•moe>
Cc: nncp-devel@lists.cypherpunks.su
Subject: Re: NNCP path traversal attack.
Date: Fri, 19 Sep 2025 09:43:58 +0300	[thread overview]
Message-ID: <CAO-d-4pA0yOwdNHsX+BY6GVGHWQUieWTU3deUdBHC_MVAxaNnQ@mail.gmail.com> (raw)
In-Reply-To: <DCWKC3GNCPIO.2UVUYPU6RGLOF@borg.moe>

On Fri, 19 Sept 2025 at 09:29, Jonathan Lane <jon@borg•moe> wrote:

> The usual protection against symlink traversal is running services in a
> chroot jail, Docker, or some other imposed filesystem boundary.  I'm not
> sure there's a good source-level fix for this that runs everywhere NNCP
> does.

I'm not sure symlink traversal is a problem per se: You can't introduce a
symlink with nncp-file, while whatever symlinks exist are presumably where
the owner of the node wanted them.

Plain path traversal, where you have a freq in "/fileshare/whatever" and
then an incoming packet requests "../../etc/nncp.hjson" and gets it,
definitely is a problem that can be patched away, and hopefully my
patch is sufficient. I don't think Docker or chroot jails can cover that,
because every time you toss you have to read nncp.json...

-- 
Eugene Medvedev

next prev parent reply	other threads:[~2025-09-19  6:45 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-09-19  4:46 NNCP path traversal attack Eugene Medvedev
2025-09-19  6:28 ` Jonathan Lane
2025-09-19  6:43   ` Eugene Medvedev [this message]
2025-09-19 12:02 ` John Goerzen
2025-09-19 12:11   ` Eugene Medvedev
2025-09-19 12:04 ` John Goerzen
2025-09-19 12:31   ` Eugene Medvedev
2025-09-19 13:25 ` Sergey Matveev
2025-09-19 13:30   ` Eugene Medvedev