Security hardening

openbullet · openbullet · commit ff06245acef1 · 2026-05-08T21:43:09.000+02:00
diff --git a/OpenBullet2.Web.Tests/Integration/JobIntegrationTests.cs b/OpenBullet2.Web.Tests/Integration/JobIntegrationTests.cs
@@ -25,6 +25,7 @@
 using RuriLib.Models.Hits;
 using RuriLib.Models.Jobs;
 using RuriLib.Models.Jobs.StartConditions;
+using RuriLib.Models.Proxies;
 using RuriLib.Services;
 using Xunit;
 
@@ -1096,6 +1097,65 @@ public async Task CreateMultiRunJob_Guest_Success()
         Assert.Equal(guest.Id, resultJob.OwnerId);
     }
 
+    [Fact]
+    public async Task CreateMultiRunJob_Guest_ScriptFileProxySource_Forbidden()
+    {
+        // Arrange
+        using var client = Factory.CreateClient();
+        var configRepository = GetRequiredService<IConfigRepository>();
+        var config = new Config
+        {
+            Id = Guid.NewGuid().ToString(),
+            Metadata = new ConfigMetadata { Name = "Test Config" }
+        };
+        await configRepository.SaveAsync(config);
+
+        var dbContext = GetRequiredService<ApplicationDbContext>();
+        var guest = new GuestEntity { Username = "guest", AccessExpiration = DateTime.MaxValue };
+        dbContext.Guests.Add(guest);
+        await dbContext.SaveChangesAsync(TestCancellationToken);
+
+        RequireLogin();
+        ImpersonateGuest(client, guest);
+
+        var dto = new CreateMultiRunJobDto
+        {
+            Name = "Test MRJ",
+            ConfigId = config.Id,
+            Bots = 10,
+            ProxyMode = JobProxyMode.On,
+            DataPool = JsonSerializer.SerializeToElement(new InfiniteDataPoolOptionsDto
+            {
+                PolyTypeName = "infiniteDataPool"
+            }, JsonSerializerOptions),
+            HitOutputs = [JsonSerializer.SerializeToElement(new DatabaseHitOutputOptionsDto
+            {
+                PolyTypeName = "databaseHitOutput"
+            }, JsonSerializerOptions)],
+            ProxySources = [JsonSerializer.SerializeToElement(new FileProxySourceOptionsDto
+            {
+                FileName = Path.Combine(UserDataFolder, "Wordlists", "guest-proxies.ps1"),
+                DefaultType = ProxyType.Http,
+                PolyTypeName = "fileProxySource"
+            }, JsonSerializerOptions)],
+            StartCondition = JsonSerializer.SerializeToElement(new RelativeTimeStartConditionDto
+            {
+                StartAfter = TimeSpan.FromSeconds(1),
+                PolyTypeName = "relativeTimeStartCondition"
+            }, JsonSerializerOptions)
+        };
+
+        // Act
+        var result = await PostJsonAsync<MultiRunJobDto>(
+            client, "/api/v1/job/multi-run", dto);
+
+        // Assert
+        Assert.False(result.IsSuccess);
+        Assert.Equal(HttpStatusCode.Forbidden, result.Error.Response.StatusCode);
+        Assert.Equal(ErrorCode.ScriptFileNotAllowed, result.Error.Content!.ErrorCode);
+        Assert.Empty(await dbContext.Jobs.ToListAsync(TestCancellationToken));
+    }
+
     // Admin can create a proxy check job
     [Fact]
     public async Task CreateProxyCheckJob_Admin_Success()
@@ -1465,6 +1525,85 @@ public async Task UpdateMultiRunJob_Guest_Owned_Success()
         Assert.Equal(dto.Name, mrJob.Name);
     }
 
+    [Fact]
+    public async Task UpdateMultiRunJob_Guest_ScriptFileProxySource_Forbidden()
+    {
+        // Arrange
+        using var client = Factory.CreateClient();
+        var jobManager = GetRequiredService<JobManagerService>();
+        var dbContext = GetRequiredService<ApplicationDbContext>();
+        var guest = new GuestEntity { Id = 1, Username = "guest", AccessExpiration = DateTime.MaxValue };
+        dbContext.Guests.Add(guest);
+        var mrJob = CreateMultiRunJob();
+        mrJob.Name = "Test MRJ";
+        mrJob.Id = 1;
+        mrJob.OwnerId = guest.Id;
+        var jobEntity = CreateMultiRunJobEntity(mrJob);
+        jobEntity.Id = mrJob.Id;
+        jobEntity.Owner = guest;
+        dbContext.Jobs.Add(jobEntity);
+        jobManager.AddJob(mrJob);
+        await dbContext.SaveChangesAsync(TestCancellationToken);
+
+        RequireLogin();
+        ImpersonateGuest(client, guest);
+
+        var configRepository = GetRequiredService<IConfigRepository>();
+        var config = new Config
+        {
+            Id = Guid.NewGuid().ToString(),
+            Metadata = new ConfigMetadata { Name = "Test Config" }
+        };
+        await configRepository.SaveAsync(config);
+
+        var dto = new UpdateMultiRunJobDto
+        {
+            Id = mrJob.Id,
+            Name = "Test MRJ2",
+            ConfigId = config.Id,
+            Bots = 10,
+            Skip = 5,
+            ProxyMode = JobProxyMode.On,
+            DataPool = JsonSerializer.SerializeToElement(new InfiniteDataPoolOptionsDto
+            {
+                PolyTypeName = "infiniteDataPool"
+            }, JsonSerializerOptions),
+            HitOutputs =
+            [
+                JsonSerializer.SerializeToElement(new DatabaseHitOutputOptionsDto
+                {
+                    PolyTypeName = "databaseHitOutput"
+                }, JsonSerializerOptions)
+            ],
+            ProxySources =
+            [
+                JsonSerializer.SerializeToElement(new FileProxySourceOptionsDto
+                {
+                    FileName = Path.Combine(UserDataFolder, "Wordlists", "guest-proxies.sh"),
+                    DefaultType = ProxyType.Http,
+                    PolyTypeName = "fileProxySource"
+                }, JsonSerializerOptions)
+            ],
+            StartCondition = JsonSerializer.SerializeToElement(new RelativeTimeStartConditionDto
+            {
+                StartAfter = TimeSpan.FromSeconds(1),
+                PolyTypeName = "relativeTimeStartCondition"
+            }, JsonSerializerOptions)
+        };
+
+        // Act
+        var response = await PutJsonAsync<MultiRunJobDto>(
+            client, "/api/v1/job/multi-run", dto);
+
+        // Assert
+        Assert.False(response.IsSuccess);
+        Assert.Equal(HttpStatusCode.Forbidden, response.Error.Response.StatusCode);
+        Assert.Equal(ErrorCode.ScriptFileNotAllowed, response.Error.Content!.ErrorCode);
+
+        mrJob = jobManager.Jobs.OfType<MultiRunJob>().Single();
+        Assert.Equal("Test MRJ", mrJob.Name);
+    }
+
     // Admin can update a proxy check job
     [Fact]
     public async Task UpdateProxyCheckJob_Admin_Success()
diff --git a/OpenBullet2.Web.Tests/Integration/WordlistIntegrationTests.cs b/OpenBullet2.Web.Tests/Integration/WordlistIntegrationTests.cs
@@ -1,11 +1,13 @@
 using System.Net;
+using System.Net.Http.Json;
 using System.Text.Json;
 using Microsoft.EntityFrameworkCore;
 using OpenBullet2.Core;
 using OpenBullet2.Core.Entities;
 using OpenBullet2.Web.Dtos.Common;
 using OpenBullet2.Web.Dtos.Wordlist;
 using OpenBullet2.Web.Exceptions;
+using OpenBullet2.Web.Models.Errors;
 using OpenBullet2.Web.Tests.Extensions;
 using RuriLib.Extensions;
 using Xunit;
@@ -555,6 +557,31 @@ public async Task UploadWordlistFile_Admin_Success()
             Path.Combine(UserDataFolder, "Wordlists")));
     }
 
+    [Fact]
+    public async Task UploadWordlistFile_ScriptExtension_Forbidden()
+    {
+        // Arrange
+        using var client = Factory.CreateClient();
+        await using var stream = new MemoryStream("echo test"u8.ToArray());
+        var content = new MultipartFormDataContent
+        {
+            { new StreamContent(stream), "file", "test.sh" }
+        };
+
+        // Act
+        var response = await client.PostAsync(
+            "/api/v1/wordlist/upload", content, TestCancellationToken);
+
+        // Assert
+        Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
+
+        var dto = await response.Content.ReadFromJsonAsync<ApiError>(
+            JsonSerializerOptions, TestCancellationToken);
+
+        Assert.NotNull(dto);
+        Assert.Equal(ErrorCode.ScriptFileNotAllowed, dto.ErrorCode);
+    }
+
     [Fact]
     public async Task DeleteWordlist_Admin_WithoutFile_Success()
     {
diff --git a/OpenBullet2.Web/Controllers/JobController.cs b/OpenBullet2.Web/Controllers/JobController.cs
@@ -3,6 +3,7 @@
 using Microsoft.EntityFrameworkCore;
 using Newtonsoft.Json;
 using OpenBullet2.Core.Entities;
+using OpenBullet2.Core.Models.Data;
 using OpenBullet2.Core.Models.Hits;
 using OpenBullet2.Core.Models.Jobs;
 using OpenBullet2.Core.Models.Proxies;
@@ -19,6 +20,7 @@
 using OpenBullet2.Web.Interfaces;
 using OpenBullet2.Web.Models.Identity;
 using OpenBullet2.Web.Utils;
+using RuriLib.Extensions;
 using RuriLib.Models.Data.DataPools;
 using RuriLib.Models.Hits.HitOutputs;
 using RuriLib.Models.Jobs;
@@ -46,6 +48,7 @@ public class JobController(IJobRepository jobRepo, ILogger<JobController> logger
     private readonly IObjectMapper _mapper = mapper;
     private readonly IProxyGroupRepository _proxyGroupRepo = proxyGroupRepo;
     private readonly IRecordRepository _recordRepo = recordRepo;
+    private static readonly string[] ScriptExtensions = [".bat", ".ps1", ".sh"];
 
     /// <summary>
     /// Get overview information about all jobs.
@@ -243,6 +246,8 @@ public async Task<ActionResult<MultiRunJobDto>> CreateMultiRunJob(
         var apiUser = HttpContext.GetApiUser();
         var jobOptions = _mapper.Map<MultiRunJobOptions>(dto);
 
+        ValidateGuestLocalFileUsage(apiUser, jobOptions);
+
         var jsonSettings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Auto };
 
         var wrapper = new JobOptionsWrapper { Options = jobOptions };
@@ -343,6 +348,8 @@ public async Task<ActionResult<MultiRunJobDto>> UpdateMultiRunJob(
 
         var jobOptions = _mapper.Map<MultiRunJobOptions>(dto);
 
+        ValidateGuestLocalFileUsage(HttpContext.GetApiUser(), jobOptions);
+
         var jsonSettings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Auto };
 
         var wrapper = new JobOptionsWrapper { Options = jobOptions };
@@ -1071,4 +1078,28 @@ private static JobType GetJobType(Job job) =>
             ProxyCheckJob => JobType.ProxyCheck,
             _ => throw new NotImplementedException()
         };
+
+    private static void ValidateGuestLocalFileUsage(ApiUser apiUser, MultiRunJobOptions jobOptions)
+    {
+        if (apiUser.Role is not UserRole.Guest)
+        {
+            return;
+        }
+
+        if (jobOptions.DataPool is FileDataPoolOptions fileDataPool
+            && !fileDataPool.FileName.IsSubPathOf(Globals.UserDataFolder))
+        {
+            throw new ForbiddenException(
+                ErrorCode.FileOutsideAllowedPath,
+                $"Guest users cannot access files outside of the {Globals.UserDataFolder} folder");
+        }
+
+        if (jobOptions.ProxySources.OfType<FileProxySourceOptions>().Any(ps =>
+                ScriptExtensions.Contains(Path.GetExtension(ps.FileName), StringComparer.OrdinalIgnoreCase)))
+        {
+            throw new ForbiddenException(
+                ErrorCode.ScriptFileNotAllowed,
+                "Guest users cannot use script-based proxy sources");
+        }
+    }
 }
diff --git a/OpenBullet2.Web/Controllers/WordlistController.cs b/OpenBullet2.Web/Controllers/WordlistController.cs
@@ -22,16 +22,14 @@ namespace OpenBullet2.Web.Controllers;
 [TypeFilter<GuestFilter>]
 [ApiVersion("1.0")]
 public class WordlistController(IWordlistRepository wordlistRepo,
-    IConfiguration config,
     IGuestRepository guestRepo, IObjectMapper mapper,
     ILogger<WordlistController> logger) : ApiController
 {
-    private readonly string _baseDir = config.GetSection("Settings")
-            .GetValue<string>("UserDataFolder") ?? "UserData";
     private readonly IGuestRepository _guestRepo = guestRepo;
     private readonly ILogger<WordlistController> _logger = logger;
     private readonly IObjectMapper _mapper = mapper;
     private readonly IWordlistRepository _wordlistRepo = wordlistRepo;
+    private static readonly string[] ScriptExtensions = [".bat", ".ps1", ".sh"];
 
     /// <summary>
     /// Get a wordlist by id.
@@ -114,14 +112,14 @@ public async Task<ActionResult<WordlistDto>> Create(CreateWordlistDto dto,
 
         // If the user is a guest, make sure they are not accessing
         // anything outside the UserData folder.
-        if (apiUser.Role is UserRole.Guest && !dto.FilePath.IsSubPathOf(_baseDir))
+        if (apiUser.Role is UserRole.Guest && !dto.FilePath.IsSubPathOf(Globals.UserDataFolder))
         {
             _logger.LogWarning(
                 "Guest user {Username} tried to access a file outside of the allowed directory while creating a wordlist at {FilePath}",
                 apiUser.Username, dto.FilePath);
 
             throw new ForbiddenException(ErrorCode.FileOutsideAllowedPath,
-                $"Guest users cannot access files outside of the {_baseDir} folder");
+                $"Guest users cannot access files outside of the {Globals.UserDataFolder} folder");
         }
 
         // Make sure the file exists
@@ -171,8 +169,28 @@ public async Task<ActionResult<WordlistDto>> Create(CreateWordlistDto dto,
     [RequestSizeLimit(long.MaxValue)]
     public async Task<ActionResult<WordlistFileDto>> Upload(IFormFile file, CancellationToken cancellationToken)
     {
+        var uploadedFileName = Path.GetFileName(file.FileName);
+
+        if (string.IsNullOrWhiteSpace(uploadedFileName))
+        {
+            throw new BadRequestException(
+                ErrorCode.ValidationError, "The uploaded file name is invalid");
+        }
+
+        if (ScriptExtensions.Contains(Path.GetExtension(uploadedFileName),
+                StringComparer.OrdinalIgnoreCase))
+        {
+            throw new ForbiddenException(
+                ErrorCode.ScriptFileNotAllowed,
+                "Uploading script files as wordlists is not allowed");
+        }
+
+        var safeFileName = FileUtils.ReplaceInvalidFileNameChars(uploadedFileName);
+        var wordlistsDir = Path.Combine(Globals.UserDataFolder, "Wordlists");
+        Directory.CreateDirectory(wordlistsDir);
+
         var path = FileUtils.GetFirstAvailableFileName(
-            Path.Combine(_baseDir, "Wordlists", file.FileName));
+            Path.Combine(wordlistsDir, safeFileName));
 
         await using var fileStream = System.IO.File.OpenWrite(path);
         await file.CopyToAsync(fileStream, cancellationToken);
diff --git a/OpenBullet2.Web/Exceptions/ApiException.cs b/OpenBullet2.Web/Exceptions/ApiException.cs
@@ -104,6 +104,11 @@ public static class ErrorCode
     /// </summary>
     public const string FileOutsideAllowedPath = "FILE_OUTSIDE_ALLOWED_PATH";
 
+    /// <summary>
+    /// Script files are not allowed for this operation.
+    /// </summary>
+    public const string ScriptFileNotAllowed = "SCRIPT_FILE_NOT_ALLOWED";
+
     /// <summary>
     /// Remote resource not found.
     /// </summary>
diff --git a/RuriLib/Models/Proxies/ProxySource/FileProxySource.cs b/RuriLib/Models/Proxies/ProxySource/FileProxySource.cs
@@ -39,6 +39,12 @@ public async override Task<IEnumerable<Proxy>> GetAllAsync(CancellationToken can
         var fileExtension = (Path.GetExtension(FileName) ?? string.Empty).ToLowerInvariant();
         if (fileExtension.Length != 0 && supportedScripts.Contains(fileExtension))
         {
+            if (UserId > 0)
+            {
+                throw new UnauthorizedAccessException(
+                    "Script-based proxy sources are not allowed for guest users");
+            }
+
             var locker = asyncLocker ?? throw new ObjectDisposedException(nameof(FileProxySource));
 
             // The file is a script.
