[GeoNetwork-devel] GeoNetwork security risk - resource.get ?

Hi,

recently, I’ve been trying to implement thumbnails into my metadata records, in which I succeeded by inserting path to thumbnail into metadata record, as follows:
<...>...
<gmd:graphicOverview xmlns:srv="http://www.isotc211.org/2005/srv">
    <gmd:MD_BrowseGraphic>
        <gmd:fileName>
            <gco:CharacterString>/ABSOLUTE/PATH/TO/THUMBNAIL.png</gco:CharacterString>
        </gmd:fileName>
        <gmd:fileDescription>
            <gco:CharacterString>thumbnail</gco:CharacterString>
        </gmd:fileDescription>
        <gmd:fileType>
            <gco:CharacterString>png</gco:CharacterString>
        </gmd:fileType>
    </gmd:MD_BrowseGraphic>
</gmd:graphicOverview>
</...>...

GeoNetwork translates this to image url, which looks like:
http://myserver.cz:8080/geonetwork/srv/eng/resources.get?uuid=METADATA_UUID&fname=%2FABSOLUTE%2FPATH%2FTO1%2FTHUMBNAIL.png&access=public

and leads to the image. BUT using the resource.get, I can do something like

http://myserver.cz:8080/geonetwork/srv/eng/resources.get?uuid=METADATA_UUID&fname=%2Fetc%2Fpasswd&access=public
, or
http://server.cz:8080/geonetwork/srv/eng/resources.get?uuid=METADATA_UUID&fname=%2Fopt%2Ftomcat%2Fconf%2Ftomcat-users.xml&access=public

First I get the /etc/passwd and second gets me the user config for Tomcat along with username and password and so on…

Is this really an issue, or am I doing something wrong? Can I somehow restrict access for GeoNetwork?

Thank you

Jaroslav Urik

On Mon, Oct 12, 2015 at 7:55 PM, Jaroslav Urik <jarda.urik@anonymised.com> wrote:

Hi,

First of all: your tomcat should not have privileges to walk around the system. It should be run with a specific user for that Tomcat. Then even if you run insecure webapps, your main system will be safe.

But you are right, that looks like a potential security issue. I will try to fix it today.

Regards,
María.

On Tue, Oct 13, 2015 at 8:39 AM, María Arias de Reyna <delawen@anonymised.com> wrote:

Done:
https://github.com/geonetwork/core-geonetwork/commit/f0287a917cd222da57e9fb9715f9ae11f96aff61

Hi María,

thank you for the quick fix!

I just have one related question - how do I access my resources (thumbnails), if I can’t use absolute path? Is there some variable which I can use in the url (or somewhere else) and point it to “/storage/myData/” and I would just add “data1/thumbnails/thumb1.png” ? I think that the resource.get + uuid points to the data_dir/someID/, but my thumbnails are on different drive accessed via NFS…

Thanks for your help

Jaroslav


On Wed, Oct 14, 2015 at 2:19 PM, Jaroslav Urik <jarda.urik@anonymised.com> wrote:

Hi Jaroslav,

It depends on your environment. If you can, a symbolic link[1] will be the
easiest way to introduce your thumbnails inside the directories GeoNetwork
allows you to get the images from. If that's not possible, I would try to
set up some kind of third party server (independent apache, maybe) and use
the "external" urls instead of the resource.get service.

But I have to warn you that this is not a good way to interact with
GeoNetwork, as it somehow "breaks" the upload images functionality (some
images will be on the GeoNetwork directory, some on your special folders).
Maybe you are looking for some way to get your data directory on an
external file system[2]?

Regards,
María.

[1] https://en.wikipedia.org/wiki/Symbolic_link
[2] http://geonetwork-opensource.org/manuals/2.10.4/eng/users/admin/advanced-configuration/index.html#geonetwork-data-directory

Hi María,

you are right, I also think that the symbolic link would be the best solution - due to time shortage I think it is the quickest option.

But just to be sure - the resource.get points me to the geonetworkDataDir, where I put the link, so the thumbnail address will look like “link2dir/subdir/thumbnail.png” and the url will be something like
http://myserver.cz:8080/geonetwork/srv/eng/resources.get?fname=link2dir%2Fsubdir%2Fthumbnail.png&access=public
?

Thank you very much for your help!

Jaroslav


Hi María,

sorry to bother you again, but I still can’t figure it out… I have been trying to find some location (in GeoNetwork data dir) to insert the symbolic link you mentioned, to access my thumbnails (use the symlink as “root” dir), but without any luck. I need to somehow point to thumbnails stored on NFS through GeoNetwork…
Is this possible via the resource.get? Or is there some other “tool”?

Thanks in advance

Jaroslav


Hi,

Again, it depends on your filesystem structure.

The easiest way is to just replace the data or the metadata_data folders with your own filesystem. But then you need the folder structure that GeoNetwork uses.

If you have a different folder structure, you can try to replicate it with several symbolic links, maybe with a script? So the files are placed where they should.

I guess there is not much I can do on this side of the mailing list to help you here. It is a very customized use case and I don't know how to answer you in a general way.

If you want a solution that is integrated in trunk, it would be a nice addon to improve GeoNetwork so you can define a path for third party images, for example.

Regards,
María.
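An added example illustrating the check this thread is about (it is not GeoNetwork's code and does not reproduce the linked commit): a download service such as resources.get has to canonicalise the caller-supplied fname, symlinks included, and refuse anything that ends up outside the data directory. The scratch directory layout (taken from the metadata_data/12300-12399/12305/public/ structure mentioned in the thread), the link2dir symlink to a fake NFS directory, and the external_roots allow-list are all constructed for the illustration; the allow-list stands in for the "path for third party images" María suggests above and is not a GeoNetwork setting.

```python
"""
Added example (not GeoNetwork's own code): how a download service such as
resources.get should turn a caller-supplied fname into a file on disk.

It builds a scratch data directory in the layout described in the thread
(metadata_data/12300-12399/12305/public/thumbnail.png), a separate "NFS"
directory outside it reached through a symlink, and compares the naive
resolution that hands out /etc/passwd with a hardened one that canonicalises
the path and checks containment.  The external_roots allow-list is an
assumption for illustration, not a GeoNetwork setting.
"""
import os
import tempfile
from pathlib import Path


class Rejected(Exception):
    """Raised when the requested name resolves outside every allowed root."""


def resolve_naive(data_dir: str, fname: str) -> Path:
    """Vulnerable pattern: join and open.  os.path.join throws data_dir away
    when fname is absolute, and '..' components are passed to the OS as-is,
    so fname=/etc/passwd or ../../etc/passwd is served like any thumbnail."""
    return Path(os.path.join(data_dir, fname))


def resolve_contained(data_dir: str, fname: str, external_roots=()) -> Path:
    """Hardened pattern: canonicalise (resolve '..' *and* symlinks) and require
    the result to lie under data_dir or under an explicitly allow-listed root.

    Because symlinks are followed before the check, a link planted inside
    data_dir that points elsewhere (e.g. at an NFS mount) is rejected unless
    its target root is in external_roots.  A purely lexical check would
    accept it; that difference decides whether the symlink workaround
    discussed in the thread works at all.
    """
    if Path(fname).is_absolute():
        raise Rejected(f"absolute fname not allowed: {fname}")
    base = Path(data_dir).resolve()
    target = (base / fname).resolve()
    for root in [base, *(Path(r).resolve() for r in external_roots)]:
        if target == root or root in target.parents:
            return target
    raise Rejected(f"{fname} resolves to {target}, outside every allowed root")


def is_served(data_dir: str, fname: str, external_roots=()) -> bool:
    """True if the hardened resolver would serve fname."""
    try:
        resolve_contained(data_dir, fname, external_roots)
        return True
    except Rejected:
        return False


def build_demo():
    """Construct the scratch layout (every file here is made up for the
    example).  Returns (data_dir, nfs_dir) as strings."""
    root = Path(tempfile.mkdtemp(prefix="gn-resources-get-"))
    data_dir = root / "data"
    nfs_dir = root / "storage" / "myData"
    public = data_dir / "metadata_data" / "12300-12399" / "12305" / "public"
    public.mkdir(parents=True)
    (public / "thumbnail.png").write_bytes(b"\x89PNG local thumbnail")
    nfs_thumbs = nfs_dir / "data1" / "thumbnails"
    nfs_thumbs.mkdir(parents=True)
    (nfs_thumbs / "thumb1.png").write_bytes(b"\x89PNG nfs thumbnail")
    # The symlink workaround from the thread: link2dir inside data_dir -> NFS
    (data_dir / "link2dir").symlink_to(nfs_dir, target_is_directory=True)
    return str(data_dir), str(nfs_dir)


if __name__ == "__main__":
    data_dir, nfs_dir = build_demo()
    print("naive  /etc/passwd ->", resolve_naive(data_dir, "/etc/passwd"))
    for fname, roots in [
        ("metadata_data/12300-12399/12305/public/thumbnail.png", ()),
        ("/etc/passwd", ()),
        ("../../../etc/passwd", ()),
        ("link2dir/data1/thumbnails/thumb1.png", ()),          # symlink escapes
        ("link2dir/data1/thumbnails/thumb1.png", (nfs_dir,)),  # root allow-listed
    ]:
        verdict = "served" if is_served(data_dir, fname, roots) else "REJECTED"
        print(f"{verdict:8} {fname} roots={roots}")
```

The naive join reproduces the behaviour reported in the first message: the absolute fname replaces the data directory entirely. The hardened resolver compares canonical paths, so link2dir/... is refused until /storage/myData is allow-listed; if a server instead only normalises '..' without following links, the same symlink is accepted silently, and so is any other link an uploader manages to plant inside the data directory.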

On Sat, Oct 17, 2015 at 7:16 PM, Jaroslav Urik <jarda.urik@anonymised.com> wrote:
On Wed, Oct 14, 2015 at 2:55 PM Jaroslav Urik <jarda.urik@anonymised.com> wrote:
On Wed, Oct 14, 2015 at 2:27 PM María Arias de Reyna <delawen@anonymised.com> wrote:

Hi María,

thank you, this answer is what I needed (and also was kind of afraid of =).

Since I have different folder structure, I will try to use the symbolic links.

Is it even possible to have such folder structure? From what I have seen, this structure consists of “id”, which is given by geonetwork, eg. for #12305 the structure would be: */data/metadata_data/12300-12399/12305/public/thumbnail.png . So I will try to link the thumbnail.png to /storage/my/thumbnail.png…

Thank you for your help

Jaroslav
