
R eplace SecureTemporaryFiles with an EphemeralFile implementation based on ChaCha20 #4369


Closed
wants to merge 4 commits into from
2 changes: 1 addition & 1 deletion .github/workflows/scripts/build_and_install.sh
@@ -8,7 +8,7 @@ cd /build/globaleaks-whistleblowing-software

sudo apt-get -y update

sudo apt-get -y install curl git debhelper devscripts dh-apparmor dh-python python3-all python3-pip python3-setuptools python3-sphinx
sudo apt-get -y install curl git debhelper devscripts dh-apparmor dh-python libfuse2 python3-all python3-pip python3-setuptools python3-sphinx

curl -fsSL https://deb.nodesource.com/setup_lts.x | sudo -E bash -
sudo apt-get update
2 changes: 1 addition & 1 deletion .github/workflows/scripts/run_tests_backend.sh
@@ -15,7 +15,7 @@ setupClient() {

echo "Running setup"
sudo apt-get update
sudo apt-get install -y tor
sudo apt-get install -y libfuse2 tor
npm install -g grunt grunt-cli
pip install coverage

2 changes: 1 addition & 1 deletion .github/workflows/scripts/run_tests_client.sh
@@ -15,7 +15,7 @@ setupClient() {

echo "Running setup"
sudo apt-get update
sudo apt-get install -y tor
sudo apt-get install -y libfuse2 tor
npm install -g grunt grunt-cli
setupBackend
setupClient
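--- a/backend/bin/globaleaks-eph-fs
+++ b/backend/bin/globaleaks-eph-fs
@@ -0,0 +1,6 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+import sys
+from globaleaks.utils.eph_fs import main
+if __name__ == '__main__':
+sys.exit(main())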
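Review bot: The shebang `#!/usr/bin/env python` resolves an unversioned interpreter through PATH, while the build script on this page installs python3-* packages; on a host without a `python` alias this launcher will not start. A fixed interpreter path is also the safer choice for a helper that may be started with elevated privileges. I would write `#!/usr/bin/python3`, or match whatever the other launchers in backend/bin use, which are not shown here. The `# -*- coding: utf-8 -*-` line is redundant on Python 3 and can be dropped.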
6 changes: 2 additions & 4 deletions backend/globaleaks/handlers/base.py
@@ -23,7 +23,7 @@
from globaleaks.utils.ip import check_ip
from globaleaks.utils.log import log
from globaleaks.utils.pgp import PGPContext
from globaleaks.utils.securetempfile import SecureTemporaryFile
from globaleaks.utils.eph_fs import EphemeralFile
from globaleaks.utils.utility import datetime_now

mimetypes.add_type('text/javascript', '.js')
@@ -347,7 +347,7 @@ def process_file_upload(self):
State.RateLimitingTable.check(self.request.path + b'#' + self.request.client_ip.encode(),
State.tenants[1].cache.threshold_attachments_per_hour_per_ip)

self.state.TempUploadFiles[file_id] = SecureTemporaryFile(Settings.tmp_path)
self.state.TempUploadFiles[file_id] = EphemeralFile(Settings.tmp_path)

f = self.state.TempUploadFiles[file_id]

@@ -364,8 +364,6 @@ def process_file_upload(self):
if self.request.args[b'flowChunkNumber'][0] != self.request.args[b'flowTotalChunks'][0]:
return None

f.finalize_write()

mime_type, _ = mimetypes.guess_type(self.request.args[b'flowFilename'][0].decode())
if mime_type is None:
mime_type = 'application/octet-stream'
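Review bot: With `f.finalize_write()` dropped after the last-chunk check in process_file_upload, nothing in this handler marks the upload as sealed any more, so the write-then-read discipline now rests entirely on EphemeralFile, whose implementation is not shown on this page. Since the PR title describes it as ChaCha20-based, please confirm that a retransmitted or late chunk can never be encrypted at an offset already written under the same key and nonce, because keystream reuse reveals the XOR of the two plaintexts to anyone holding both versions of the on-disk file. I would document the contract where the call used to be, e.g. `# EphemeralFile has no finalize step; it is expected to reject writes once opened for reading`, and add a test that asserts it. The same call appears to be removed in get() in handlers/recipient/export.py and in get_dummy_file() in tests/helpers.py; process_file_upload itself starts and ends outside these hunks.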
5 changes: 2 additions & 3 deletions backend/globaleaks/handlers/recipient/export.py
@@ -20,8 +20,8 @@
from globaleaks.rest import errors
from globaleaks.settings import Settings
from globaleaks.utils.crypto import Base64Encoder, GCE
from globaleaks.utils.eph_fs import EphemeralFile
from globaleaks.utils.fs import directory_traversal_check
from globaleaks.utils.securetempfile import SecureTemporaryFile
from globaleaks.utils.templating import Templating
from globaleaks.utils.utility import datetime_now, datetime_null, msdos_encode
from globaleaks.utils.zipstream import ZipStream
@@ -216,12 +216,11 @@ def get(self, itip_id):

zipstream = ZipStream(files)

stf = SecureTemporaryFile(self.state.settings.tmp_path)
stf = EphemeralFile(self.state.settings.tmp_path)

with stf.open('w') as f:
for x in zipstream:
f.write(x)
f.finalize_write()

with stf.open('r') as f:
yield self.write_file_as_download(filename, f, pgp_key)
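Review bot: The local `stf` in get() still abbreviates SecureTemporaryFile, the class this change replaces, which will mislead the next reader about what protects the export while it sits on disk. Renaming it together with its two uses, e.g. `eph_file = EphemeralFile(self.state.settings.tmp_path)` and `with eph_file.open('w') as f:` / `with eph_file.open('r') as f:`, keeps the name honest. get() starts outside this hunk.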
5 changes: 2 additions & 3 deletions backend/globaleaks/tests/helpers.py
@@ -45,7 +45,7 @@
from globaleaks.state import State, TenantState
from globaleaks.utils import tempdict, token
from globaleaks.utils.crypto import generateRandomKey, GCE
from globaleaks.utils.securetempfile import SecureTemporaryFile
from globaleaks.utils.eph_fs import EphemeralFile
from globaleaks.utils.utility import datetime_now, uuid4
from globaleaks.utils.log import log

@@ -432,11 +432,10 @@ def get_dummy_file(content=None):
if content is None:
content = base64.b64decode(VALID_BASE64_IMG)

temporary_file = SecureTemporaryFile(Settings.tmp_path)
temporary_file = EphemeralFile(Settings.tmp_path)

with temporary_file.open('w') as f:
f.write(content)
f.finalize_write()

State.TempUploadFiles[os.path.basename(temporary_file.filepath)] = temporary_file
