Add DLL whitelist support for plugins

Emby.Server.Implementations/Library/PathExtensions.cs

@@ -1,6 +1,9 @@
 using System;
 using System.Diagnostics.CodeAnalysis;
+using System.IO;
+using System.Linq;
 using MediaBrowser.Common.Providers;
+using Nikse.SubtitleEdit.Core.Common;
 
 namespace Emby.Server.Implementations.Library
 {
@@ -86,24 +89,8 @@ namespace Emby.Server.Implementations.Library
                 return false;
             }
 
-            char oldDirectorySeparatorChar;
-            char newDirectorySeparatorChar;
-            // True normalization is still not possible https://github.com/dotnet/runtime/issues/2162
-            // The reasoning behind this is that a forward slash likely means it's a Linux path and
-            // so the whole path should be normalized to use / and vice versa for Windows (although Windows doesn't care much).
-            if (newSubPath.Contains('/', StringComparison.Ordinal))
-            {
-                oldDirectorySeparatorChar = '\\';
-                newDirectorySeparatorChar = '/';
-            }
-            else
-            {
-                oldDirectorySeparatorChar = '/';
-                newDirectorySeparatorChar = '\\';
-            }
-
-            path = path.Replace(oldDirectorySeparatorChar, newDirectorySeparatorChar);
-            subPath = subPath.Replace(oldDirectorySeparatorChar, newDirectorySeparatorChar);
+            subPath = subPath.NormalizePath(out var newDirectorySeparatorChar)!;
+            path = path.NormalizePath(newDirectorySeparatorChar)!;
 
             // We have to ensure that the sub path ends with a directory separator otherwise we'll get weird results
             // when the sub path matches a similar but in-complete subpath
@@ -120,12 +107,86 @@ namespace Emby.Server.Implementations.Library
                 return false;
             }
 
-            var newSubPathTrimmed = newSubPath.AsSpan().TrimEnd(newDirectorySeparatorChar);
+            var newSubPathTrimmed = newSubPath.AsSpan().TrimEnd((char)newDirectorySeparatorChar!);
             // Ensure that the path with the old subpath removed starts with a leading dir separator
             int idx = oldSubPathEndsWithSeparator ? subPath.Length - 1 : subPath.Length;
             newPath = string.Concat(newSubPathTrimmed, path.AsSpan(idx));
 
             return true;
         }
+
+        /// <summary>
+        /// Retrieves the full resolved path and normalizes path separators to the <see cref="Path.DirectorySeparatorChar"/>.
+        /// </summary>
+        /// <param name="path">The path to canonicalize.</param>
+        /// <returns>The fully expanded, normalized path.</returns>
+        public static string Canonicalize(this string path)
+        {
+            return Path.GetFullPath(path).NormalizePath()!;
+        }
+
+        /// <summary>
+        /// Normalizes the path's directory separator character to the currently defined <see cref="Path.DirectorySeparatorChar"/>.
+        /// </summary>
+        /// <param name="path">The path to normalize.</param>
+        /// <returns>The normalized path string or <see langword="null"/> if the input path is null or empty.</returns>
+        public static string? NormalizePath(this string? path)
+        {
+            return path.NormalizePath(Path.DirectorySeparatorChar);
+        }
+
+        /// <summary>
+        /// Normalizes the path's directory separator character.
+        /// </summary>
+        /// <param name="path">The path to normalize.</param>
+        /// <param name="separator">The separator character the path now uses or <see langword="null"/>.</param>
+        /// <returns>The normalized path string or <see langword="null"/> if the input path is null or empty.</returns>
+        public static string? NormalizePath(this string? path, out char separator)
+        {
+            if (string.IsNullOrEmpty(path))
+            {
+                separator = default;
+                return path;
+            }
+
+            var newSeparator = '\\';
+
+            // True normalization is still not possible https://github.com/dotnet/runtime/issues/2162
+            // The reasoning behind this is that a forward slash likely means it's a Linux path and
+            // so the whole path should be normalized to use / and vice versa for Windows (although Windows doesn't care much).
+            if (path.Contains('/', StringComparison.Ordinal))
+            {
+                newSeparator = '/';
+            }
+
+            separator = newSeparator;
+
+            return path?.NormalizePath(newSeparator);
+        }
+
+        /// <summary>
+        /// Normalizes the path's directory separator character to the specified character.
+        /// </summary>
+        /// <param name="path">The path to normalize.</param>
+        /// <param name="newSeparator">The replacement directory separator character. Must be a valid directory separator.</param>
+        /// <returns>The normalized path.</returns>
+        /// <exception cref="ArgumentException">Thrown if the new separator character is not a directory separator.</exception>
+        public static string? NormalizePath(this string? path, char newSeparator)
+        {
+            const char Bs = '\\';
+            const char Fs = '/';
+
+            if (!(newSeparator == Bs || newSeparator == Fs))
+            {
+                throw new ArgumentException("The character must be a directory separator.");
+            }
+
+            if (string.IsNullOrEmpty(path))
+            {
+                return path;
+            }
+
+            return newSeparator == Bs ? path?.Replace(Fs, newSeparator) : path?.Replace(Bs, newSeparator);
+        }
     }
 }

Emby.Server.Implementations/Plugins/PluginManager.cs

@@ -1,5 +1,6 @@
 using System;
 using System.Collections.Generic;
+using System.Data;
 using System.Globalization;
 using System.IO;
 using System.Linq;
@@ -9,6 +10,8 @@ using System.Runtime.Loader;
 using System.Text;
 using System.Text.Json;
 using System.Threading.Tasks;
+using Emby.Server.Implementations.Library;
+using Jellyfin.Extensions;
 using Jellyfin.Extensions.Json;
 using Jellyfin.Extensions.Json.Converters;
 using MediaBrowser.Common;
@@ -19,8 +22,11 @@ using MediaBrowser.Model.Configuration;
 using MediaBrowser.Model.IO;
 using MediaBrowser.Model.Plugins;
 using MediaBrowser.Model.Updates;
+using Microsoft.AspNetCore.Mvc.ApplicationParts;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
+using Nikse.SubtitleEdit.Core.Common;
+using SQLitePCL.pretty;
 
 namespace Emby.Server.Implementations.Plugins
 {
@@ -44,7 +50,7 @@ namespace Emby.Server.Implementations.Plugins
         /// <summary>
         /// Initializes a new instance of the <see cref="PluginManager"/> class.
         /// </summary>
-        /// <param name="logger">The <see cref="ILogger"/>.</param>
+        /// <param name="logger">The <see cref="ILogger{PluginManager}"/>.</param>
         /// <param name="appHost">The <see cref="IApplicationHost"/>.</param>
         /// <param name="config">The <see cref="ServerConfiguration"/>.</param>
         /// <param name="pluginsPath">The plugin path.</param>
@@ -424,7 +430,8 @@ namespace Emby.Server.Implementations.Plugins
                 Version = versionInfo.Version,
                 Status = status == PluginStatus.Disabled ? PluginStatus.Disabled : PluginStatus.Active, // Keep disabled state.
                 AutoUpdate = true,
-                ImagePath = imagePath
+                ImagePath = imagePath,
+                Assemblies = versionInfo.Assemblies
             };
 
             return SaveManifest(manifest, path);
@@ -688,7 +695,15 @@ namespace Emby.Server.Implementations.Plugins
                 var entry = versions[x];
                 if (!string.Equals(lastName, entry.Name, StringComparison.OrdinalIgnoreCase))
                 {
-                    entry.DllFiles = Directory.GetFiles(entry.Path, "*.dll", SearchOption.AllDirectories);
+                    if (!TryGetPluginDlls(entry, out var allowedDlls))
+                    {
+                        _logger.LogError("One or more assembly paths was invalid. Marking plugin {Plugin} as \"Malfunctioned\".", entry.Name);
+                        ChangePluginState(entry, PluginStatus.Malfunctioned);
+                        continue;
+                    }
+
+                    entry.DllFiles = allowedDlls;
+
                     if (entry.IsEnabledAndSupported)
                     {
                         lastName = entry.Name;
@@ -734,6 +749,68 @@ namespace Emby.Server.Implementations.Plugins
             return versions.Where(p => p.DllFiles.Count != 0);
         }
 
+        /// <summary>
+        /// Attempts to retrieve valid DLLs from the plugin path. This method will consider the assembly whitelist
+        /// from the manifest.
+        /// </summary>
+        /// <remarks>
+        /// Loading DLLs from externally supplied paths introduces a path traversal risk. This method
+        /// uses a safelisting tactic of considering DLLs from the plugin directory and only using
+        /// the plugin's canonicalized assembly whitelist for comparison. See
+        /// <see href="https://owasp.org/www-community/attacks/Path_Traversal"/> for more details.
+        /// </remarks>
+        /// <param name="plugin">The plugin.</param>
+        /// <param name="whitelistedDlls">The whitelisted DLLs. If the method returns <see langword="false"/>, this will be empty.</param>
+        /// <returns>
+        /// <see langword="true"/> if all assemblies listed in the manifest were available in the plugin directory.
+        /// <see langword="false"/> if any assemblies were invalid or missing from the plugin directory.
+        /// </returns>
+        /// <exception cref="ArgumentNullException">If the <see cref="LocalPlugin"/> is null.</exception>
+        private bool TryGetPluginDlls(LocalPlugin plugin, out IReadOnlyList<string> whitelistedDlls)
+        {
+            _ = plugin ?? throw new ArgumentNullException(nameof(plugin));
+
+            IReadOnlyList<string> pluginDlls = Directory.GetFiles(plugin.Path, "*.dll", SearchOption.AllDirectories);
+
+            whitelistedDlls = Array.Empty<string>();
+            if (pluginDlls.Count > 0 && plugin.Manifest.Assemblies.Count > 0)
+            {
+                _logger.LogInformation("Registering whitelisted assemblies for plugin \"{Plugin}\"...", plugin.Name);
+
+                var canonicalizedPaths = new List<string>();
+                foreach (var path in plugin.Manifest.Assemblies)
+                {
+                    var canonicalized = Path.Combine(plugin.Path, path).Canonicalize();
+
+                    // Ensure we stay in the plugin directory.
+                    if (!canonicalized.StartsWith(plugin.Path.NormalizePath()!, StringComparison.Ordinal))
+                    {
+                        _logger.LogError("Assembly path {Path} is not inside the plugin directory.", path);
+                        return false;
+                    }
+
+                    canonicalizedPaths.Add(canonicalized);
+                }
+
+                var intersected = pluginDlls.Intersect(canonicalizedPaths).ToList();
+
+                if (intersected.Count != canonicalizedPaths.Count)
+                {
+                    _logger.LogError("Plugin {Plugin} contained assembly paths that were not found in the directory.", plugin.Name);
+                    return false;
+                }
+
+                whitelistedDlls = intersected;
+            }
+            else
+            {
+                // No whitelist, default to loading all DLLs in plugin directory.
+                whitelistedDlls = pluginDlls;
+            }
+
+            return true;
+        }
+
         /// <summary>
         /// Changes the status of the other versions of the plugin to "Superceded".
         /// </summary>

MediaBrowser.Common/Plugins/PluginManifest.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Collections.Generic;
 using System.Text.Json.Serialization;
 using MediaBrowser.Model.Plugins;
 
@@ -23,6 +24,7 @@ namespace MediaBrowser.Common.Plugins
             Overview = string.Empty;
             TargetAbi = string.Empty;
             Version = string.Empty;
+            Assemblies = new List<string>();
         }
 
         /// <summary>
@@ -104,5 +106,12 @@ namespace MediaBrowser.Common.Plugins
         /// </summary>
         [JsonPropertyName("imagePath")]
         public string? ImagePath { get; set; }
+
+        /// <summary>
+        /// Gets or sets the collection of assemblies that should be loaded.
+        /// Paths are considered relative to the plugin folder.
+        /// </summary>
+        [JsonPropertyName("assemblies")]
+        public IList<string> Assemblies { get; set; }
     }
 }

MediaBrowser.Model/Updates/VersionInfo.cs

@@ -1,3 +1,5 @@
+using System;
+using System.Collections.Generic;
 using System.Text.Json.Serialization;
 using SysVersion = System.Version;
 
@@ -73,5 +75,11 @@ namespace MediaBrowser.Model.Updates
         /// </summary>
         [JsonPropertyName("repositoryUrl")]
         public string RepositoryUrl { get; set; } = string.Empty;
+
+        /// <summary>
+        /// Gets or sets the assemblies whitelist for this version.
+        /// </summary>
+        [JsonPropertyName("assemblies")]
+        public IList<string> Assemblies { get; set; } = Array.Empty<string>();
     }
 }

tests/Jellyfin.Server.Implementations.Tests/Library/PathExtensionsTests.cs

@@ -1,4 +1,5 @@
 using System;
+using System.IO;
 using Emby.Server.Implementations.Library;
 using Xunit;
 
@@ -73,5 +74,47 @@ namespace Jellyfin.Server.Implementations.Tests.Library
             Assert.False(PathExtensions.TryReplaceSubPath(path, subPath, newSubPath, out var result));
             Assert.Null(result);
         }
+
+        [Theory]
+        [InlineData(null, '/', null)]
+        [InlineData(null, '\\', null)]
+        [InlineData("/home/jeff/myfile.mkv", '\\', "\\home\\jeff\\myfile.mkv")]
+        [InlineData("C:\\Users\\Jeff\\myfile.mkv", '/', "C:/Users/Jeff/myfile.mkv")]
+        [InlineData("\\home/jeff\\myfile.mkv", '\\', "\\home\\jeff\\myfile.mkv")]
+        [InlineData("\\home/jeff\\myfile.mkv", '/', "/home/jeff/myfile.mkv")]
+        [InlineData("", '/', "")]
+        public void NormalizePath_SpecifyingSeparator_Normalizes(string path, char separator, string expectedPath)
+        {
+            Assert.Equal(expectedPath, path.NormalizePath(separator));
+        }
+
+        [Theory]
+        [InlineData("/home/jeff/myfile.mkv")]
+        [InlineData("C:\\Users\\Jeff\\myfile.mkv")]
+        [InlineData("\\home/jeff\\myfile.mkv")]
+        public void NormalizePath_NoArgs_UsesDirectorySeparatorChar(string path)
+        {
+            var separator = Path.DirectorySeparatorChar;
+
+            Assert.Equal(path.Replace('\\', separator).Replace('/', separator), path.NormalizePath());
+        }
+
+        [Theory]
+        [InlineData("/home/jeff/myfile.mkv", '/')]
+        [InlineData("C:\\Users\\Jeff\\myfile.mkv", '\\')]
+        [InlineData("\\home/jeff\\myfile.mkv", '/')]
+        public void NormalizePath_OutVar_Correct(string path, char expectedSeparator)
+        {
+            var result = path.NormalizePath(out var separator);
+
+            Assert.Equal(expectedSeparator, separator);
+            Assert.Equal(path.Replace('\\', separator).Replace('/', separator), result);
+        }
+
+        [Fact]
+        public void NormalizePath_SpecifyInvalidSeparator_ThrowsException()
+        {
+            Assert.Throws<ArgumentException>(() => string.Empty.NormalizePath('a'));
+        }
     }
 }

tests/Jellyfin.Server.Implementations.Tests/Plugins/PluginManagerTests.cs

@@ -1,7 +1,12 @@
 using System;
 using System.IO;
+using System.Text.Json;
+using Emby.Server.Implementations.Library;
 using Emby.Server.Implementations.Plugins;
+using Jellyfin.Extensions.Json;
+using Jellyfin.Extensions.Json.Converters;
 using MediaBrowser.Common.Plugins;
+using MediaBrowser.Model.Plugins;
 using Microsoft.Extensions.Logging.Abstractions;
 using Xunit;
 
@@ -40,6 +45,136 @@ namespace Jellyfin.Server.Implementations.Tests.Plugins
             Assert.Equal(manifest.Status, res.Manifest.Status);
             Assert.Equal(manifest.AutoUpdate, res.Manifest.AutoUpdate);
             Assert.Equal(manifest.ImagePath, res.Manifest.ImagePath);
+            Assert.Equal(manifest.Assemblies, res.Manifest.Assemblies);
+        }
+
+        /// <summary>
+        ///  Tests safe traversal within the plugin directory.
+        /// </summary>
+        /// <param name="dllFile">The safe path to evaluate.</param>
+        [Theory]
+        [InlineData("./some.dll")]
+        [InlineData("some.dll")]
+        [InlineData("sub/path/some.dll")]
+        public void Constructor_DiscoversSafePluginAssembly_Status_Active(string dllFile)
+        {
+            var manifest = new PluginManifest
+            {
+                Id = Guid.NewGuid(),
+                Name = "Safe Assembly",
+                Assemblies = new string[] { dllFile }
+            };
+
+            var filename = Path.GetFileName(dllFile)!;
+            var (tempPath, pluginPath) = GetTestPaths("safe");
+
+            Directory.CreateDirectory(Path.Combine(pluginPath, dllFile.Replace(filename, string.Empty, StringComparison.OrdinalIgnoreCase)));
+            File.Create(Path.Combine(pluginPath, dllFile));
+
+            var options = GetTestSerializerOptions();
+            var data = JsonSerializer.Serialize(manifest, options);
+            var metafilePath = Path.Combine(tempPath, "safe", "meta.json");
+
+            File.WriteAllText(metafilePath, data);
+
+            var pluginManager = new PluginManager(new NullLogger<PluginManager>(), null!, null!, tempPath, new Version(1, 0));
+
+            var res = JsonSerializer.Deserialize<PluginManifest>(File.ReadAllText(metafilePath), options);
+
+            var expectedFullPath = Path.Combine(pluginPath, dllFile).Canonicalize();
+
+            Assert.NotNull(res);
+            Assert.NotEmpty(pluginManager.Plugins);
+            Assert.Equal(PluginStatus.Active, res!.Status);
+            Assert.Equal(expectedFullPath, pluginManager.Plugins[0].DllFiles[0]);
+            Assert.StartsWith(Path.Combine(tempPath, "safe"), expectedFullPath, StringComparison.InvariantCulture);
+        }
+
+        /// <summary>
+        ///  Tests unsafe attempts to traverse to higher directories.
+        /// </summary>
+        /// <remarks>
+        ///  Attempts to load directories outside of the plugin should be
+        ///  constrained. Path traversal, shell expansion, and double encoding
+        ///  can be used to load unintended files.
+        ///  See <see href="https://owasp.org/www-community/attacks/Path_Traversal"/> for more.
+        /// </remarks>
+        /// <param name="unsafePath">The unsafe path to evaluate.</param>
+        [Theory]
+        [InlineData("/some.dll")] // Root path.
+        [InlineData("../some.dll")] // Simple traversal.
+        [InlineData("C:\\some.dll")] // Windows root path.
+        [InlineData("test.txt")] // Not a DLL
+        [InlineData(".././.././../some.dll")] // Traversal with current and parent
+        [InlineData("..\\.\\..\\.\\..\\some.dll")] // Windows traversal with current and parent
+        [InlineData("\\\\network\\resource.dll")] // UNC Path
+        [InlineData("https://jellyfin.org/some.dll")] // URL
+        [InlineData("....//....//some.dll")] // Path replacement risk if a single "../" replacement occurs.
+        [InlineData("~/some.dll")] // Tilde poses a shell expansion risk, but is a valid path character.
+        public void Constructor_DiscoversUnsafePluginAssembly_Status_Malfunctioned(string unsafePath)
+        {
+            var manifest = new PluginManifest
+            {
+                Id = Guid.NewGuid(),
+                Name = "Unsafe Assembly",
+                Assemblies = new string[] { unsafePath }
+            };
+
+            var (tempPath, pluginPath) = GetTestPaths("unsafe");
+
+            Directory.CreateDirectory(pluginPath);
+
+            var files = new string[]
+            {
+                "../other.dll",
+                "some.dll"
+            };
+
+            foreach (var file in files)
+            {
+                File.Create(Path.Combine(pluginPath, file));
+            }
+
+            var options = GetTestSerializerOptions();
+            var data = JsonSerializer.Serialize(manifest, options);
+            var metafilePath = Path.Combine(tempPath, "unsafe", "meta.json");
+
+            File.WriteAllText(metafilePath, data);
+
+            var pluginManager = new PluginManager(new NullLogger<PluginManager>(), null!, null!, tempPath, new Version(1, 0));
+
+            var res = JsonSerializer.Deserialize<PluginManifest>(File.ReadAllText(metafilePath), options);
+
+            Assert.NotNull(res);
+            Assert.Empty(pluginManager.Plugins);
+            Assert.Equal(PluginStatus.Malfunctioned, res!.Status);
+        }
+
+        private JsonSerializerOptions GetTestSerializerOptions()
+        {
+            var options = new JsonSerializerOptions(JsonDefaults.Options)
+            {
+                WriteIndented = true
+            };
+
+            for (var i = 0; i < options.Converters.Count; i++)
+            {
+                // Remove the Guid converter for parity with plugin manager.
+                if (options.Converters[i] is JsonGuidConverter converter)
+                {
+                    options.Converters.Remove(converter);
+                }
+            }
+
+            return options;
+        }
+
+        private (string TempPath, string PluginPath) GetTestPaths(string pluginFolderName)
+        {
+            var tempPath = Path.Combine(_testPathRoot, "plugins-" + Path.GetRandomFileName());
+            var pluginPath = Path.Combine(tempPath, pluginFolderName);
+
+            return (tempPath, pluginPath);
         }
     }
 }

tests/Jellyfin.Server.Implementations.Tests/Test Data/Updates/manifest-stable.json

@@ -13,7 +13,8 @@
                 "targetAbi": "10.6.0.0",
                 "sourceUrl": "https://repo.jellyfin.org/releases/plugin/anime/anime_10.0.0.0.zip",
                 "checksum": "93e969adeba1050423fc8817ed3c36f8",
-                "timestamp": "2020-08-17T01:41:13Z"
+                "timestamp": "2020-08-17T01:41:13Z",
+                "assemblies": [ "Jellyfin.Plugin.Anime.dll" ]
             },
             {
                 "version": "9.0.0.0",
@@ -21,9 +22,10 @@
                 "targetAbi": "10.6.0.0",
                 "sourceUrl": "https://repo.jellyfin.org/releases/plugin/anime/anime_9.0.0.0.zip",
                 "checksum": "9b1cebff835813e15f414f44b40c41c8",
-                "timestamp": "2020-07-20T01:30:16Z"
+                "timestamp": "2020-07-20T01:30:16Z",
+                "assemblies": [ "Jellyfin.Plugin.Anime.dll" ]
             }
-        ]
+        ]        
     },
     {
         "guid": "70b7b43b-471b-4159-b4be-56750c795499",
@@ -681,4 +683,4 @@
             }
         ]
     }
-]
+]

tests/Jellyfin.Server.Implementations.Tests/Updates/InstallationManagerTests.cs

@@ -106,5 +106,19 @@ namespace Jellyfin.Server.Implementations.Tests.Updates
             var ex = await Record.ExceptionAsync(() => _installationManager.InstallPackage(packageInfo, CancellationToken.None)).ConfigureAwait(false);
             Assert.Null(ex);
         }
+
+        [Fact]
+        public async Task InstallPackage_WithAssemblies_Success()
+        {
+            PackageInfo[] packages = await _installationManager.GetPackages(
+                "Jellyfin Stable",
+                "https://repo.jellyfin.org/releases/plugin/manifest-stable.json",
+                false);
+
+            packages = _installationManager.FilterPackages(packages, "Anime").ToArray();
+            Assert.Single(packages);
+            Assert.NotEmpty(packages[0].Versions[0].Assemblies);
+            Assert.Equal("Jellyfin.Plugin.Anime.dll", packages[0].Versions[0].Assemblies[0]);
+        }
     }
 }