
0.3.1

@Abbe98 Abbe98 released this 20 Mar 15:35
· 63 commits to main since this release

Snowman 0.3.1 ⛄

This release is a security release for Snowman, a static site generator for SPARQL backends. It resolves an issue with multipage views which could lead to a malicious actor in control of a SPARQL endpoint, creating files outside of your project directory.

Features and changes 🎈

Breaking changes

You can no longer use the following characters in the variables used to render a multipage view at a given path: ~, /, :, *, ?, ", <, >, |

If such a character is present Snowman will replace it with _.

Security issue explanation

Snowman's multipage views take an argument to decide the path in which to render a file.

 -  output: "prints/{{qid}}.html"

Using versions prior to 0.3.1 one could escape out of the project directory with variable values such as ../.., which would result in Snowman rendering pages outside of the intended directory. This could be used by a malicious actor if they controlled the contents of your SPARQL endpoint.
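As an added illustration of the breaking change and the issue described above (example code, not Snowman's own), the following Go program contrasts the pre-0.3.1 behaviour, where a value returned by the endpoint is substituted straight into the output path, with the 0.3.1 replacement of the forbidden characters by "_"; it also adds a containment check that the notes do not describe. The function names, the site root /srv/site and the hostile sample value are assumptions made for this example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Characters that Snowman 0.3.1 no longer allows in a variable rendered
// into a multipage output path (the list given in these release notes).
const forbidden = `~/:*?"<>|`

// sanitizeValue replaces every forbidden character with "_", as the release
// notes describe. The function name is this example's, not Snowman's.
func sanitizeValue(v string) string {
	return strings.Map(func(r rune) rune {
		if strings.ContainsRune(forbidden, r) {
			return '_'
		}
		return r
	}, v)
}

// unsafeRenderPath mirrors the pre-0.3.1 behaviour: the raw variable value is
// substituted into the "output" pattern and joined onto the site root, so a
// value such as "../.." walks out of the project directory.
func unsafeRenderPath(siteRoot, pattern, qid string) string {
	return filepath.Join(siteRoot, strings.ReplaceAll(pattern, "{{qid}}", qid))
}

// renderPath sanitises the value first and then, as an extra defence-in-depth
// check (this example's addition), refuses any result outside siteRoot.
func renderPath(siteRoot, pattern, qid string) (string, error) {
	rel := strings.ReplaceAll(pattern, "{{qid}}", sanitizeValue(qid))
	full := filepath.Join(siteRoot, rel)
	back, err := filepath.Rel(siteRoot, full)
	if err != nil || back == ".." || strings.HasPrefix(back, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("output path %q escapes site root %q", rel, siteRoot)
	}
	return full, nil
}

func main() {
	// Constructed sample: a hostile value returned by a SPARQL endpoint.
	const hostile = "../../../tmp/evil"
	fmt.Println("pre-0.3.1:", unsafeRenderPath("/srv/site", "prints/{{qid}}.html", hostile))
	safe, err := renderPath("/srv/site", "prints/{{qid}}.html", hostile)
	fmt.Println("0.3.1:    ", safe, err)
}
```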

How to check if you are affected

If you use a SPARQL endpoint whose contents you trust and which hasn't suffered a breach, you should not be affected. It can still be good to verify this using the following steps.

You can find suspicious data by searching the contents of your SPARQL cache files, which Snowman stores in your project directory under .snowman/cache. Search these files for patterns like ../ and inspect the results.

If you have a lot of data in your cache directory, or want to review only the files related to the query used to generate multipage views, you can inspect the content of such files using the Snowman cache command (snowman cache <name-of-query>).

If you are in a temporary or sandboxed environment such as a container, you can build your site as usual and inspect the "Rendered page at" messages, as these display the full path of each rendered file.

Acknowledgments

This issue was discovered and reported by @lucaswerkmeister. ⭐

Installing Snowman 🌨

Download the binary for your OS/architecture, rename it to "snowman", and place it in a directory on your path. Alternatively, place it in your project folder and execute it with the ./ prefix.

We provide binaries for six architectures/operating systems; if none of these are suitable for you, you can build it from source. If you think we should provide pre-built binaries for additional platforms, consider raising an issue.

Roadmap and Snowman 0.4.0 🗺

Snowman 0.4.0 has yet to reach feature freeze.

Snowman 0.4.0 milestone.

Discuss 💬

You can discuss this release or other aspects of Snowman in the forum.