How to Protect Against Django Vulnerabilities Using KubeArmor

Introduction:

Django is a popular Python framework known for its ease of use; it takes care of web development without hassle. Django provides immediate patches once a vulnerability is found for a specific version, and simply upgrading solves the issue. Still, attackers try to exploit the application and misuse its libraries and functions. We'll take a look at a well-known vulnerability in Django whose exploitation can be audited using KubeArmor. Let us analyze the CVE first and then write a policy. To know more about the KubeArmor project, check out the KubeArmor GitHub repository.

CVE Analysis:

Let us look at CVE-2021-31542. This vulnerability is a directory traversal via uploaded files with suitably crafted file names. We will deploy a sample file-upload application and create a policy that audits the vulnerable functions; the goal here is to audit access to the code that implements them.

Deploy the demo application:

Step 1: Clone the repo.

git clone https://github.com/tamilmaran-7/minimal-django-file-upload-example.git

Step 2: Run your application:

cd minimal-django-file-upload-example
cd src/for_django_2-0/myproject   # select the directory for your Django version
python manage.py makemigrations
python manage.py migrate --run-syncdb
python manage.py runserver

Note: the repository contains one directory per Django version; pick the one matching your version and run the commands inside it.

While the server is running you will see something like this in your browser.

I have uploaded some documents, as you can see below.

There is a flaw in MultiPartParser, UploadedFile, and FileField that allows directory traversal via uploaded files. In case you're wondering what these terms are, let's take a closer look at them.

1. MultiPartParser

Parses multipart HTML form content, which supports file uploads.

2. UploadedFile

During file uploads, the actual file data is stored in request.FILES. Each entry in this dictionary is an UploadedFile object or a subclass of it.

3. FileField

It is a file-upload field. Its attribute for setting the upload directory and file name can be set in two ways.

These built-in models, handlers, and parsers are exposed attack surface that adversaries can easily misuse. The main challenge here is to protect the information and to ensure that access to the data stays limited to the developers.
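To make the flaw concrete from the defender's side, here is an added example (not Django's own code, and not part of the original post) of the kind of file-name check the CVE-2021-31542 fix introduced: a name taken from a multipart upload must be a bare file name, with no directory components on either POSIX or Windows conventions. The function and sample names are constructed for illustration.

```python
import os
import posixpath
import ntpath


class SuspiciousFileName(ValueError):
    """Raised when an uploaded file name carries path components."""


def validate_upload_name(name: str) -> str:
    """Return name unchanged if it is a bare file name, else raise.

    Assumption: this mirrors the idea of the CVE-2021-31542 hardening
    (reject anything that is not a plain basename); it is not Django's
    implementation. Both POSIX and Windows separators are checked so a
    Windows-style name cannot slip through on a Linux server.
    """
    if name in ("", ".", ".."):
        raise SuspiciousFileName(f"empty or dot-only file name: {name!r}")
    if "\x00" in name:
        raise SuspiciousFileName("NUL byte in file name")
    # If basename() changes the string under either convention, a directory
    # component (or drive letter) was present.
    if posixpath.basename(name) != name or ntpath.basename(name) != name:
        raise SuspiciousFileName(f"file name contains path components: {name!r}")
    return name


def safe_upload_path(upload_root: str, name: str) -> str:
    """Join the validated name under upload_root and prove it stays inside."""
    clean = validate_upload_name(name)
    root = os.path.abspath(upload_root)
    target = os.path.abspath(os.path.join(root, clean))
    if os.path.commonpath([root, target]) != root:
        raise SuspiciousFileName(f"resolved outside upload root: {target}")
    return target


def classify(names):
    """Map each constructed sample name to 'ok' or 'rejected'."""
    result = {}
    for n in names:
        try:
            validate_upload_name(n)
            result[n] = "ok"
        except SuspiciousFileName:
            result[n] = "rejected"
    return result
```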

Deploying & Creating Policy:

Now we will create a policy, apply it in our cluster, and then check the audit logs.

Step 1: Deploy the multiubuntu pods.

kubectl apply -f https://raw.githubusercontent.com/kubearmor/KubeArmor/main/examples/multiubuntu/multiubuntu-deployment.yaml

namespace/multiubuntu created
deployment.apps/ubuntu-1-deployment created
deployment.apps/ubuntu-2-deployment created
deployment.apps/ubuntu-3-deployment created
deployment.apps/ubuntu-4-deployment created
deployment.apps/ubuntu-5-deployment created

Step 2: Apply the policy.

kubectl apply -f https://raw.githubusercontent.com/tamilmaran-7/django/main/cve-2021-31542.yaml

# KubeArmor is an open source software that enables you to protect your cloud workload at run-time.
# To learn more about KubeArmor visit:
# https://www.accuknox.com/kubearmor/

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-django-cve-2021-31542
  namespace: multiubuntu
spec:
  tags: ["Django", "CVE-2021-31542", "dir traversal", "Django 3.2"]
  message: "Alert! Django package files are accessed"
  selector:
    matchLabels:
      group: group-1
  file:
    severity: 2
    # The three modules named in the advisory. The audit log further down shows
    # Django installed under dist-packages in this pod, so the paths use that location.
    matchPaths:
      - path: /usr/local/lib/python2.7/dist-packages/django/core/files/uploadedfile.py
      - path: /usr/local/lib/python2.7/dist-packages/django/core/files/uploadhandler.py
      - path: /usr/local/lib/python2.7/dist-packages/django/http/multipartparser.py
    # Package directories whose direct contents are audited as well.
    matchDirectories:
      - dir: /usr/local/lib/python2.7/dist-packages/django/
      - dir: /usr/local/lib/python2.7/dist-packages/django/core/
      - dir: /usr/local/lib/python2.7/dist-packages/django/conf/
      - dir: /usr/local/lib/python2.7/dist-packages/
    action: Audit

After applying the policy, get inside the ubuntu-1 pod and run the application there.

Following are the steps to execute the application inside the ubuntu-1 pod.

Step 1: List the pods. Just copy and paste the following command in your terminal.

kubectl get pods -n multiubuntu
NAME                                   READY   STATUS    RESTARTS   AGE
ubuntu-1-deployment-5d6b975744-rjhtr   1/1     Running   0          26h
ubuntu-2-deployment-6c464dc68-wp6wh    1/1     Running   0          26h
ubuntu-3-deployment-7cb8ff55fb-6kscg   1/1     Running   0          26h
ubuntu-4-deployment-666b6dd9-wpsbz     1/1     Running   0          26h
ubuntu-5-deployment-7f746bfc45-6scj7   1/1     Running   0          26h

Step 2: Get into the ubuntu-1 pod. Just copy and paste the following command in your terminal. Note: the pod name may vary.

kubectl exec -n multiubuntu -it ubuntu-1-deployment-5d6b975744-rjhtr -- bash

Step 3: Once you are inside the pod, follow the demo application steps above and run the application.

The modules used by the application, MultiPartParser, UploadedFile, and FileField, are now audited, and the resulting log is shown below. To know more about deployment and about checking logs, go through these links: Check logs, Sample Deployment.

{
  "timestamp": 1640089369,
  "updatedTime": "2021-12-21T12:22:49.017450Z",
  "hostName": "gke-cluster-1-default-pool-bda82183-9v81",
  "namespaceName": "multiubuntu",
  "podName": "ubuntu-1-deployment-5d6b975744-rjhtr",
  "containerID": "cb3aa03d04f43734a8ee0bee8509a104890cbfc74a7a93b0b864445b0da29a72",
  "containerName": "ubuntu-1-container",
  "hostPid": 395255,
  "ppid": 1376,
  "pid": 1378,
  "uid": 0,
  "policyName": "ksp-django-cve-2021-31542",
  "severity": "2",
  "tags": "Django,CVE-2021-31542,dir traversal,Django 3.2",
  "message": "Alert! Django core files are accessed",
  "type": "MatchedPolicy",
  "source": "/usr/bin/python manage.py runserver",
  "operation": "File",
  "resource": "/usr/local/lib/python2.7/dist-packages/django/http/multipartparser.py",
  "data": "syscall=SYS_OPENAT fd=-100 flags=/usr/local/lib/python2.7/dist-packages/django/http/multipartparser.py",
  "action": "Audit",
  "result": "Passed"
}
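An added example (not part of the original post or of KubeArmor) of triaging such alerts: it reads KubeArmor JSON lines in the shape shown above, keeps only MatchedPolicy file events for this policy, counts which Django modules were touched, and flags any reader other than the application process. The alert lines and the expected-source prefix are constructed assumptions.

```python
import json
import os
from collections import Counter

WATCHED_POLICY = "ksp-django-cve-2021-31542"
# Assumption: in this pod only the Django server should read package internals.
EXPECTED_SOURCE_PREFIX = "/usr/bin/python"


def _alert(resource, source="/usr/bin/python manage.py runserver", action="Audit"):
    """Build one constructed alert line in KubeArmor's JSON shape (fields trimmed)."""
    return json.dumps({
        "policyName": WATCHED_POLICY, "type": "MatchedPolicy", "operation": "File",
        "action": action, "podName": "ubuntu-1-deployment-5d6b975744-rjhtr",
        "source": source, "resource": resource,
    })


# Constructed sample feed: two reads by the app, one by a shell utility, one junk line.
SAMPLE_LINES = [
    _alert("/usr/local/lib/python2.7/dist-packages/django/http/multipartparser.py"),
    _alert("/usr/local/lib/python2.7/dist-packages/django/core/files/uploadedfile.py"),
    _alert("/usr/local/lib/python2.7/dist-packages/django/http/multipartparser.py",
           source="/bin/cat"),
    "not json at all",
]


def triage(lines, policy=WATCHED_POLICY):
    """Summarise audit events for one policy.

    Returns the per-module access counts and a list of (pod, source, module)
    tuples for accesses whose source process is not the expected application.
    """
    modules = Counter()
    unexpected = []
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # the stream can carry non-JSON noise; skip it rather than crash
        if ev.get("type") != "MatchedPolicy" or ev.get("policyName") != policy:
            continue
        if ev.get("operation") != "File":
            continue
        module = os.path.basename(ev.get("resource", ""))
        modules[module] += 1
        if not ev.get("source", "").startswith(EXPECTED_SOURCE_PREFIX):
            unexpected.append((ev.get("podName", ""), ev["source"], module))
    return {"modules": dict(modules), "unexpected": unexpected}
```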

Conclusion:

Developers use many functions and libraries to increase their productivity, and there is always a possibility of an exploit in those functions. Monitoring and detection are the best way to check whether there are vulnerabilities and security gaps in your application.

KubeArmor provides a way for you to secure your applications in real time. We maintain a template repository in which we provide security policies for different workloads.

To know more follow the links given below.

KubeArmor website: https://kubearmor.com/

KubeArmor PolicyTemplates: https://github.com/kubearmor/policy-templates
