Remove the RANCID migration page

The RANCID migration page could be used by an unauthentcated user to
gain control over the linux user running oxidized-web.
Thank you to Jon O'Reilly and Jamie Riden from NetSPI for discovering
and reporting this security issue!

Author: robertcheramy

CHANGELOG.md

@@ -5,13 +5,20 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ## [Unreleased]
+This release fixes a security issue on the RANCID migration page.
+A non-authenticated user could gain control over the Linux user running
+oxidized-web. The RANCID migration page was already deprecated in version
+0.14.0, so it has been completely removed in this new version.
+Thank you to Jon O'Reilly and Jamie Riden from NetSPI for discovering and
+reporting this security issue!
 
 ### Added
 
 ### Changed
 - Update datatables.net to 2.2.2 and datatables.net-buttons to 3.2.2 (@robertcheramy)
 - remove the RANCID migration page (@robertchreamy)
 - dependency on oxidized 0.31  (@robertchreamy)
+- Update datatables.net to 2.2.1 and datatables.net-buttons to 3.2.1 (@robertcheramy)
 
 ### Fixed
 - #302: group name containing a '/' produced a Sinatra error (@robertcheramy)

lib/oxidized/web/mig.rb

@@ -1,30 +1,3 @@
-// Add a line for a new file to upload
-var add_file_upload = function() {
-  var rancidDbDiv = $("div[id^='rancidDb']:last");
-  var num = parseInt(rancidDbDiv.prop("id").match(/\d+/g)) + 1;
-  rancidDbDiv.clone(true)
-    .prop("id", "rancidDb" + num)
-    .insertAfter(rancidDbDiv);
-  $("input[id^='file']:last")
-    .prop("id", "file" + num)
-    .prop("name", "file" + num)
-    .parents('.input-group')
-    .find(':text')
-    .val('');
-  $("input[id^='group']:last")
-    .prop("id", "group" + num)
-    .prop("name", "group" + num);
-};
-
-var onFileSelected = function() {
-  $(document).on('change', '.btn-file :file', function() {
-    var input = $(this),
-        numFiles = input.get(0).files ? input.get(0).files.length : 1,
-        label = input.val().replace(/\\/g, '/').replace(/.*\//, '');
-    input.trigger('fileSelect', [numFiles, label]);
-  });
-};
-
 var convertTime = function() {
   /* Convert UTC times to local browser times
   *  Requires that the times on the server are UTC
@@ -51,15 +24,6 @@ var convertTime = function() {
 $(function() {
   onFileSelected();
   convertTime();
-  // Add a row to the migration form
-  $("#add").click(function() {
-    add_file_upload();
-  });
-
-  // Updates textbox with filename on fileSelect event
-  $('.btn-file :file').on('fileSelect', function(e, numFiles, label) {
-    $(this).parents('.input-group').find(':text').val(label);
-  });
 
   // Reloads the nodes from a source by calling the /reload.json URI
   $('#reload').click(function() {

lib/oxidized/web/public/scripts/oxidized.js

@@ -20,10 +20,6 @@
               %a.nav-link{class: request.path_info == '/nodes/stats' ? 'active' : '',
                             :'aria-current' => request.path_info == '/nodes/stats' ? 'page' : 'false',
                             href: url_for('/nodes/stats')} Stats
-            %li.nav-item
-              %a.nav-link{class: request.path_info == '/migration' ? 'active' : '',
-                            :'aria-current' => request.path_info == '/migration' ? 'page' : 'false',
-                            href: url_for('/migration')} Migration
           %form.d-flex{role: 'search',
                       action: url_for('/nodes/conf_search'),
                       method: 'post'}

lib/oxidized/web/public/scripts/script-migration.js

@@ -6,7 +6,6 @@
 # rubocop:disable Lint/RedundantRequireStatement
 require 'pp'
 # rubocop:enable Lint/RedundantRequireStatement
-require 'oxidized/web/mig'
 require 'htmlentities'
 require 'charlock_holmes'
 module Oxidized
@@ -136,30 +135,6 @@ class WebApp < Sinatra::Base
         out :node
       end
 
-      # redirect to the web page for rancid - oxidized migration
-      get '/migration' do
-        out :migration
-      end
-
-      # get the files send
-      post '/migration' do
-        number = params[:number].to_i
-        cloginrc_file = params['cloginrc'][:tempfile]
-        path_new_file = params['path_new_file']
-
-        router_db_files = []
-
-        i = 1
-        while i <= number
-          router_db_files.push({ file: params["file#{i}"][:tempfile], group: params["group#{i}"] })
-          i += 1
-        end
-
-        migration = Mig.new(router_db_files, cloginrc_file, path_new_file)
-        migration.go_rancid_migration
-        redirect url_for('//nodes')
-      end
-
       # display the versions of a node
       # URL: /node/version[.json]?node_full=<GroupName/NodeName>
       get '/node/version.?:format?' do