pkg/symlink: avoid following out of scope
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
This commit is contained in:
parent
1942888a9f
commit
ffb90589a5
3 changed files with 172 additions and 27 deletions
|
@ -12,6 +12,12 @@ const maxLoopCounter = 100
|
||||||
|
|
||||||
// FollowSymlink will follow an existing link and scope it to the root
|
// FollowSymlink will follow an existing link and scope it to the root
|
||||||
// path provided.
|
// path provided.
|
||||||
|
// The role of this function is to return an absolute path in the root
|
||||||
|
// or normalize to the root if the symlink leads to a path which is
|
||||||
|
// outside of the root.
|
||||||
|
// Errors encountered while attempting to follow the symlink in path
|
||||||
|
// will be reported.
|
||||||
|
// Normalizations to the root don't constitute errors.
|
||||||
func FollowSymlinkInScope(link, root string) (string, error) {
|
func FollowSymlinkInScope(link, root string) (string, error) {
|
||||||
root, err := filepath.Abs(root)
|
root, err := filepath.Abs(root)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -60,25 +66,36 @@ func FollowSymlinkInScope(link, root string) (string, error) {
|
||||||
}
|
}
|
||||||
return "", err
|
return "", err
|
||||||
}
|
}
|
||||||
if stat.Mode()&os.ModeSymlink == os.ModeSymlink {
|
|
||||||
dest, err := os.Readlink(prev)
|
|
||||||
if err != nil {
|
|
||||||
return "", err
|
|
||||||
}
|
|
||||||
|
|
||||||
if path.IsAbs(dest) {
|
// let's break if we're not dealing with a symlink
|
||||||
prev = filepath.Join(root, dest)
|
if stat.Mode()&os.ModeSymlink != os.ModeSymlink {
|
||||||
} else {
|
|
||||||
prev, _ = filepath.Abs(prev)
|
|
||||||
|
|
||||||
if prev = filepath.Join(filepath.Dir(prev), dest); len(prev) < len(root) {
|
|
||||||
prev = filepath.Join(root, filepath.Base(dest))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// process the symlink
|
||||||
|
dest, err := os.Readlink(prev)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
|
||||||
|
if path.IsAbs(dest) {
|
||||||
|
prev = filepath.Join(root, dest)
|
||||||
|
} else {
|
||||||
|
prev, _ = filepath.Abs(prev)
|
||||||
|
|
||||||
|
dir := filepath.Dir(prev)
|
||||||
|
prev = filepath.Join(dir, dest)
|
||||||
|
if dir == root && !strings.HasPrefix(prev, root) {
|
||||||
|
prev = root
|
||||||
|
}
|
||||||
|
if len(prev) < len(root) || (len(prev) == len(root) && prev != root) {
|
||||||
|
prev = filepath.Join(root, filepath.Base(dest))
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if prev == "/" {
|
||||||
|
prev = root
|
||||||
|
}
|
||||||
return prev, nil
|
return prev, nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -46,6 +46,7 @@ func TestFollowSymLinkUnderLinkedDir(t *testing.T) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
|
defer os.RemoveAll(dir)
|
||||||
|
|
||||||
os.Mkdir(filepath.Join(dir, "realdir"), 0700)
|
os.Mkdir(filepath.Join(dir, "realdir"), 0700)
|
||||||
os.Symlink("realdir", filepath.Join(dir, "linkdir"))
|
os.Symlink("realdir", filepath.Join(dir, "linkdir"))
|
||||||
|
@ -97,25 +98,151 @@ func TestFollowSymLinkRelativeLink(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestFollowSymLinkRelativeLinkScope(t *testing.T) {
|
func TestFollowSymLinkRelativeLinkScope(t *testing.T) {
|
||||||
link := "testdata/fs/a/f"
|
// avoid letting symlink f lead us out of the "testdata" scope
|
||||||
|
// we don't normalize because symlink f is in scope and there is no
|
||||||
|
// information leak
|
||||||
|
{
|
||||||
|
link := "testdata/fs/a/f"
|
||||||
|
|
||||||
rewrite, err := FollowSymlinkInScope(link, "testdata")
|
rewrite, err := FollowSymlinkInScope(link, "testdata")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if expected := abs(t, "testdata/test"); expected != rewrite {
|
||||||
|
t.Fatalf("Expected %s got %s", expected, rewrite)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if expected := abs(t, "testdata/test"); expected != rewrite {
|
// avoid letting symlink f lead us out of the "testdata/fs" scope
|
||||||
t.Fatalf("Expected %s got %s", expected, rewrite)
|
// we don't normalize because symlink f is in scope and there is no
|
||||||
|
// information leak
|
||||||
|
{
|
||||||
|
link := "testdata/fs/a/f"
|
||||||
|
|
||||||
|
rewrite, err := FollowSymlinkInScope(link, "testdata/fs")
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if expected := abs(t, "testdata/fs/test"); expected != rewrite {
|
||||||
|
t.Fatalf("Expected %s got %s", expected, rewrite)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
link = "testdata/fs/b/h"
|
// avoid letting symlink g (pointed at by symlink h) take out of scope
|
||||||
|
// TODO: we should probably normalize to scope here because ../[....]/root
|
||||||
|
// is out of scope and we leak information
|
||||||
|
{
|
||||||
|
link := "testdata/fs/b/h"
|
||||||
|
|
||||||
rewrite, err = FollowSymlinkInScope(link, "testdata")
|
rewrite, err := FollowSymlinkInScope(link, "testdata")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if expected := abs(t, "testdata/root"); expected != rewrite {
|
||||||
|
t.Fatalf("Expected %s got %s", expected, rewrite)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if expected := abs(t, "testdata/root"); expected != rewrite {
|
// avoid letting allowing symlink e lead us to ../b
|
||||||
t.Fatalf("Expected %s got %s", expected, rewrite)
|
// normalize to the "testdata/fs/a"
|
||||||
|
{
|
||||||
|
link := "testdata/fs/a/e"
|
||||||
|
|
||||||
|
rewrite, err := FollowSymlinkInScope(link, "testdata/fs/a")
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if expected := abs(t, "testdata/fs/a"); expected != rewrite {
|
||||||
|
t.Fatalf("Expected %s got %s", expected, rewrite)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// avoid letting symlink -> ../directory/file escape from scope
|
||||||
|
// normalize to "testdata/fs/j"
|
||||||
|
{
|
||||||
|
link := "testdata/fs/j/k"
|
||||||
|
|
||||||
|
rewrite, err := FollowSymlinkInScope(link, "testdata/fs/j")
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if expected := abs(t, "testdata/fs/j"); expected != rewrite {
|
||||||
|
t.Fatalf("Expected %s got %s", expected, rewrite)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// make sure we don't allow escaping to /
|
||||||
|
// normalize to dir
|
||||||
|
{
|
||||||
|
dir, err := ioutil.TempDir("", "docker-fs-test")
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
defer os.RemoveAll(dir)
|
||||||
|
|
||||||
|
linkFile := filepath.Join(dir, "foo")
|
||||||
|
os.Mkdir(filepath.Join(dir, ""), 0700)
|
||||||
|
os.Symlink("/", linkFile)
|
||||||
|
|
||||||
|
rewrite, err := FollowSymlinkInScope(linkFile, dir)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if rewrite != dir {
|
||||||
|
t.Fatalf("Expected %s got %s", dir, rewrite)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// make sure we don't allow escaping to /
|
||||||
|
// normalize to dir
|
||||||
|
{
|
||||||
|
dir, err := ioutil.TempDir("", "docker-fs-test")
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
defer os.RemoveAll(dir)
|
||||||
|
|
||||||
|
linkFile := filepath.Join(dir, "foo")
|
||||||
|
os.Mkdir(filepath.Join(dir, ""), 0700)
|
||||||
|
os.Symlink("/../../", linkFile)
|
||||||
|
|
||||||
|
rewrite, err := FollowSymlinkInScope(linkFile, dir)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if rewrite != dir {
|
||||||
|
t.Fatalf("Expected %s got %s", dir, rewrite)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// make sure we stay in scope without leaking information
|
||||||
|
// this also checks for escaping to /
|
||||||
|
// normalize to dir
|
||||||
|
{
|
||||||
|
dir, err := ioutil.TempDir("", "docker-fs-test")
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
defer os.RemoveAll(dir)
|
||||||
|
|
||||||
|
linkFile := filepath.Join(dir, "foo")
|
||||||
|
os.Mkdir(filepath.Join(dir, ""), 0700)
|
||||||
|
os.Symlink("../../", linkFile)
|
||||||
|
|
||||||
|
rewrite, err := FollowSymlinkInScope(linkFile, dir)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if rewrite != dir {
|
||||||
|
t.Fatalf("Expected %s got %s", dir, rewrite)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
1
symlink/testdata/fs/j/k
vendored
Symbolic link
1
symlink/testdata/fs/j/k
vendored
Symbolic link
|
@ -0,0 +1 @@
|
||||||
|
../i/a
|
Loading…
Reference in a new issue