Skip to content

Commit

Permalink
Merge pull request containers#319 from cgwalters/more-validation
Browse files Browse the repository at this point in the history
More validation
  • Loading branch information
alexlarsson authored Aug 20, 2024
2 parents bbda399 + a6b0a65 commit cf6368c
Show file tree
Hide file tree
Showing 9 changed files with 112 additions and 3 deletions.
1 change: 1 addition & 0 deletions libcomposefs/lcfs-writer-erofs.c
Original file line number Diff line number Diff line change
Expand Up @@ -509,6 +509,7 @@ static void compute_erofs_inode_size(struct lcfs_node_s *node)
compute_erofs_dir_size(node);
} else if (type == S_IFLNK) {
node->erofs_n_blocks = 0;
assert(node->payload);
node->erofs_tailsize = strlen(node->payload);
} else if (type == S_IFREG && file_size > 0) {
if (node->content != NULL) {
Expand Down
10 changes: 10 additions & 0 deletions libcomposefs/lcfs-writer.c
Original file line number Diff line number Diff line change
Expand Up @@ -216,6 +216,16 @@ int lcfs_compute_tree(struct lcfs_ctx_s *ctx, struct lcfs_node_s *root)
node->inode.st_nlink = n_link;
}

// Disallow directory hardlinks; the EROFS generation does
// do this specially for `.` and `..`, but that happens after this.
if (node->link_to != NULL) {
if ((node->inode.st_mode & S_IFMT) == S_IFDIR ||
(node->link_to->inode.st_mode & S_IFMT) == S_IFDIR) {
errno = EINVAL;
return -1;
}
}

/* Canonical order */
if (node->xattrs)
qsort(node->xattrs, node->n_xattrs,
Expand Down
83 changes: 80 additions & 3 deletions rust/composefs/src/dumpfile.rs
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ use std::str::FromStr;

use anyhow::Context;
use anyhow::{anyhow, Result};
use libc::S_IFDIR;

/// https://github.com/torvalds/linux/blob/47ac09b91befbb6a235ab620c32af719f8208399/include/uapi/linux/limits.h#L15
/// This isn't exposed in libc/rustix, and in any case we should be conservative...if this ever
Expand Down Expand Up @@ -167,6 +168,10 @@ fn unescape_to_path(s: &str) -> Result<Cow<Path>> {
if v.is_empty() {
anyhow::bail!("Invalid empty path");
}
let l = v.len();
if l > libc::PATH_MAX as usize {
anyhow::bail!("Path is too long: {l} bytes");
}
Ok(v)
})?;
let r = match v {
Expand All @@ -176,6 +181,42 @@ fn unescape_to_path(s: &str) -> Result<Cow<Path>> {
Ok(r)
}

/// Like [`unescape_to_path`], but also ensures the path is in "canonical"
/// form; this has the same semantics as Rust https://doc.rust-lang.org/std/path/struct.Path.html#method.components
/// which in particular removes `.` and extra `//`.
///
/// We also deny uplinks `..` and empty paths.
fn unescape_to_path_canonical(s: &str) -> Result<Cow<Path>> {
let p = unescape_to_path(s)?;
let mut components = p.components();
let mut r = std::path::PathBuf::new();
let Some(first) = components.next() else {
anyhow::bail!("Invalid empty path");
};
if first != std::path::Component::RootDir {
anyhow::bail!("Invalid non-absolute path");
}
r.push(first);
for component in components {
match component {
// Prefix is a windows thing; I don't think RootDir or CurDir are reachable
// after the first component has been RootDir.
std::path::Component::Prefix(_)
| std::path::Component::RootDir
| std::path::Component::CurDir => {
anyhow::bail!("Internal error in unescape_to_path_canonical");
}
std::path::Component::ParentDir => {
anyhow::bail!("Invalid \"..\" in path");
}
std::path::Component::Normal(_) => {
r.push(component);
}
}
}
Ok(r.into())
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum EscapeMode {
Standard,
Expand Down Expand Up @@ -261,7 +302,7 @@ impl<'p> Entry<'p> {
pub fn parse(s: &'p str) -> Result<Entry<'p>> {
let mut components = s.split(' ');
let mut next = |name: &str| components.next().ok_or_else(|| anyhow!("Missing {name}"));
let path = unescape_to_path(next("path")?)?;
let path = unescape_to_path_canonical(next("path")?)?;
let size = u64::from_str(next("size")?)?;
let modeval = next("mode")?;
let (is_hardlink, mode) = if let Some((_, rest)) = modeval.split_once('@') {
Expand All @@ -279,18 +320,26 @@ impl<'p> Entry<'p> {
let fsverity_digest = optional_str(next("digest")?);
let xattrs = components.map(Xattr::parse).collect::<Result<Vec<_>>>()?;

let ty = libc::S_IFMT & mode;
let item = if is_hardlink {
let target = unescape_to_path(payload.ok_or_else(|| anyhow!("Missing payload"))?)?;
if ty == S_IFDIR {
anyhow::bail!("Invalid hardlinked directory");
}
let target =
unescape_to_path_canonical(payload.ok_or_else(|| anyhow!("Missing payload"))?)?;
Item::Hardlink { target }
} else {
match libc::S_IFMT & mode {
match ty {
libc::S_IFREG => Item::Regular {
size,
nlink,
inline_content: content.map(unescape).transpose()?,
fsverity_digest: fsverity_digest.map(ToOwned::to_owned),
},
libc::S_IFLNK => {
// Note that the target of *symlinks* is not required to be in canonical form,
// as we don't actually traverse those links on our own, and we need to support
// symlinks that e.g. contain `//` or other things.
let target =
unescape_to_path(payload.ok_or_else(|| anyhow!("Missing payload"))?)?;
let targetlen = target.as_os_str().as_bytes().len();
Expand Down Expand Up @@ -469,6 +518,30 @@ mod tests {
#[test]
fn test_unescape_path() {
assert!(unescape_to_path("").is_err());
let mut p = std::iter::repeat('a')
.take(libc::PATH_MAX.try_into().unwrap())
.collect::<String>();
assert!(unescape_to_path(&p).is_ok());
p.push('a');
assert!(unescape_to_path(&p).is_err());
}

#[test]
fn test_unescape_path_canonical() {
assert!(unescape_to_path_canonical("foo").is_err());
assert!(unescape_to_path_canonical("/foo/..").is_err());
assert!(unescape_to_path_canonical("/foo/../blah").is_err());
assert_eq!(
unescape_to_path_canonical("///foo/bar//baz")
.unwrap()
.to_str()
.unwrap(),
"/foo/bar/baz"
);
assert_eq!(
unescape_to_path_canonical("/.").unwrap().to_str().unwrap(),
"/"
);
}

#[test]
Expand Down Expand Up @@ -514,6 +587,10 @@ mod tests {
"long xattr value",
include_str!("../../../tests/assets/should-fail-long-xattr-value.dump"),
),
(
"dir hardlink",
include_str!("../../../tests/assets/should-fail-dir-hardlink.dump"),
),
];
for (name, case) in CASES.iter().copied() {
assert!(
Expand Down
2 changes: 2 additions & 0 deletions tests/assets/should-fail-dir-hardlink.dump
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
/ 4096 40555 2 0 0 0 1633950376.0 - - -
/rootlink 4096 @40555 2 0 0 0 1633950376.0 / - -
2 changes: 2 additions & 0 deletions tests/assets/should-fail-dot-name.dump
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
/ 4096 40555 2 0 0 0 1633950376.0 - - -
/. 4096 40555 2 0 0 0 1633950376.0 - - -
2 changes: 2 additions & 0 deletions tests/assets/should-fail-dotdot-name.dump
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
/ 4096 40555 2 0 0 0 1633950376.0 - - -
/.. 4096 40555 2 0 0 0 1633950376.0 - - -
2 changes: 2 additions & 0 deletions tests/assets/should-fail-empty-link-name.dump
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
/ 4096 40555 2 0 0 0 1633950376.0 - - -
/nolinkname 0 120777 1 0 0 0 0.0 - - -
4 changes: 4 additions & 0 deletions tests/meson.build
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,10 @@ test_assets_should_fail = [
'should-fail-long-xattr-value.dump',
'should-fail-no-ftype.dump',
'should-fail-empty-name.dump',
'should-fail-empty-link-name.dump',
'should-fail-dot-name.dump',
'should-fail-dotdot-name.dump',
'should-fail-dir-hardlink.dump',
]

test_assets = test_assets_small + [
Expand Down
9 changes: 9 additions & 0 deletions tools/mkcomposefs.c
Original file line number Diff line number Diff line change
Expand Up @@ -343,6 +343,9 @@ static char *tree_add_node(dump_info *info, const char *path, struct lcfs_node_s

if (!lcfs_node_dirp(parent))
return make_error("Parent must be a directory for %s", path);
if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
return make_error("Invalid . or .. in path: %s", path);
}

int r = lcfs_node_add_child(parent, node, name);
if (r < 0) {
Expand Down Expand Up @@ -511,6 +514,12 @@ static char *tree_from_dump_line(dump_info *info, const char *line, size_t line_
lcfs_node_set_gid(node, gid);
lcfs_node_set_rdev(node, rdev);
lcfs_node_set_mtime(node, &mtime);
// Validate that symlinks are non-empty
if ((mode & S_IFMT) == S_IFLNK) {
if (payload == NULL) {
return make_error("Invalid empty symlink");
}
}
if (lcfs_node_set_payload(node, payload) < 0)
return make_error("Invalid payload");
if (content) {
Expand Down

0 comments on commit cf6368c

Please sign in to comment.