mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-11-29 14:41:09 +01:00
Code Issues Projects Releases Wiki Activity

Don't allow parent references in file paths

Browse Source
This commit is contained in:
Jeff Mitchell 2017-05-12 13:52:33 -04:00
parent b8c4c3e26b
commit 3d34c087a1
7 changed files with 60 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
helper/consts/error.go
View File

@ -10,4 +10,7 @@ var (
// ErrStandby is returned if an operation is performed on a standby Vault. // ErrStandby is returned if an operation is performed on a standby Vault.
// No operation is expected to succeed until active. // No operation is expected to succeed until active.
ErrStandby = errors.New("Vault is in standby mode") ErrStandby = errors.New("Vault is in standby mode")
// Used when .. is used in a path
ErrPathContainsParentReferences = errors.New("path cannot contain parent references")
) )

26
physical/file.go
View File

@ -11,6 +11,7 @@ import (
log "github.com/mgutz/logxi/v1" log "github.com/mgutz/logxi/v1"
"github.com/hashicorp/vault/helper/consts"
"github.com/hashicorp/vault/helper/jsonutil" "github.com/hashicorp/vault/helper/jsonutil"
) )
@ -77,6 +78,10 @@ func (b *FileBackend) DeleteInternal(path string) error {
return nil return nil
} }
if err := b.validatePath(path); err != nil {
return err
}
basePath, key := b.expandPath(path) basePath, key := b.expandPath(path)
fullPath := filepath.Join(basePath, key) fullPath := filepath.Join(basePath, key)
@ -138,6 +143,10 @@ func (b *FileBackend) Get(k string) (*Entry, error) {
} }
func (b *FileBackend) GetInternal(k string) (*Entry, error) { func (b *FileBackend) GetInternal(k string) (*Entry, error) {
if err := b.validatePath(k); err != nil {
return nil, err
}
path, key := b.expandPath(k) path, key := b.expandPath(k)
path = filepath.Join(path, key) path = filepath.Join(path, key)
@ -172,6 +181,10 @@ func (b *FileBackend) Put(entry *Entry) error {
} }
func (b *FileBackend) PutInternal(entry *Entry) error { func (b *FileBackend) PutInternal(entry *Entry) error {
if err := b.validatePath(entry.Key); err != nil {
return err
}
path, key := b.expandPath(entry.Key) path, key := b.expandPath(entry.Key)
// Make the parent tree // Make the parent tree
@ -205,6 +218,10 @@ func (b *FileBackend) List(prefix string) ([]string, error) {
} }
func (b *FileBackend) ListInternal(prefix string) ([]string, error) { func (b *FileBackend) ListInternal(prefix string) ([]string, error) {
if err := b.validatePath(prefix); err != nil {
return nil, err
}
path := b.path path := b.path
if prefix != "" { if prefix != "" {
path = filepath.Join(path, prefix) path = filepath.Join(path, prefix)
@ -246,6 +263,15 @@ func (b *FileBackend) expandPath(k string) (string, string) {
return path, "_" + key return path, "_" + key
} }
func (b *FileBackend) validatePath(path string) error {
switch {
case strings.Contains(path, ".."):
return consts.ErrPathContainsParentReferences
}
return nil
}
func (b *TransactionalFileBackend) Transaction(txns []TxnEntry) error { func (b *TransactionalFileBackend) Transaction(txns []TxnEntry) error {
b.permitPool.Acquire() b.permitPool.Acquire()
defer b.permitPool.Release() defer b.permitPool.Release()

9
physical/file_test.go
View File

@ -131,6 +131,15 @@ func TestFileBackend_Base64URLEncoding(t *testing.T) {
} }
} }
func TestFileBackend_ValidatePath(t *testing.T) {
if validatePath("foo/bar/../zip") {
t.Fatal("expected error")
}
if !validatePath("foo/bar/zip") {
t.Fatal("did not expect error")
}
}
func TestFileBackend(t *testing.T) { func TestFileBackend(t *testing.T) {
dir, err := ioutil.TempDir("", "vault") dir, err := ioutil.TempDir("", "vault")
if err != nil { if err != nil {

4
vault/expiration.go
View File

@ -696,6 +696,10 @@ func (m *ExpirationManager) RegisterAuth(source string, auth *logical.Auth) erro
return fmt.Errorf("expiration: cannot register an auth lease with an empty token") return fmt.Errorf("expiration: cannot register an auth lease with an empty token")
} }
if strings.Contains(source, "..") {
return fmt.Errorf("expiration: %s", consts.ErrPathContainsParentReferences)
}
// Create a lease entry // Create a lease entry
le := leaseEntry{ le := leaseEntry{
LeaseID: path.Join(source, m.tokenStore.SaltID(auth.ClientToken)), LeaseID: path.Join(source, m.tokenStore.SaltID(auth.ClientToken)),

5
vault/expiration_test.go
View File

@ -454,6 +454,11 @@ func TestExpiration_RegisterAuth(t *testing.T) {
if err != nil { if err != nil {
t.Fatalf("err: %v", err) t.Fatalf("err: %v", err)
} }
err = exp.RegisterAuth("auth/github/../login", auth)
if err == nil {
t.Fatal("expected error")
}
} }
func TestExpiration_RegisterAuth_NoLease(t *testing.T) { func TestExpiration_RegisterAuth_NoLease(t *testing.T) {

8
vault/plugin_catalog.go
View File

@ -10,6 +10,7 @@ import (
"sync" "sync"
"github.com/hashicorp/vault/helper/builtinplugins" "github.com/hashicorp/vault/helper/builtinplugins"
"github.com/hashicorp/vault/helper/consts"
"github.com/hashicorp/vault/helper/jsonutil" "github.com/hashicorp/vault/helper/jsonutil"
"github.com/hashicorp/vault/helper/pluginutil" "github.com/hashicorp/vault/helper/pluginutil"
"github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical"
@ -84,6 +85,13 @@ func (c *PluginCatalog) Set(name, command string, sha256 []byte) error {
return ErrDirectoryNotConfigured return ErrDirectoryNotConfigured
} }
switch {
case strings.Contains(name, ".."):
fallthrough
case strings.Contains(command, ".."):
return consts.ErrPathContainsParentReferences
}
c.lock.Lock() c.lock.Lock()
defer c.lock.Unlock() defer c.lock.Unlock()

5
vault/token_store.go
View File

@ -14,6 +14,7 @@ import (
"github.com/armon/go-metrics" "github.com/armon/go-metrics"
"github.com/hashicorp/go-multierror" "github.com/hashicorp/go-multierror"
"github.com/hashicorp/go-uuid" "github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/helper/consts"
"github.com/hashicorp/vault/helper/jsonutil" "github.com/hashicorp/vault/helper/jsonutil"
"github.com/hashicorp/vault/helper/locksutil" "github.com/hashicorp/vault/helper/locksutil"
"github.com/hashicorp/vault/helper/parseutil" "github.com/hashicorp/vault/helper/parseutil"
@ -2246,6 +2247,10 @@ func (ts *TokenStore) tokenStoreRoleCreateUpdate(
entry.PathSuffix = data.Get("path_suffix").(string) entry.PathSuffix = data.Get("path_suffix").(string)
} }
if strings.Contains(entry.PathSuffix, "..") {
return logical.ErrorResponse(fmt.Sprintf("error registering path suffix: %s", consts.ErrPathContainsParentReferences)), nil
}
allowedPoliciesStr, ok := data.GetOk("allowed_policies") allowedPoliciesStr, ok := data.GetOk("allowed_policies")
if ok { if ok {
entry.AllowedPolicies = policyutil.SanitizePolicies(strings.Split(allowedPoliciesStr.(string), ","), policyutil.DoNotAddDefaultPolicy) entry.AllowedPolicies = policyutil.SanitizePolicies(strings.Split(allowedPoliciesStr.(string), ","), policyutil.DoNotAddDefaultPolicy)