Constrain APEX_ASP_CACHE_DIR to a safe base directory#2011
Open
LeSingh1 wants to merge 2 commits into
Open
Conversation
The ASP permutation cache read APEX_ASP_CACHE_DIR directly and used it as the np.save() destination with no validation, so an externally controlled env var could redirect cache writes to an arbitrary writable location (CWE-22/CWE-73), enabling cache poisoning or file overwrite. Resolve the requested cache dir and require it to stay within the default cache base, otherwise warn and fall back to the safe default. Add regression tests covering a rejected traversal attempt and a normal in-base path. Signed-off-by: LeSingh1 <sshaurya914@gmail.com>
for more information, see https://pre-commit.ci
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The ASP permutation cache reads
APEX_ASP_CACHE_DIRand uses it directly as the destination passed tonp.save(), with no validation (apex/contrib/sparsity/permutation_search_kernels/exhaustive_search.py). A caller who controls that environment variable can redirect cache writes outside the intended directory, including via..traversal or an absolute path (CWE-22 / CWE-73), as reported in #1998.Fix
Add
_resolve_cache_dir(), which canonicalizes the requested directory withos.path.realpathand requires it to stay within the default.cachebase (checked viaos.path.commonpath). If the requested path escapes the base, it warns and falls back to the safe default.generate_all_unique_combinationsnow routes through this helper. Stdlib-only, minimal.Testing
apex/contrib/sparsity/test/test_asp_cache_path.py(3 tests): a normal in-base path is used, the helper resolves correctly, and a traversal attempt is rejected./.../evil/...path); with the fix it is blocked.pytest→ 3 passed;ruff checkclean.Fixes #1998