Skip to content
This repository has been archived by the owner on Jan 10, 2023. It is now read-only.

Fix Darion directory traversal vuln #231

Merged
merged 2 commits into from Feb 18, 2019
Merged

Fix Darion directory traversal vuln #231

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b924f4b
Fix Darion directory traversal vuln
sargun Feb 17, 2019
df507f7
Add test for leaked file
sargun Feb 17, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
10 changes: 9 additions & 1 deletion darion/api/handlers.go
View file
Open in desktop
Expand Up @@ -15,6 +15,7 @@ import (
"github.com/Netflix/titus-executor/darion/conf"
"github.com/Netflix/titus-executor/filesystems"
"github.com/Netflix/titus-executor/filesystems/xattr"
securejoin "github.com/cyphar/filepath-securejoin"
log "github.com/sirupsen/logrus"
)

Expand All @@ -39,7 +40,14 @@ func LogHandler(w http.ResponseWriter, r *http.Request) {
}

func logHandler(w http.ResponseWriter, r *http.Request, containerID, fileName string) {
filePath := filepath.Join(conf.ContainersHome, containerID, "logs", fileName)
containerLogsRoot := filepath.Join(conf.ContainersHome, containerID, "logs")
filePath, err := securejoin.SecureJoin(containerLogsRoot, fileName)
log.Infof("Joined log file %s and %s", containerLogsRoot, filePath)
if err != nil {
log.WithError(err).Error("Unable to build secure path")
http.Error(w, "Cannot build log file path: "+err.Error(), 503)
return
}
fout, err := os.Open(filePath) // nolint: gosec
if os.IsNotExist(err) {
err = maybeVirtualFileStdioLogHandler(w, r, containerID, fileName)
Expand Down
9 changes: 9 additions & 0 deletions darion/api/handlers_test.go
View file
Open in desktop
Expand Up @@ -219,6 +219,15 @@ func TestReadLogsMissingContainer(t *testing.T) {
testReadLogs(verifyFun, "/logs/Titus-fake-container-missing?f=missing", t)
}

func TestReadLogsLeakedFile(t *testing.T) {
verifyFun := func(resp *http.Response, t *testing.T) {
if resp.StatusCode != 404 {
t.Fatal("Received non-404 return code: ", resp.StatusCode)
}
}
testReadLogs(verifyFun, "/logs/Titus-fake-container?f=../../leak", t)
}

func verifyHelper(resp *http.Response, t *testing.T) string {
data, err := ioutil.ReadAll(resp.Body)
if err != nil {
Expand Down
1 change: 1 addition & 0 deletions darion/api/testdata/leak
View file
Open in desktop
@@ -0,0 +1 @@
If this file is viewable, it means there is a directory escape vuln.
28 changes: 28 additions & 0 deletions vendor/github.com/cyphar/filepath-securejoin/LICENSE
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

79 changes: 79 additions & 0 deletions vendor/github.com/cyphar/filepath-securejoin/README.md
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions vendor/github.com/cyphar/filepath-securejoin/VERSION
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

134 changes: 134 additions & 0 deletions vendor/github.com/cyphar/filepath-securejoin/join.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions vendor/github.com/cyphar/filepath-securejoin/vendor.conf
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

41 changes: 41 additions & 0 deletions vendor/github.com/cyphar/filepath-securejoin/vfs.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 6 additions & 0 deletions vendor/vendor.json
View file
Open in desktop
Expand Up @@ -336,6 +336,12 @@
"revision": "099530d80109cc4876ac866c38dded19786731d0",
"revisionTime": "2017-04-05T07:26:53Z"
},
{
"checksumSHA1": "Ov+ja3hmONKxbhq9HAgK/vHSi/0=",
"path": "github.com/cyphar/filepath-securejoin",
"revision": "7efe413b52e1bceaaee7efafebe396f9d648f258",
"revisionTime": "2019-02-05T14:40:30Z"
},
{
"checksumSHA1": "CSPbwbyzqA6sfORicn4HFtIhF/c=",
"path": "github.com/davecgh/go-spew/spew",
Expand Down