[SSHD-1324] Rooted file system can leak informations

[gnodet]

• More unix like
• Symlinks improvements

[lgoldstein]

I have not looked yet in depth - at cursory glance, there are some visibility issues. Basically, IMO in any open-source project the overwhelming if not all of the methods/fields/definitions should be public or protected in order to provide users the maximum possible flexibility to override and/or use the code.

[tomaswolf]

It would be extremely helpful to have meaningful commit messages. Just "More unix like" is not helpful. If someone looks at this code a few months or years from now he or she will have no idea what this is about from the git history. There's not even any link to any issue, PR, or mailing list message. In this case I do not expect the commit message to give a full explanation, but brief descriptions should be possible.

At the very least there must be a meaningful summary line so that git log --oneline gives a result that correctly summarizes the scope and topic.

Absent a JIRA or Github issue, a link back to this PR might also helpful.

Something like

RootedFileSystem: more Unix-like path handling

Clean up and fix path checks to be more like in Unix.
Add unit tests for Unix, OSX, and Windows via JimFs.
See also [1].

[1] https://github.com/apache/mina-sshd/pull/362

should be the minimum for the first commit. And likewise for the second commit.

[tomaswolf]

This looks suspicious. In CI, we're on drive D:.

[lgoldstein]

I second that - someone else might run on drive X: or Z: (or any other letter of the alphabet). The code should auto-detect if running on Windows and then also auto detect the drive letter.

[pyckle]

I made the suggested changes here: https://github.com/gnodet/mina-sshd/pull/2/files

[gnodet]

@tomaswolf I plan to squash the commits into a single commit

[tomaswolf]

@gnodet: seems this needs more work. I suggest we publish a 2.10.0 without this change, and do a 2.10.1 once this is ready. I'd really like to have 2.10.0 in Eclipse 2023-06, but to make that work, I'll need a release next week. Otherwise it'll be too late in the Eclipse release process.

[lgoldstein]

I suggest we publish a 2.10.0 without this change, and do a 2.10.1 once this is ready.

I second that...

[07070529]

@gnodet Hi, we see from the NVD that this issue is related to vulnerability CVE-2023-35887 and affect Apache MINA(https://nvd.nist.gov/vuln/detail/CVE-2023-35887).

Then in the content of the reference link (https://lists.apache.org/thread/b9qgtqvhnvgfpn0w1gz918p21p53tqk2), we see:
This issue affects Apache MINA: from 1.0 before 2.10.

Sorry, we're a little confused:

1. The affected software scope is different with the title (Affected versions: Apache MINA SSHD 1.0 before 2.10).
2. We looked for a lot of information, including the Apache MINA community(https://mina.apache.org/mina-project, http://issues.apache.org/jira/browse/DIRMINA), but we didn't see any discussion about whether this issue affected the Apache MINA.

We'd greatly appreciate it if you could give us some advice on whether the CVE-2023-35887 vulnerability affects Apache MINA 2.1.X and 2.2.X?

[gnodet]

We'd greatly appreciate it if you could give us some advice on whether the CVE-2023-35887 vulnerability affects Apache MINA 2.1.X and 2.2.X?

The issue affects the Apache Mina SSHD project, not the Apache Mina library.

[07070529]

Thanks a lot for your reply, and we appreciate your prompt attention to this issue.