[SSHD-1324] Rooted file system can leak information #362

gnodet commented Apr 18, 2023
- More unix like
- Symlinks improvements
I have not looked yet in depth - at a cursory glance, there are some visibility issues. Basically, IMO in any open-source project the overwhelming majority, if not all, of the methods/fields/definitions should be public or protected in order to provide users the maximum possible flexibility to override and/or use the code.
Files with (now outdated, resolved) review comments:

- sshd-common/src/main/java/org/apache/sshd/common/file/root/RootedDirectoryStream.java
- sshd-common/src/main/java/org/apache/sshd/common/file/root/RootedFileSystemUtils.java
- sshd-common/src/main/java/org/apache/sshd/common/file/root/RootedSecureDirectoryStream.java
- sshd-common/src/main/java/org/apache/sshd/common/file/util/BaseFileSystem.java
- sshd-common/src/main/java/org/apache/sshd/common/util/io/IoUtils.java
- sshd-sftp/src/main/java/org/apache/sshd/sftp/server/AbstractSftpSubsystemHelper.java
It would be extremely helpful to have meaningful commit messages. Just "More unix like" is not helpful. If someone looks at this code a few months or years from now he or she will have no idea what this is about from the git history. There's not even any link to any issue, PR, or mailing list message. In this case I do not expect the commit message to give a full explanation, but brief descriptions should be possible. At the very least there must be a meaningful summary line so that

Absent a JIRA or Github issue, a link back to this PR might also be helpful. Something like

should be the minimum for the first commit. And likewise for the second commit.

```java
private Path getTargetFolderOnHostFs(Path targetFolder) {
    return this.hostFilesystem.getSeparator().equals("\\")
            ? this.hostFilesystem.getPath("C:", targetFolder.toString())
```
This looks suspicious. In CI, we're on drive D:.
I second that - someone else might run on drive X: or Z: (or any other letter of the alphabet). The code should auto-detect if running on Windows and then also auto-detect the drive letter.
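One way to write the test helper so that it no longer hard-codes `C:`, as an added example that is not the project's code: the root of the JVM's working directory is taken from the host `FileSystem` itself, which yields `/` on Unix and whatever drive the build runs on (`C:\`, `D:\`, `X:\`) on Windows, so no drive letter is ever assumed. The class name `HostFsTargetResolver`, its constructor and the `hostRoot`/`hostDriveLetter` helpers are assumptions of this example; only the `hostFilesystem` field and the `getTargetFolderOnHostFs` method name mirror the quoted snippet. Name elements are appended one at a time so a path coming from a different `FileSystem` (the rooted one, with `/` separators) is re-expressed with the host separator and cannot carry its own root or a `..` element outside the detected root.

```java
import java.nio.file.FileSystem;
import java.nio.file.FileSystems;
import java.nio.file.Path;
import java.util.Optional;

// Added example (not Apache MINA SSHD code): drive-letter-agnostic version of the
// getTargetFolderOnHostFs helper discussed in the review. Class name, constructor and
// the two detection helpers are assumptions; only hostFilesystem mirrors the snippet.
public class HostFsTargetResolver {
    private final FileSystem hostFilesystem;

    public HostFsTargetResolver(FileSystem hostFilesystem) {
        this.hostFilesystem = hostFilesystem;
    }

    /** True when the host file system uses Windows path conventions (the check the snippet used). */
    public boolean isWindowsHost() {
        return "\\".equals(hostFilesystem.getSeparator());
    }

    /**
     * Root of the current working directory on the host file system:
     * "/" on Unix, or "C:\", "D:\", ... i.e. the drive the JVM was started on, on Windows.
     */
    public Path hostRoot() {
        Path root = hostFilesystem.getPath("").toAbsolutePath().getRoot();
        if (root == null) {
            // An absolute path always has a root; fall back to the first reported root anyway.
            root = hostFilesystem.getRootDirectories().iterator().next();
        }
        return root;
    }

    /** Detected drive letter on Windows (e.g. "D"); empty on other hosts or for UNC roots. */
    public Optional<String> hostDriveLetter() {
        if (!isWindowsHost()) {
            return Optional.empty();
        }
        String root = hostRoot().toString(); // e.g. "D:\"
        return root.length() >= 2 && root.charAt(1) == ':'
                ? Optional.of(String.valueOf(root.charAt(0)))
                : Optional.empty();
    }

    /**
     * Map a target folder (possibly a Path from another FileSystem) onto the host file
     * system below the detected root. Only name elements are copied: a root carried by
     * targetFolder is ignored and "." / ".." elements are dropped, so the result always
     * stays below hostRoot() on the current drive.
     */
    public Path getTargetFolderOnHostFs(Path targetFolder) {
        Path result = hostRoot();
        for (Path name : targetFolder) {
            String n = name.toString();
            if (n.isEmpty() || ".".equals(n) || "..".equals(n)) {
                continue;
            }
            result = result.resolve(n);
        }
        return result;
    }

    public static void main(String[] args) {
        HostFsTargetResolver r = new HostFsTargetResolver(FileSystems.getDefault());
        System.out.println("windows host: " + r.isWindowsHost());
        System.out.println("drive letter: " + r.hostDriveLetter().orElse("(none)"));
        // Constructed sample input: a relative folder as a rooted-FS test would pass it.
        System.out.println(r.getTargetFolderOnHostFs(r.hostFilesystem.getPath("tmp", "sshd-test")));
    }
}
```

Running this on a CI agent whose checkout lives on `D:` prints `D:\tmp\sshd-test`, on a developer machine on `C:` it prints `C:\tmp\sshd-test`, and on Linux `/tmp/sshd-test`; the Windows branch of the original helper is no longer needed because the root is read from the file system rather than assumed.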
I made the suggested changes here: https://github.com/gnodet/mina-sshd/pull/2/files

@tomaswolf I plan to squash the commits into a single commit

@gnodet: seems this needs more work. I suggest we publish a 2.10.0 without this change, and do a 2.10.1 once this is ready. I'd really like to have 2.10.0 in Eclipse 2023-06, but to make that work, I'll need a release next week. Otherwise it'll be too late in the Eclipse release process.
(force-pushed from 3d27135 to 2b13c8a)

I second that...
@gnodet Hi, we see from the NVD that this issue is related to vulnerability CVE-2023-35887 and affects Apache MINA (https://nvd.nist.gov/vuln/detail/CVE-2023-35887). Then in the content of the reference link (https://lists.apache.org/thread/b9qgtqvhnvgfpn0w1gz918p21p53tqk2), we see: Sorry, we're a little confused:
We'd greatly appreciate it if you could give us some advice on whether the CVE-2023-35887 vulnerability affects Apache MINA 2.1.X and 2.2.X?

The issue affects the Apache Mina SSHD project, not the Apache Mina library.

Thanks a lot for your reply, and we appreciate your prompt attention to this issue.