feat: block out of bounds symlinks (#9738)

[notfromstatefarm]

Signed-off-by: notfromstatefarm 86763948+notfromstatefarm@users.noreply.github.com

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).

Fixes #9738

This PR implements @crenshaw-dev's idea of traversing the repository for symlinks and blocking further processing if any are found to traverse outside of the directory, even if the final target is within it. The check can be disabled via the repo server argument allow-oob-symlinks.

I believe this should cover all our bases since it is implemented inside runRepoOperation. It will print to the console whenever any are found.

I had to change many of the repository tests because they have the root of the mock repo being the root of the Argo repository. This meant that any time it 'fetched' the repository, it was finding the test files I created for the unit tests and thereby failing as it should.

Creating new app:

Refreshing an app that had bad symlinks added to it:

argocd-repo-server time="2022-07-01T03:52:31Z" level=warning msg="repository contains out-of-bounds symlink. repo: https://github.com/notfromstatefarm/argocd-symlink-test.git revision: f9c92205557f4b02e63268d1964e6a0acdb83310 file: badlinksinhere/badlink"

[notfromstatefarm]

Hah. It works SO good, it broke another test because it errored out complaining about the symlinks! Gotta figure out how to fix this..

[codecov]

Codecov Report

Merging #9843 (ae22f98) into master (71c1f54) will decrease coverage by 0.07%.
The diff coverage is 71.15%.

@@            Coverage Diff             @@
##           master    #9843      +/-   ##
==========================================
- Coverage   45.86%   45.78%   -0.08%     
==========================================
  Files         227      227              
  Lines       26862    27005     +143     
==========================================
+ Hits        12320    12364      +44     
- Misses      12862    12954      +92     
- Partials     1680     1687       +7     

Impacted Files	Coverage Δ
util/app/path/path.go	66.66% <57.69%> (-17.95%)	⬇️
reposerver/repository/repository.go	64.30% <84.61%> (+0.51%)	⬆️
cmd/argocd-k8s-auth/commands/aws.go	17.64% <0.00%> (-0.36%)	⬇️
cmd/argocd/commands/admin/settings_rbac.go	23.80% <0.00%> (-0.26%)	⬇️
cmd/argocd/commands/admin/project.go	27.97% <0.00%> (-0.20%)	⬇️
cmd/argocd/commands/cluster.go	8.97% <0.00%> (-0.20%)	⬇️
cmd/argocd/commands/app.go	20.00% <0.00%> (-0.15%)	⬇️
cmd/argocd/commands/admin/app.go	30.37% <0.00%> (-0.13%)	⬇️
cmd/argocd/commands/app_resources.go	8.47% <0.00%> (-0.08%)	⬇️
server/server.go	53.18% <0.00%> (ø)
... and 21 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 71c1f54...ae22f98. Read the comment docs.

[crenshaw-dev]

You gotta quit putting up PRs so fast, I can't review them all! 😆 But for real, thanks for working on this.

Hah. It works SO good, it broke another test because it errored out complaining about the symlinks!

lol, I'm not surprised. Hopefully you were able to sort it.

A bunch of tests use relative paths, when the code really should only accept absolute paths.

[notfromstatefarm]

You gotta quit putting up PRs so fast, I can't review them all! 😆 But for real, thanks for working on this.

Sorry! I saw a low-hanging fruit, had a slow day, and I love security. 😆

lol, I'm not surprised. Hopefully you were able to sort it.

Seems I've broken an E2E test.. Not entirely sure how since I'm not seeing my error. I have absolutely no idea how to dig into that yet but I'll figure it out. Is it OK if I DM you on the CNCF Slack every once in a while for assistance?

[crenshaw-dev]

This is awesome. First pass review finished. :-)

[crenshaw-dev]

Can you add a log.Warn? Out-of-bounds symlinks are suspicious, so it'd be nice to give admins a way to monitor them.

[notfromstatefarm]

The log.Warn is in runRepoOperation 😄

Should I move it to the path function?

[crenshaw-dev]

Is it OK if I DM you on the CNCF Slack every once in a while for assistance?

Sure! Generally I don't have time for support DMs, but I can always make time for contribution DMs. :-)

[notfromstatefarm]

Okay, refactored how the data is returned from the helper by using custom errors that carry the filename. Also added log fields and a repository integration test for out of bounds symlinks (instead of just out-of-bounds values files). Fixed the issue with files that contain ... Lets see if the E2E passes!

[crenshaw-dev]

Hm. Is there an e2e test with a symlink up to the base repo dir?

time="2022-07-01T14:46:38Z" level=error msg="`../../dist/argocd app create test-helm-repo --repo https://localhost:9444/argo-e2e/testdata.git/helm-repo/local --dest-server https://kubernetes.default.svc/ --helm-chart helm --project default --revision 1.0.0 --dest-namespace argocd-e2e--test-helm-repo-lltho --plaintext --server 127.0.0.1:8088 --auth-token *** --insecure` failed exit status 20: time=\"2022-07-01T14:46:38Z\" level=fatal msg=\"rpc error: code = InvalidArgument desc = application spec for test-helm-repo is invalid: InvalidSpecError: Unable to generate manifests in : rpc error: code = Unknown desc = open /tmp/_argocd-repo: permission denied\"" execID=b89db

[notfromstatefarm]

Added another integration test into repository_test.go. Interestingly, I had to make a separate testdata2 directory for it - the other tests would fail as soon as it saw the out-of-bounds symlink in the 'helm chart root' aka testdata. This check is working too well. 😄

[crenshaw-dev]

I'm considering whether we should move the goalposts just a little.

What if, along with preventing the symlink target from being outside the root dir, we prevented any part of the symlink path from ever leaving the root dir. This would prevent an attacker from being able to brute-force (or otherwise guess) the root dir path.

For example, consider this directory structure.

/tmp
  /_argocd-repo
    /{randomized dir name 1}
      secret
    /{randomized dir name 2}
      link (-> ../{randomized dir name 2}/../{randomized dir name 1})

I believe the current check would allow this symlink to pass, because its eventual destination does not lie outside the root dir. But the passing check allows the attacker to confirm that they've correctly guessed some external path. Then the attacker could start working on a different path traversal to get to the now-known external directory.

Granted, all the sensitive paths should be 128 bits of cryptographically secure entropy. But this would be an extra layer of protection in case of a particularly persistent adversary or a CSPRNG flaw.

I think the solution would involve splitting the link path and then reconstructing it, checking for an out-of-bounds error at each step. It would be all string manipulation operations (no filesystem work), so should be reasonably fast.

[crenshaw-dev]

But if we want to save that work for another time, that's understandable. 😆

[notfromstatefarm]

I had to think about this one for a minute, but you're right! Even though the ultimate target can't be outside of the repository, the intermediate directories in the link must exist or it will fail, thus giving a way to determine if a path exists.

You're really good at thinking of these edge cases. 😄

I also seem to have introduced a flaky test.. Charts are switching spots. Bah.

[crenshaw-dev]

You're really good at thinking of these edge cases. 😄

Comes from pondering about 6 CVEs related to path traversal. 😆

I'll take a look at the flaky tests in a bit. Being lazy on the weekend so far and only thinking of ways to make things more difficult rather than more easy. 😉

[notfromstatefarm]

I think this'll do the trick! It now traverses each step of the symlink to make sure it never leaves the bounds of the repo. Still gotta figure out that flaky test, though.

I added a unit test specifically to check this (../badlink3/test.txt) and it works!

[notfromstatefarm]

Okay, flaky test should be fixed. Ran it 100x locally. I think that's everything!

[crenshaw-dev]

I'm going to give this one last pass before smashing merge. But I'm 99.9% sure it's 100% awesome. :-)

Would you kindly add docs/operator-manual/upgrading/2.4-2.5.md and include a note about this change? Ideally the note would explain that we're trying to prevent 1) out-of-bounds symlinks that might be missed by other checks and 2) leaking any information about the presence or absence of files or directories outside the app's repo.

Also feel free to say "naw I'm busy," and I'll add the note later. :-)

[crenshaw-dev]

Down to optional nitpicks. I'm "go" for merge. :-) Going to look for someone to do a second review for good measure.

[pasha-codefresh]

just cosmetic change , i think it would be nice move this block to some dedicate function, so you will not need duplicate it fully in bottom

[crenshaw-dev]

Gonna go ahead and merge this, and @notfromstatefarm can follow up with another PR if this can be DRY'ed out.