Merge pull request from GHSA-x3r5-q6mj-m485

sanitize target names and delegate role names
awslabs · Oct 19, 2021 · 1809b9b · 1809b9b
2 parents a9a0f5e + 31ca710
commit 1809b9b
Show file tree

Hide file tree

Showing 61 changed files with 2,418 additions and 346 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/tough-kms/CHANGELOG.md b/tough-kms/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.3.4] - 2021-10-19
+### Changes
+- Update dependencies.
+
 ## [0.3.3] - 2021-09-15
 ### Changes
 - Update dependencies.
@@ -60,6 +64,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Everything!
 
+[0.3.4]: https://github.com/awslabs/tough/compare/tough-kms-v0.3.3...tough-kms-v0.3.4
 [0.3.3]: https://github.com/awslabs/tough/compare/tough-kms-v0.3.2...tough-kms-v0.3.3
 [0.3.2]: https://github.com/awslabs/tough/compare/tough-kms-v0.3.1...tough-kms-v0.3.2
 [0.3.1]: https://github.com/awslabs/tough/compare/tough-kms-v0.3.0...tough-kms-v0.3.1

diff --git a/tough-kms/Cargo.toml b/tough-kms/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "tough-kms"
-version = "0.3.3"
+version = "0.3.4"
 description = "Implements AWS KMS as a key source for TUF signing keys"
 authors = ["Shailesh Gothi <gothisg@amazon.com>"]
 license = "MIT OR Apache-2.0"
@@ -15,7 +15,7 @@ rusoto-native-tls = ["rusoto_core/native-tls", "rusoto_credential", "rusoto_kms/
 rusoto-rustls = ["rusoto_core/rustls", "rusoto_credential", "rusoto_kms/rustls"]
 
 [dependencies]
-tough = { version = "0.11.3", path = "../tough", features = ["http"] }
+tough = { version = "0.12.0", path = "../tough", features = ["http"] }
 ring = { version = "0.16.16", features = ["std"] }
 rusoto_core = { version = "0.47", optional = true, default-features = false }
 rusoto_credential = { version = "0.47", optional = true }

diff --git a/tough-ssm/CHANGELOG.md b/tough-ssm/CHANGELOG.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.6.4] - 2021-10-19
+### Changes
+- Update dependencies.
+
 ## [0.6.3] - 2021-09-15
 ### Changes
 - Update dependencies.
@@ -69,6 +73,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 - Everything!
 
+[0.6.4]: https://github.com/awslabs/tough/compare/tough-ssm-v0.6.3...tough-ssm-v0.6.4
 [0.6.3]: https://github.com/awslabs/tough/compare/tough-ssm-v0.6.2...tough-ssm-v0.6.3
 [0.6.2]: https://github.com/awslabs/tough/compare/tough-ssm-v0.6.1...tough-ssm-v0.6.2
 [0.6.1]: https://github.com/awslabs/tough/compare/tough-ssm-v0.6.0...tough-ssm-v0.6.1

diff --git a/tough-ssm/Cargo.toml b/tough-ssm/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "tough-ssm"
-version = "0.6.3"
+version = "0.6.4"
 description = "Implements AWS SSM as a key source for TUF signing keys"
 authors = ["Zac Mrowicki <mrowicki@amazon.com>"]
 license = "MIT OR Apache-2.0"
@@ -15,7 +15,7 @@ rusoto-native-tls = ["rusoto_core/native-tls", "rusoto_credential", "rusoto_ssm/
 rusoto-rustls = ["rusoto_core/rustls", "rusoto_credential", "rusoto_ssm/rustls"]
 
 [dependencies]
-tough = { version = "0.11.3", path = "../tough", features = ["http"] }
+tough = { version = "0.12.0", path = "../tough", features = ["http"] }
 rusoto_core = { version = "0.47", optional = true, default-features = false }
 rusoto_credential = { version = "0.47", optional = true }
 rusoto_ssm = { version = "0.47", optional = true, default-features = false }

diff --git a/tough/CHANGELOG.md b/tough/CHANGELOG.md
@@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.12.0] - 2021-10-19
+### Breaking Changes
+- Target names are now specified with a struct, `TargetName`, instead of `String`.
+
+### Changes
+- Update dependencies.
+- Fix an issue where delegated role names with path traversal constructs could cause files to be written in unexpected locations.
+- Fix a similar issue with path traversal constructs in target names.
+
 ## [0.11.3] - 2021-09-15
 ### Changes
 - Update dependencies.
@@ -149,7 +158,8 @@ For changes that require modification of calling code see #120 and #121.
 ### Added
 - Everything!
 
-[Unreleased]: https://github.com/awslabs/tough/compare/tough-v0.11.3...HEAD
+[Unreleased]: https://github.com/awslabs/tough/compare/tough-v0.12.0...HEAD
+[0.12.0]: https://github.com/awslabs/tough/compare/tough-v0.11.3...tough-v0.12.0
 [0.11.3]: https://github.com/awslabs/tough/compare/tough-v0.11.2...tough-v0.11.3
 [0.11.2]: https://github.com/awslabs/tough/compare/tough-v0.11.1...tough-v0.11.2
 [0.11.1]: https://github.com/awslabs/tough/compare/tough-v0.11.0...tough-v0.11.1

diff --git a/tough/Cargo.toml b/tough/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "tough"
-version = "0.11.3"
+version = "0.12.0"
 description = "The Update Framework (TUF) repository client"
 authors = ["iliana destroyer of worlds <iweller@amazon.com>"]
 license = "MIT OR Apache-2.0"
@@ -15,7 +15,9 @@ globset = { version = "0.4.8" }
 hex = "0.4.2"
 log = "0.4.8"
 olpc-cjson = { version = "0.1.0", path = "../olpc-cjson" }
+path-absolutize = "3"
 pem = "1.0.0"
+percent-encoding = "2"
 reqwest = { version = "0.11.1", optional = true, default-features = false, features = ["blocking"] }
 ring = { version = "0.16.16", features = ["std"] }
 serde = { version = "1.0.125", features = ["derive"] }
@@ -30,6 +32,7 @@ walkdir = "2.3.2"
 [dev-dependencies]
 hex-literal = "0.3.3"
 httptest = "0.15"
+maplit = "1.0.1"
 
 [features]
 http = ["reqwest"]

diff --git a/tough/src/cache.rs b/tough/src/cache.rs
@@ -1,9 +1,8 @@
 use crate::error::{self, Result};
 use crate::fetch::{fetch_max_size, fetch_sha256};
 use crate::schema::{RoleType, Target};
-use crate::Repository;
+use crate::{encode_filename, Prefix, Repository, TargetName};
 use snafu::{OptionExt, ResultExt};
-use std::fs::OpenOptions;
 use std::io::{Read, Write};
 use std::path::Path;
 
@@ -38,8 +37,9 @@ impl Repository {
 
         // Fetch targets and save them to the outdir
         if let Some(target_list) = targets_subset {
-            for target_name in target_list.iter() {
-                self.cache_target(&targets_outdir, target_name.as_ref())?;
+            for raw_name in target_list.iter() {
+                let target_name = TargetName::new(raw_name.as_ref())?;
+                self.cache_target(&targets_outdir, &target_name)?;
             }
         } else {
             let targets = &self.targets.signed.targets_map();
@@ -162,10 +162,10 @@ impl Repository {
                     .meta
                     .get(&format!("{}.json", name))?
                     .version,
-                name
+                encode_filename(name)
             ))
         } else {
-            Some(format!("{}.json", name))
+            Some(format!("{}.json", encode_filename(name)))
         }
     }
 
@@ -203,24 +203,16 @@ impl Repository {
 
     /// Saves a signed target to the specified `outdir`. Retains the digest-prepended filename if
     /// consistent snapshots are used.
-    fn cache_target<P: AsRef<Path>>(&self, outdir: P, name: &str) -> Result<()> {
-        let t = self
-            .targets
-            .signed
-            .find_target(name)
-            .context(error::CacheTargetMissing {
-                target_name: name.to_owned(),
-            })?;
-        let (sha, filename) = self.target_digest_and_filename(t, name);
-        let mut reader = self.fetch_target(t, &sha, filename.as_str())?;
-        let path = outdir.as_ref().join(filename);
-        let mut f = OpenOptions::new()
-            .write(true)
-            .create(true)
-            .open(&path)
-            .context(error::CacheTargetWrite { path: path.clone() })?;
-        let _ = std::io::copy(&mut reader, &mut f).context(error::CacheTargetWrite { path })?;
-        Ok(())
+    fn cache_target<P: AsRef<Path>>(&self, outdir: P, name: &TargetName) -> Result<()> {
+        self.save_target(
+            name,
+            outdir,
+            if self.consistent_snapshot {
+                Prefix::Digest
+            } else {
+                Prefix::None
+            },
+        )
     }
 
     /// Gets the max size of the snapshot.json file as specified by the timestamp file.
@@ -242,13 +234,16 @@ impl Repository {
     pub(crate) fn target_digest_and_filename(
         &self,
         target: &Target,
-        name: &str,
+        name: &TargetName,
     ) -> (Vec<u8>, String) {
         let sha256 = &target.hashes.sha256.clone().into_vec();
         if self.consistent_snapshot {
-            (sha256.clone(), format!("{}.{}", hex::encode(sha256), name))
+            (
+                sha256.clone(),
+                format!("{}.{}", hex::encode(sha256), name.resolved()),
+            )
         } else {
-            (sha256.clone(), name.to_owned())
+            (sha256.clone(), name.resolved().to_owned())
         }
     }