Merge pull request from GHSA-8459-6rc9-8vf8

NETDEV-4268: Fix octorpki path traversal vulnerability
cloudflare · Feb 14, 2022 · 4e5c4f1 · 4e5c4f1
2 parents f5aeb07 + eb9cc4d
commit 4e5c4f1
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 7 deletions.
diff --git a/cmd/octorpki/octorpki.go b/cmd/octorpki/octorpki.go
@@ -316,8 +316,10 @@ func (s *state) WriteRsyncFileOnDisk(path string, data []byte, withdraw bool) er
 	if err != nil {
 		log.Fatal(err)
 	}
-	// GHSA-cqh2-vc2f-q4fh: Prevent parent directory writes outside of Basepath
-	fPath = strings.ReplaceAll(fPath, "../", "")
+	// GHSA-8459-6rc9-8vf8: Prevent parent directory writes outside of Basepath
+	if strings.Contains(fPath, "../") || strings.Contains(fPath, "..\\") {
+		return fmt.Errorf("Path %q contains illegal path element", fPath)
+	}
 
 	f, err := os.Create(filepath.Join(s.Basepath, fPath))
 	if err != nil {

diff --git a/validator/pki/pki.go b/validator/pki/pki.go
@@ -596,7 +596,10 @@ func (v *Validator) ValidateROA(roa *librpki.RPKIROA) error {
 }
 
 func (v *Validator) AddManifest(pkifile *PKIFile, mft *librpki.RPKIManifest) (bool, []*PKIFile, *Resource, error) {
-	pathCert := ExtractPathManifest(mft)
+	pathCert, err := ExtractPathManifest(mft)
+	if err != nil {
+		return false, nil, nil, fmt.Errorf("ExtractPathManifest failed: %v", err)
+	}
 
 	valid, _, res, err := v.AddCert(mft.Certificate, false)
 	if res == nil {
@@ -751,22 +754,24 @@ func ExtractPathCert(cert *librpki.RPKICertificate) []*PKIFile {
 }
 
 // Returns the list of files from the Manifest
-func ExtractPathManifest(mft *librpki.RPKIManifest) []*PKIFile {
+func ExtractPathManifest(mft *librpki.RPKIManifest) ([]*PKIFile, error) {
 	fileList := make([]*PKIFile, 0)
 	for _, file := range mft.Content.FileList {
 		curFile := file.Name
 		path := string(curFile)
-		// GHSA-cqh2-vc2f-q4fh: Prevent file path references to parent
+		// GHSA-8459-6rc9-8vf8: Prevent file path references to parent
 		// directories.
-		path = strings.ReplaceAll(path, "../", "")
+		if strings.Contains(path, "../") || strings.Contains(path, "..\\") {
+			return nil, fmt.Errorf("Path %q contains illegal path element", path)
+		}
 		item := PKIFile{
 			Type:         DetermineType(path),
 			Path:         path,
 			ManifestHash: file.GetHash(),
 		}
 		fileList = append(fileList, &item)
 	}
-	return fileList
+	return fileList, nil
 }
 
 func (sm *SimpleManager) AddInitial(fileList []*PKIFile) {