Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Comparing changes

Choose two branches to see what's changed or to start a new pull request. If you need to, you can also compare across forks.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also compare across forks.
base fork: cloudfoundry-attic/vcap
...
head fork: cloudfoundry-attic/vcap
Checking mergeability… Don't worry, you can still create the pull request.
  • 2 commits
  • 2 files changed
  • 0 commit comments
  • 1 contributor
Commits on Dec 15, 2011
Tal Garfinkel resolve paths given in resource lists and ensure that they do not
reference files outside of the applications directory.

Change-Id: Ic9020b57579a3f55bdecab9d13021495d4eec05a
df09dee
Tal Garfinkel small fix to accomodate symlinked tmp directories.
Change-Id: I5d82e870c362f3e634061b9e1704aaccc65461ef
5d9831a
View
19 cloud_controller/app/models/app_package.rb
@@ -96,8 +96,6 @@ def self.blocking_defer(&blk)
end
end
-private
-
def package_dir
self.class.package_dir
end
@@ -128,6 +126,19 @@ def unpack_upload
working_dir
end
+ # enforce property that any file in resource list must be located in the
+ # apps directory e.g. '../../foo' or a symlink pointing outside working_dir
+ # should raise an exception.
+ def resolve_path(working_dir, tainted_path)
+ expanded_dir = File.realdirpath(working_dir)
+ expanded_path = File.realdirpath(tainted_path, expanded_dir)
+ pattern = "#{expanded_dir}/*"
+ unless File.fnmatch?(pattern, expanded_path)
+ raise ArgumentError, "Resource path sanity check failed #{pattern}:#{expanded_path}!!!!"
+ end
+ expanded_path
+ end
+
# Do resource pool synch, needs to be called with a Fiber context
def synchronize_pool_with(working_dir)
timed_section(CloudController.logger, 'process_app_resources') do
@@ -135,8 +146,8 @@ def synchronize_pool_with(working_dir)
pool = CloudController.resource_pool
pool.add_directory(working_dir)
@resource_descriptors.each do |descriptor|
- target = File.join(working_dir, descriptor[:fn])
- pool.copy(descriptor, target)
+ path = resolve_path(working_dir, descriptor[:fn])
+ pool.copy(descriptor, path)
end
end
end
View
35 cloud_controller/spec/models/app_package_spec.rb
@@ -1,10 +1,45 @@
require 'spec_helper'
+require 'tmpdir'
describe AppPackage do
before :all do
EM.instance_variable_set(:@next_tick_queue, [])
end
+ describe '#resolve_path' do
+ before(:all) do
+ @tmpdir = Dir.mktmpdir
+ @dummy_zip = Tempfile.new('app_package_test')
+ @app_package = AppPackage.new(nil, @dummy_zip)
+ end
+
+ after(:all) do
+ FileUtils.rm_rf @tmpdir
+ end
+
+ it 'should succeed if the given path points to a file in the apps directory' do
+ testpath = File.join(@tmpdir,'testfile')
+ File.new(testpath, 'w+')
+ @app_package.resolve_path(@tmpdir, 'testfile').should == File.realdirpath(testpath)
+ end
+
+ it 'should fail if the given path does not resolve to a file in the applications directory' do
+ expect do
+ @app_package.resolve_path(@tmpdir, '../foo')
+ end.to raise_error(ArgumentError)
+ end
+
+ it 'should fail if the given path contains a symlink that points outside of the applications directory' do
+ Dir.chdir(@tmpdir) {
+ File.symlink('/etc', 'foo')
+ }
+ expect do
+ @app_package.resolve_path(@tmpdir, 'foo/bar')
+ end.to raise_error(ArgumentError)
+ end
+ end
+
+
describe '#unpack_upload' do
it 'should raise an instance of AppPackageError if unzip exits with a nonzero status code' do
invalid_zip = Tempfile.new('app_package_test')

No commit comments for this range

Something went wrong with that request. Please try again.