Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix filelib:safe_relative_path/2 #7208

Merged
merged 1 commit into from Jun 19, 2023
Merged

Fix filelib:safe_relative_path/2 #7208

merged 1 commit into from Jun 19, 2023

Conversation

juhlig
Copy link
Contributor

@juhlig juhlig commented May 4, 2023

Fixes #6460.

The function would return a wrong path if the second argument was a link and the path in the first argument would descend and then ascend again to the top level.

The function would also report a path as unsafe by falsely detecting a link loop if a link would target another link, which in turn would target a file of the same name like bar --> foo/bar --> (foo/)foo/bar.

As the link resolving and CWD-breakout and loop detection is pretty tricky, I'm not 100% sure it is correct in every aspect and corner case. Please review carefully.

@github-actions
Copy link
Contributor

github-actions bot commented May 4, 2023
edited

CT Test Results

       2 files       89 suites   40m 3s ⏱️
1 908 tests 1 860 ✔️ 48 💤 0
2 202 runs  2 152 ✔️ 50 💤 0

Results for commit 8e83401.

♻️ This comment has been updated with latest results.

To speed up review, make sure that you have read Contributing to Erlang/OTP and that all checks pass.

See the TESTING and DEVELOPMENT HowTo guides for details about how to run test locally.

Artifacts

// Erlang/OTP Github Action Bot

@bjorng bjorng added the team:VM Assigned to OTP team VM label May 4, 2023
@juhlig
Copy link
Contributor Author

juhlig commented May 5, 2023

It might be worth noting that a path is always reported as unsafe if it contains a link with an absolute target, even if that target is really located under the given Cwd. This behavior is the same as in the current implementation.

@juhlig
Copy link
Contributor Author

juhlig commented May 5, 2023

It may also be worth noting that the given Cwd is not checked in any way, ie assumed to be safe. That means that it may actually contain link loops, without safe_relative_path reporting the fact. Only the given Path is checked.

@juhlig
Copy link
Contributor Author

juhlig commented May 5, 2023

Finally, it may be worth noting that if a call to safe_relative_path reports a given Path as safe (or unsafe for that matter), it is only so at the very moment when a path segment is checked. The actual directory/link structure may change immediately after or even while the path is being checked.

@Maria-12648430
Copy link
Contributor

@rickard-green @bjorng @jhogberg what is the status of this PR, on your side? The issue behind this looks somewhat serious to me, which should be discussed and seen to 😅

@Maria-12648430
Copy link
Contributor

That said, I would suggest as much as the complete removal of the function because, as @juhlig already said, the result is not unconditionally trustworthy on OSes that support symlinks: A path that is reported as safe (or unsafe for that matter) may not be safe (or unsafe) when it is used afterwards, as the filesystem may have changed. Even while it is being checked, actually.

Nevertheless, it carries a strong connotation of "if you just use this function, nothing bad can happen". The alternative is to plaster the documentation with appropriate warnings.

Just my 2ct 😉

@bjorng
Copy link
Contributor

bjorng commented Jun 7, 2023

@Maria-12648430 We intend to review this pull request but haven't gotten to it yet.

bjorng
bjorng reviewed Jun 12, 2023
View reviewed changes
Copy link
Contributor

@bjorng bjorng left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have taken a first look at the code. So far I haven't found any flaws. I will do some more thinking and probably discuss this PR with one or more colleagues.

lib/stdlib/src/filelib.erl Outdated Show resolved Hide resolved
lib/stdlib/test/filelib_SUITE.erl Outdated Show resolved Hide resolved
lib/stdlib/test/filelib_SUITE.erl Outdated Show resolved Hide resolved
@bjorng bjorng changed the base branch from master to maint June 12, 2023 09:44
@juhlig @bjorng
Fix filelib:safe_relative_path/2
8e83401 
The function would return a wrong path if the second argument was a link
and the path in the first argument would descend and then ascend again to
the top level.

The function would also report a path as unsafe by falsely detecting a
link loop if a link would target another link, which in turn would target
a file of the same name like bar --> foo/bar --> (foo/)foo/bar.

Co-authored-by: Björn Gustavsson <bgustavsson@gmail.com>
@juhlig
Copy link
Contributor Author

juhlig commented Jun 14, 2023

@bjorng suggestions applied 👍

@bjorng bjorng added the testing currently being tested, tag is used by OTP internal CI label Jun 16, 2023
@bjorng
Copy link
Contributor

bjorng commented Jun 16, 2023

Thanks! Added to our daily builds.

@bjorng bjorng merged commit de3733e into erlang:maint Jun 19, 2023
15 checks passed
@bjorng
Copy link
Contributor

bjorng commented Jun 19, 2023

Thanks for your pull request.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bjorng bjorng bjorng left review comments

Assignees

@bjorng bjorng

@jhogberg jhogberg

Labels
team:VM Assigned to OTP team VM testing currently being tested, tag is used by OTP internal CI
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

the filelib:safe_relative_path may return wrong result in macos
4 participants
@juhlig @Maria-12648430 @bjorng @jhogberg