Add test for metadata validation
This tests for invalid metadata, missing xa.metadata and mismatched
values in xa.metadata and the real metadata, including the embedded
null leading to the hidden permissions of CVE-2021-43860.
mwleeds authored and alexlarsson committed Jan 12, 2022
1 parent 65cbfac commit 54ec1a482dfc668127eaae57f135e6a8e0bc52da
Showing 3 changed files with 160 additions and 0 deletions.
@@ -37,6 +37,7 @@ TEST_MATRIX_DIST= \
tests/test-http-utils.sh \
tests/test-history.sh \
tests/test-default-remotes.sh \
tests/test-metadata-validation.sh \
tests/test-extensions.sh \
tests/test-oci.sh \
tests/test-override.sh \
@@ -269,6 +269,7 @@ TEST_MATRIX_SOURCE = \
tests/test-history.sh \
tests/test-sideload.sh{user+system} \
tests/test-default-remotes.sh \
tests/test-metadata-validation.sh \
tests/test-extensions.sh \
tests/test-bundle.sh{user+system+system-norevokefs} \
tests/test-oci.sh \
@@ -0,0 +1,158 @@
#!/bin/bash
#
# Copyright (C) 2021 Matthew Leeds <mwleeds@protonmail.com>
#
# SPDX-License-Identifier: LGPL-2.0-or-later

set -euo pipefail

. $(dirname $0)/libtest.sh

echo "1..7"

setup_repo

COUNTER=1

create_app () {
local OPTIONS="$1"
local DIR=`mktemp -d`

mkdir ${DIR}/files
echo $COUNTER > ${DIR}/files/counter
let COUNTER=COUNTER+1

local INVALID=""
if [[ $OPTIONS =~ "invalid" ]]; then
INVALID=invalidkeyfileline
fi
cat > ${DIR}/metadata <<EOF
[Application]
name=org.test.Malicious
runtime=org.test.Platform/${ARCH}/master
$INVALID
[Context]
EOF
if [[ $OPTIONS =~ "mismatch" ]]; then
echo -e "filesystems=host;" >> ${DIR}/metadata
fi
if [[ $OPTIONS =~ "hidden" ]]; then
echo -ne "\0" >> ${DIR}/metadata
echo -e "\nfilesystems=home;" >> ${DIR}/metadata
fi
local XA_METADATA=--add-metadata-string=xa.metadata="$(head -n6 ${DIR}/metadata)"$'\n'
if [[ $OPTIONS =~ "no-xametadata" ]]; then
XA_METADATA="--add-metadata-string=xa.nometadata=1"
fi
ostree commit --repo=repos/test --branch=app/org.test.Malicious/${ARCH}/master ${FL_GPGARGS} "$XA_METADATA" ${DIR}/
if [[ $OPTIONS =~ "no-cache-in-summary" ]]; then
ostree --repo=repos/test ${FL_GPGARGS} summary -u
# force use of legacy summary format
rm -rf repos/test/summary.idx repos/test/summaries
else
update_repo
fi
rm -rf ${DIR}
}

cleanup_repo () {
ostree refs --repo=repos/test --delete app/org.test.Malicious/${ARCH}/master
update_repo
}

create_app "hidden"

if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
assert_not_reached "Should not be able to install app with hidden permissions"
fi

assert_file_has_content install-error-log "not matching expected metadata"

assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active

cleanup_repo

ok "app with hidden permissions can't be installed (CVE-2021-43860)"

create_app no-xametadata

# The install will fail because the metadata in the summary doesn't match the metadata on the commit
# The missing xa.metadata in the commit got turned into "" in the xa.cache
if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
assert_not_reached "Should not be able to install app with missing xa.metadata"
fi

assert_file_has_content install-error-log "not matching expected metadata"

assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active

cleanup_repo

ok "app with no xa.metadata can't be installed"

create_app "no-xametadata no-cache-in-summary"

# The install will fail because there's no metadata in the summary or on the commit
if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
assert_not_reached "Should not be able to install app with missing metadata"
fi
assert_file_has_content install-error-log "No xa.metadata in local commit"

assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active

cleanup_repo

ok "app with no xa.metadata and no metadata in summary can't be installed"

create_app "invalid"

if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
assert_not_reached "Should not be able to install app with invalid metadata"
fi
assert_file_has_content install-error-log "Metadata for .* is invalid"

assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active

cleanup_repo

ok "app with invalid metadata (in summary) can't be installed"

create_app "invalid no-cache-in-summary"

if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
assert_not_reached "Should not be able to install app with invalid metadata"
fi
assert_file_has_content install-error-log "Metadata for .* is invalid"

assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active

cleanup_repo

ok "app with invalid metadata (in commit) can't be installed"

create_app "mismatch no-cache-in-summary"

if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
assert_not_reached "Should not be able to install app with non-matching metadata"
fi
assert_file_has_content install-error-log "Commit metadata for .* not matching expected metadata"

assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active

cleanup_repo

ok "app with mismatched metadata (in commit) can't be installed"

create_app "mismatch"

if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
assert_not_reached "Should not be able to install app with non-matching metadata"
fi
assert_file_has_content install-error-log "Commit metadata for .* not matching expected metadata"

assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active

cleanup_repo

ok "app with mismatched metadata (in summary) can't be installed"
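Review bot: In create_app the xa.metadata string is cut out with `head -n6 ${DIR}/metadata`, so whether the "mismatch" and "hidden" cases really carry different content in xa.metadata and in the committed metadata file depends on the heredoc being exactly six lines long. As rendered on this page the heredoc shows five lines (a blank line may have been lost in rendering), and in any case a later edit to the template would silently change what these cases exercise without any assertion noticing. Capturing the base content before the extra permission lines are appended, e.g. `local BASE; BASE=$(cat ${DIR}/metadata)` right after the heredoc and then `xa.metadata="${BASE}"$'\n'`, removes the magic number and makes the intended difference explicit. Separately, `` local DIR=`mktemp -d` `` hides a mktemp failure from `set -e`; declaring `DIR` and assigning it on separate lines would stop the run at the failing command instead of continuing with an empty `DIR`.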
