
Commit 54ec1a4

mwleedsalexlarsson
authored andcommitted
Add test for metadata validation
This tests for invalid metadata, missing xa.metadata, and mismatches between xa.metadata and the real metadata, including the embedded NUL byte that leads to the hidden permissions of CVE-2021-43860.
1 parent 65cbfac commit 54ec1a4


3 files changed

+160
-0
lines changed


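--- a/tests/Makefile-test-matrix.am.inc
+++ b/tests/Makefile-test-matrix.am.inc
@@ -37,6 +37,7 @@ TEST_MATRIX_DIST= \
 tests/test-http-utils.sh \
 tests/test-history.sh \
 tests/test-default-remotes.sh \
+tests/test-metadata-validation.sh \
 tests/test-extensions.sh \
 tests/test-oci.sh \
 tests/test-override.sh \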

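--- a/tests/Makefile.am.inc
+++ b/tests/Makefile.am.inc
@@ -269,6 +269,7 @@ TEST_MATRIX_SOURCE = \
 tests/test-history.sh \
 tests/test-sideload.sh{user+system} \
 tests/test-default-remotes.sh \
+tests/test-metadata-validation.sh \
 tests/test-extensions.sh \
 tests/test-bundle.sh{user+system+system-norevokefs} \
 tests/test-oci.sh \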

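--- a/tests/test-metadata-validation.sh
+++ b/tests/test-metadata-validation.sh
@@ -0,0 +1,158 @@
+#!/bin/bash
+#
+# Copyright (C) 2021 Matthew Leeds <mwleeds@protonmail.com>
+#
+# SPDX-License-Identifier: LGPL-2.0-or-later
+
+set -euo pipefail
+
+. $(dirname $0)/libtest.sh
+
+echo "1..7"
+
+setup_repo
+
+COUNTER=1
+
+create_app () {
+local OPTIONS="$1"
+local DIR=`mktemp -d`
+
+mkdir ${DIR}/files
+echo $COUNTER > ${DIR}/files/counter
+let COUNTER=COUNTER+1
+
+local INVALID=""
+if [[ $OPTIONS =~ "invalid" ]]; then
+INVALID=invalidkeyfileline
+fi
+cat > ${DIR}/metadata <<EOF
+[Application]
+name=org.test.Malicious
+runtime=org.test.Platform/${ARCH}/master
+$INVALID
+
+[Context]
+EOF
+if [[ $OPTIONS =~ "mismatch" ]]; then
+echo -e "filesystems=host;" >> ${DIR}/metadata
+fi
+if [[ $OPTIONS =~ "hidden" ]]; then
+echo -ne "\0" >> ${DIR}/metadata
+echo -e "\nfilesystems=home;" >> ${DIR}/metadata
+fi
+local XA_METADATA=--add-metadata-string=xa.metadata="$(head -n6 ${DIR}/metadata)"$'\n'
+if [[ $OPTIONS =~ "no-xametadata" ]]; then
+XA_METADATA="--add-metadata-string=xa.nometadata=1"
+fi
+ostree commit --repo=repos/test --branch=app/org.test.Malicious/${ARCH}/master ${FL_GPGARGS} "$XA_METADATA" ${DIR}/
+if [[ $OPTIONS =~ "no-cache-in-summary" ]]; then
+ostree --repo=repos/test ${FL_GPGARGS} summary -u
+# force use of legacy summary format
+rm -rf repos/test/summary.idx repos/test/summaries
+else
+update_repo
+fi
+rm -rf ${DIR}
+}
+
+cleanup_repo () {
+ostree refs --repo=repos/test --delete app/org.test.Malicious/${ARCH}/master
+update_repo
+}
+
+create_app "hidden"
+
+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
+assert_not_reached "Should not be able to install app with hidden permissions"
+fi
+
+assert_file_has_content install-error-log "not matching expected metadata"
+
+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active
+
+cleanup_repo
+
+ok "app with hidden permissions can't be installed (CVE-2021-43860)"
+
+create_app no-xametadata
+
+# The install will fail because the metadata in the summary doesn't match the metadata on the commit
+# The missing xa.metadata in the commit got turned into "" in the xa.cache
+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
+assert_not_reached "Should not be able to install app with missing xa.metadata"
+fi
+
+assert_file_has_content install-error-log "not matching expected metadata"
+
+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active
+
+cleanup_repo
+
+ok "app with no xa.metadata can't be installed"
+
+create_app "no-xametadata no-cache-in-summary"
+
+# The install will fail because there's no metadata in the summary or on the commit
+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
+assert_not_reached "Should not be able to install app with missing metadata"
+fi
+assert_file_has_content install-error-log "No xa.metadata in local commit"
+
+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active
+
+cleanup_repo
+
+ok "app with no xa.metadata and no metadata in summary can't be installed"
+
+create_app "invalid"
+
+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
+assert_not_reached "Should not be able to install app with invalid metadata"
+fi
+assert_file_has_content install-error-log "Metadata for .* is invalid"
+
+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active
+
+cleanup_repo
+
+ok "app with invalid metadata (in summary) can't be installed"
+
+create_app "invalid no-cache-in-summary"
+
+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
+assert_not_reached "Should not be able to install app with invalid metadata"
+fi
+assert_file_has_content install-error-log "Metadata for .* is invalid"
+
+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active
+
+cleanup_repo
+
+ok "app with invalid metadata (in commit) can't be installed"
+
+create_app "mismatch no-cache-in-summary"
+
+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
+assert_not_reached "Should not be able to install app with non-matching metadata"
+fi
+assert_file_has_content install-error-log "Commit metadata for .* not matching expected metadata"
+
+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active
+
+cleanup_repo
+
+ok "app with mismatched metadata (in commit) can't be installed"
+
+create_app "mismatch"
+
+if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
+assert_not_reached "Should not be able to install app with non-matching metadata"
+fi
+assert_file_has_content install-error-log "Commit metadata for .* not matching expected metadata"
+
+assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active
+
+cleanup_repo
+
+ok "app with mismatched metadata (in summary) can't be installed"
+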
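Review bot: The embedded-NUL regression case for CVE-2021-43860 runs only once, as `create_app "hidden"`, which takes the `update_repo` branch; the `invalid`, `mismatch` and `no-xametadata` cases each also have a `no-cache-in-summary` variant, but the hidden case does not, so the legacy-summary path is never exercised against the hidden `filesystems=home;` line. Adding that variant after the first case, and changing the plan line to `echo "1..8"`, would pin the rejection on both paths. The message asserted in the sketch below is the generic substring the existing hidden case uses and should be confirmed against what that path actually prints. It would also help to put a comment on `head -n6` saying it relies on the heredoc staying six lines long, since that count is what keeps the appended permission lines out of xa.metadata.

```shell
# … unchanged: existing "hidden" case, through its ok line …

create_app "hidden no-cache-in-summary"

if ${FLATPAK} ${U} install -y test-repo org.test.Malicious 2>install-error-log; then
    assert_not_reached "Should not be able to install app with hidden permissions"
fi

# TODO confirm the exact message printed when the summary carries no cache
assert_file_has_content install-error-log "not matching expected metadata"

assert_not_has_dir $FL_DIR/app/org.test.Malicious/current/active

cleanup_repo

ok "app with hidden permissions (in commit) can't be installed (CVE-2021-43860)"
```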
