Block symlink dir traversal for /static

This is in line with how it behaved before, but it was lifted a little for the project mount for Hugo Modules, but that could create hard-to-detect loops.
gohugoio · Jul 25, 2019 · e5f2299 · e5f2299
1 parent 87a0728
commit e5f2299
Show file tree

Hide file tree

Showing 24 changed files with 320 additions and 130 deletions.
diff --git a/cache/filecache/filecache_test.go b/cache/filecache/filecache_test.go
@@ -292,7 +292,7 @@ func newPathsSpec(t *testing.T, fs afero.Fs, configStr string) *helpers.PathSpec
 	cfg, err := config.FromConfigString(configStr, "toml")
 	assert.NoError(err)
 	initConfig(fs, cfg)
-	p, err := helpers.NewPathSpec(hugofs.NewFrom(fs, cfg), cfg)
+	p, err := helpers.NewPathSpec(hugofs.NewFrom(fs, cfg), cfg, nil)
 	assert.NoError(err)
 	return p
 

diff --git a/deps/deps.go b/deps/deps.go
@@ -207,7 +207,7 @@ func New(cfg DepsCfg) (*Deps, error) {
 		cfg.OutputFormats = output.DefaultFormats
 	}
 
-	ps, err := helpers.NewPathSpec(fs, cfg.Language)
+	ps, err := helpers.NewPathSpec(fs, cfg.Language, logger)
 
 	if err != nil {
 		return nil, errors.Wrap(err, "create PathSpec")
@@ -272,7 +272,7 @@ func (d Deps) ForLanguage(cfg DepsCfg, onCreated func(d *Deps) error) (*Deps, er
 	l := cfg.Language
 	var err error
 
-	d.PathSpec, err = helpers.NewPathSpecWithBaseBaseFsProvided(d.Fs, l, d.BaseFs)
+	d.PathSpec, err = helpers.NewPathSpecWithBaseBaseFsProvided(d.Fs, l, d.Log, d.BaseFs)
 	if err != nil {
 		return nil, err
 	}

diff --git a/helpers/path_test.go b/helpers/path_test.go
@@ -60,7 +60,7 @@ func TestMakePath(t *testing.T) {
 		v.Set("removePathAccents", test.removeAccents)
 
 		l := langs.NewDefaultLanguage(v)
-		p, err := NewPathSpec(hugofs.NewMem(v), l)
+		p, err := NewPathSpec(hugofs.NewMem(v), l, nil)
 		require.NoError(t, err)
 
 		output := p.MakePath(test.input)
@@ -73,7 +73,7 @@ func TestMakePath(t *testing.T) {
 func TestMakePathSanitized(t *testing.T) {
 	v := newTestCfg()
 
-	p, _ := NewPathSpec(hugofs.NewMem(v), v)
+	p, _ := NewPathSpec(hugofs.NewMem(v), v, nil)
 
 	tests := []struct {
 		input    string
@@ -101,7 +101,7 @@ func TestMakePathSanitizedDisablePathToLower(t *testing.T) {
 	v.Set("disablePathToLower", true)
 
 	l := langs.NewDefaultLanguage(v)
-	p, _ := NewPathSpec(hugofs.NewMem(v), l)
+	p, _ := NewPathSpec(hugofs.NewMem(v), l, nil)
 
 	tests := []struct {
 		input    string

diff --git a/helpers/pathspec.go b/helpers/pathspec.go
@@ -16,6 +16,7 @@ package helpers
 import (
 	"strings"
 
+	"github.com/gohugoio/hugo/common/loggers"
 	"github.com/gohugoio/hugo/config"
 	"github.com/gohugoio/hugo/hugofs"
 	"github.com/gohugoio/hugo/hugolib/filesystems"
@@ -37,13 +38,13 @@ type PathSpec struct {
 }
 
 // NewPathSpec creats a new PathSpec from the given filesystems and language.
-func NewPathSpec(fs *hugofs.Fs, cfg config.Provider) (*PathSpec, error) {
-	return NewPathSpecWithBaseBaseFsProvided(fs, cfg, nil)
+func NewPathSpec(fs *hugofs.Fs, cfg config.Provider, logger *loggers.Logger) (*PathSpec, error) {
+	return NewPathSpecWithBaseBaseFsProvided(fs, cfg, logger, nil)
 }
 
 // NewPathSpecWithBaseBaseFsProvided creats a new PathSpec from the given filesystems and language.
 // If an existing BaseFs is provided, parts of that is reused.
-func NewPathSpecWithBaseBaseFsProvided(fs *hugofs.Fs, cfg config.Provider, baseBaseFs *filesystems.BaseFs) (*PathSpec, error) {
+func NewPathSpecWithBaseBaseFsProvided(fs *hugofs.Fs, cfg config.Provider, logger *loggers.Logger, baseBaseFs *filesystems.BaseFs) (*PathSpec, error) {
 
 	p, err := paths.New(fs, cfg)
 	if err != nil {
@@ -56,7 +57,7 @@ func NewPathSpecWithBaseBaseFsProvided(fs *hugofs.Fs, cfg config.Provider, baseB
 			filesystems.WithBaseFs(baseBaseFs),
 		}
 	}
-	bfs, err := filesystems.NewBase(p, options...)
+	bfs, err := filesystems.NewBase(p, logger, options...)
 	if err != nil {
 		return nil, err
 	}

diff --git a/helpers/pathspec_test.go b/helpers/pathspec_test.go
@@ -42,7 +42,7 @@ func TestNewPathSpecFromConfig(t *testing.T) {
 	fs := hugofs.NewMem(v)
 	fs.Source.MkdirAll(filepath.FromSlash("thework/thethemes/thetheme"), 0777)
 
-	p, err := NewPathSpec(fs, l)
+	p, err := NewPathSpec(fs, l, nil)
 
 	require.NoError(t, err)
 	require.True(t, p.CanonifyURLs)

diff --git a/helpers/testhelpers_test.go b/helpers/testhelpers_test.go
@@ -10,7 +10,7 @@ import (
 
 func newTestPathSpec(fs *hugofs.Fs, v *viper.Viper) *PathSpec {
 	l := langs.NewDefaultLanguage(v)
-	ps, _ := NewPathSpec(fs, l)
+	ps, _ := NewPathSpec(fs, l, nil)
 	return ps
 }
 

diff --git a/helpers/url_test.go b/helpers/url_test.go
@@ -28,7 +28,7 @@ func TestURLize(t *testing.T) {
 
 	v := newTestCfg()
 	l := langs.NewDefaultLanguage(v)
-	p, _ := NewPathSpec(hugofs.NewMem(v), l)
+	p, _ := NewPathSpec(hugofs.NewMem(v), l, nil)
 
 	tests := []struct {
 		input    string
@@ -90,7 +90,7 @@ func doTestAbsURL(t *testing.T, defaultInSubDir, addLanguage, multilingual bool,
 		v.Set("baseURL", test.baseURL)
 		v.Set("contentDir", "content")
 		l := langs.NewLanguage(lang, v)
-		p, _ := NewPathSpec(hugofs.NewMem(v), l)
+		p, _ := NewPathSpec(hugofs.NewMem(v), l, nil)
 
 		output := p.AbsURL(test.input, addLanguage)
 		expected := test.expected
@@ -168,7 +168,7 @@ func doTestRelURL(t *testing.T, defaultInSubDir, addLanguage, multilingual bool,
 		v.Set("baseURL", test.baseURL)
 		v.Set("canonifyURLs", test.canonify)
 		l := langs.NewLanguage(lang, v)
-		p, _ := NewPathSpec(hugofs.NewMem(v), l)
+		p, _ := NewPathSpec(hugofs.NewMem(v), l, nil)
 
 		output := p.RelURL(test.input, addLanguage)
 
@@ -256,7 +256,7 @@ func TestURLPrep(t *testing.T) {
 		v := newTestCfg()
 		v.Set("uglyURLs", d.ugly)
 		l := langs.NewDefaultLanguage(v)
-		p, _ := NewPathSpec(hugofs.NewMem(v), l)
+		p, _ := NewPathSpec(hugofs.NewMem(v), l, nil)
 
 		output := p.URLPrep(d.input)
 		if d.output != output {

diff --git a/hugofs/decorators.go b/hugofs/decorators.go
@@ -90,19 +90,14 @@ func NewBaseFileDecorator(fs afero.Fs) afero.Fs {
 		isSymlink := isSymlink(fi)
 		if isSymlink {
 			meta[metaKeyOriginalFilename] = filename
-			link, err := filepath.EvalSymlinks(filename)
+			var link string
+			var err error
+			link, fi, err = evalSymlinks(fs, filename)
 			if err != nil {
 				return nil, err
 			}
-
-			fi, err = fs.Stat(link)
-			if err != nil {
-				return nil, err
-			}
-
 			filename = link
 			meta[metaKeyIsSymlink] = true
-
 		}
 
 		opener := func() (afero.File, error) {
@@ -117,6 +112,20 @@ func NewBaseFileDecorator(fs afero.Fs) afero.Fs {
 	return ffs
 }
 
+func evalSymlinks(fs afero.Fs, filename string) (string, os.FileInfo, error) {
+	link, err := filepath.EvalSymlinks(filename)
+	if err != nil {
+		return "", nil, err
+	}
+
+	fi, err := fs.Stat(link)
+	if err != nil {
+		return "", nil, err
+	}
+
+	return link, fi, nil
+}
+
 type baseFileDecoratorFs struct {
 	afero.Fs
 	decorate func(fi os.FileInfo, filename string) (os.FileInfo, error)

diff --git a/hugofs/fileinfo.go b/hugofs/fileinfo.go
@@ -180,9 +180,20 @@ type FileMetaInfo interface {
 
 type fileInfoMeta struct {
 	os.FileInfo
+
 	m FileMeta
 }
 
+// Name returns the file's name. Note that we follow symlinks,
+// if supported by the file system, and the Name given here will be the
+// name of the symlink, which is what Hugo needs in all situations.
+func (fi *fileInfoMeta) Name() string {
+	if name := fi.m.Name(); name != "" {
+		return name
+	}
+	return fi.FileInfo.Name()
+}
+
 func (fi *fileInfoMeta) Meta() FileMeta {
 	return fi.m
 }
@@ -295,3 +306,11 @@ func normalizeFilename(filename string) string {
 	}
 	return filename
 }
+
+func fileInfosToNames(fis []os.FileInfo) []string {
+	names := make([]string, len(fis))
+	for i, d := range fis {
+		names[i] = d.Name()
+	}
+	return names
+}
diff --git a/hugofs/nosymlink_fs.go b/hugofs/nosymlink_fs.go
@@ -16,6 +16,9 @@ package hugofs
 import (
 	"errors"
 	"os"
+	"path/filepath"
+
+	"github.com/gohugoio/hugo/common/loggers"
 
 	"github.com/spf13/afero"
 )
@@ -24,15 +27,48 @@ var (
 	ErrPermissionSymlink = errors.New("symlinks not allowed in this filesystem")
 )
 
-func NewNoSymlinkFs(fs afero.Fs) afero.Fs {
-	return &noSymlinkFs{Fs: fs}
+// NewNoSymlinkFs creates a new filesystem that prevents symlinks.
+func NewNoSymlinkFs(fs afero.Fs, logger *loggers.Logger, allowFiles bool) afero.Fs {
+	return &noSymlinkFs{Fs: fs, logger: logger, allowFiles: allowFiles}
 }
 
 // noSymlinkFs is a filesystem that prevents symlinking.
 type noSymlinkFs struct {
+	allowFiles bool // block dirs only
+	logger     *loggers.Logger
 	afero.Fs
 }
 
+type noSymlinkFile struct {
+	fs *noSymlinkFs
+	afero.File
+}
+
+func (f *noSymlinkFile) Readdir(count int) ([]os.FileInfo, error) {
+	fis, err := f.File.Readdir(count)
+
+	filtered := fis[:0]
+	for _, x := range fis {
+		filename := filepath.Join(f.Name(), x.Name())
+		if _, err := f.fs.checkSymlinkStatus(filename, x); err != nil {
+			// Log a warning and drop the file from the list
+			logUnsupportedSymlink(filename, f.fs.logger)
+		} else {
+			filtered = append(filtered, x)
+		}
+	}
+
+	return filtered, err
+}
+
+func (f *noSymlinkFile) Readdirnames(count int) ([]string, error) {
+	dirs, err := f.Readdir(count)
+	if err != nil {
+		return nil, err
+	}
+	return fileInfosToNames(dirs), nil
+}
+
 func (fs *noSymlinkFs) LstatIfPossible(name string) (os.FileInfo, bool, error) {
 	return fs.stat(name)
 }
@@ -53,33 +89,68 @@ func (fs *noSymlinkFs) stat(name string) (os.FileInfo, bool, error) {
 	if lstater, ok := fs.Fs.(afero.Lstater); ok {
 		fi, wasLstat, err = lstater.LstatIfPossible(name)
 	} else {
-
 		fi, err = fs.Fs.Stat(name)
 	}
 
+	if err != nil {
+		return nil, false, err
+	}
+
+	fi, err = fs.checkSymlinkStatus(name, fi)
+
+	return fi, wasLstat, err
+}
+
+func (fs *noSymlinkFs) checkSymlinkStatus(name string, fi os.FileInfo) (os.FileInfo, error) {
 	var metaIsSymlink bool
 
 	if fim, ok := fi.(FileMetaInfo); ok {
-		metaIsSymlink = fim.Meta().IsSymlink()
+		meta := fim.Meta()
+		metaIsSymlink = meta.IsSymlink()
 	}
 
-	if metaIsSymlink || isSymlink(fi) {
-		return nil, wasLstat, ErrPermissionSymlink
+	if metaIsSymlink {
+		if fs.allowFiles && !fi.IsDir() {
+			return fi, nil
+		}
+		return nil, ErrPermissionSymlink
 	}
 
-	return fi, wasLstat, err
+	// Also support non-decorated filesystems, e.g. the Os fs.
+	if isSymlink(fi) {
+		// Need to determine if this is a directory or not.
+		_, sfi, err := evalSymlinks(fs.Fs, name)
+		if err != nil {
+			return nil, err
+		}
+		if fs.allowFiles && !sfi.IsDir() {
+			// Return the original FileInfo to get the expected Name.
+			return fi, nil
+		}
+		return nil, ErrPermissionSymlink
+	}
+
+	return fi, nil
 }
 
 func (fs *noSymlinkFs) Open(name string) (afero.File, error) {
 	if _, _, err := fs.stat(name); err != nil {
 		return nil, err
 	}
-	return fs.Fs.Open(name)
+	return fs.wrapFile(fs.Fs.Open(name))
 }
 
 func (fs *noSymlinkFs) OpenFile(name string, flag int, perm os.FileMode) (afero.File, error) {
 	if _, _, err := fs.stat(name); err != nil {
 		return nil, err
 	}
-	return fs.Fs.OpenFile(name, flag, perm)
+	return fs.wrapFile(fs.Fs.OpenFile(name, flag, perm))
+}
+
+func (fs *noSymlinkFs) wrapFile(f afero.File, err error) (afero.File, error) {
+	if err != nil {
+		return nil, err
+	}
+
+	return &noSymlinkFile{File: f, fs: fs}, nil
 }