fix: ensure TraverseParent bails on resource path exit #46100

Merged
merged 2 commits into from
Mar 24, 2025

Conversation

codebytere
Member

Description of Change

Electron's security model requires that we do not traverse outside of the resource path. This PR ensures that the TraverseParent function bails out if the parent path is outside of the resource path.

Checklist

Release Notes

Notes: none
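
The bail-out described above, sketched as an added example; this is a simplified model and not Electron's or Node's code. `IsInsideRoot` and `ParentsWithinRoot` are hypothetical names, and the sketch assumes already-normalised absolute paths with `/` separators and a case-sensitive comparison.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper: true when `path` is `root` itself or lies beneath it.
// `root` must end in '/', so "/opt/app/resources-old" is not mistaken for
// a child of "/opt/app/resources/".
bool IsInsideRoot(const std::string& path, const std::string& root) {
  if (path + "/" == root) return true;  // the root directory itself
  return path.size() >= root.size() &&
         path.compare(0, root.size(), root) == 0;
}

// Hypothetical model of a parent walk: returns every directory that would be
// probed, nearest first, and stops at the first parent outside `root`.
std::vector<std::string> ParentsWithinRoot(const std::string& start,
                                           std::string root) {
  if (root.empty() || root.back() != '/') root += '/';
  std::vector<std::string> visited;
  std::string dir = start;
  while (true) {
    const auto slash = dir.find_last_of('/');
    if (slash == std::string::npos || slash == 0) break;  // filesystem root
    dir.erase(slash);                     // step up to the parent
    if (!IsInsideRoot(dir, root)) break;  // bail on resource path exit
    visited.push_back(dir);
  }
  return visited;
}

int main() {
  // Constructed sample paths, not taken from the PR.
  for (const auto& d : ParentsWithinRoot(
           "/opt/app/resources/app/lib/index.js", "/opt/app/resources"))
    std::cout << d << "\n";
  return 0;
}
```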

@codebytere codebytere added semver/patch backwards-compatible bug fixes target/35-x-y PR should also be added to the "35-x-y" branch. target/36-x-y PR should also be added to the "36-x-y" branch. labels Mar 18, 2025
@codebytere codebytere requested a review from a team as a code owner March 18, 2025 09:45
@electron-cation electron-cation bot added the new-pr 🌱 PR opened in the last 24 hours label Mar 18, 2025
@codebytere codebytere marked this pull request as draft March 18, 2025 09:59
@codebytere codebytere force-pushed the fix-potential-path-dos branch from a029b69 to 5b2409f Compare March 18, 2025 10:10
@codebytere codebytere marked this pull request as ready for review March 18, 2025 10:11
@codebytere codebytere requested review from deepak1556 and removed request for erickzhao March 18, 2025 10:12
@codebytere codebytere force-pushed the fix-potential-path-dos branch 3 times, most recently from df72c27 to c94c6a1 Compare March 18, 2025 10:31
Member

@samuelmaddock samuelmaddock left a comment

lgtm pending CI

Member

@ckerr ckerr left a comment

Concept LGTM. 👍

I had some implementation nit suggestions but nothing major

@codebytere codebytere force-pushed the fix-potential-path-dos branch from c94c6a1 to 827b5d8 Compare March 18, 2025 18:37
@codebytere codebytere force-pushed the fix-potential-path-dos branch from 827b5d8 to df1b767 Compare March 18, 2025 20:18
@electron-cation electron-cation bot removed the new-pr 🌱 PR opened in the last 24 hours label Mar 19, 2025
@codebytere codebytere force-pushed the fix-potential-path-dos branch from 9dd38d6 to 6efc060 Compare March 19, 2025 14:32
@codebytere codebytere force-pushed the fix-potential-path-dos branch from 6efc060 to 6f28203 Compare March 19, 2025 21:03
@codebytere codebytere force-pushed the fix-potential-path-dos branch from 6f28203 to 3a2b0eb Compare March 20, 2025 07:00
@codebytere
Member Author

@MarshallOfSound I think this should be good to go!

Member

@MarshallOfSound MarshallOfSound left a comment

Approving as it fixes the underlying issues, one fast-follow request and two non-blocking comments

const bool is_permissions_enabled = env->permission()->enabled();

+ // Get the resources path with trailing slash.
+ std::string resources_path;
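
Review bot: the comment on the new `resources_path` declaration promises a trailing slash, but nothing in these lines shows where that is guaranteed. If the value is used as the prefix in the `starts_with` check added further down, a missing separator would let a sibling directory whose name merely begins with the resources directory name count as inside it. Suggest appending the separator at the point of assignment when it is absent, and saying in the comment that the containment check depends on it.
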
Member

non-blocking-fast-follow: This is susceptible to userland modification of resourcesPath, unlike the impl in node/init.ts which captures the value before userland code runs.

Member

non-blocking: this also has a perf hit during module loading as we're reading this on every module load, we should be able to cache this in a base::NoDestructor<std::string> or something for future use

Comment on lines +40 to +48
+ auto starts_with = [](const std::string& str, const std::string& prefix) -> bool {
+ if (prefix.size() > str.size()) return false;
+ return std::equal(
+ prefix.begin(), prefix.end(), str.begin(),
+ [](char a, char b) {
+ return std::tolower(static_cast<unsigned char>(a)) ==
+ std::tolower(static_cast<unsigned char>(b));
+ });
+ };
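
Review bot: the `starts_with` lambda folds case unconditionally through `std::tolower`, so on a case-sensitive file system two directories that differ only in case compare as the same prefix. `std::tolower` is also locale-dependent and works byte by byte, so it does not fold non-ASCII characters in UTF-8 paths. Suggest limiting the case-insensitive comparison to platforms whose file systems are case-insensitive, comparing exactly elsewhere, and noting the ASCII-only folding in a comment.
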
Member

non-blocking-question: does this have to be here? or could it be in an anonymous namespace? Wondering if this was just for patch readability

Member Author

@MarshallOfSound it was for patch readability and keeping changes closer together, yeah

@codebytere codebytere merged commit 964090d into main Mar 24, 2025
56 checks passed
@codebytere codebytere deleted the fix-potential-path-dos branch March 24, 2025 09:07
@release-clerk

release-clerk bot commented Mar 24, 2025

No Release Notes

@trop
Contributor

trop bot commented Mar 24, 2025

I have automatically backported this PR to "36-x-y", please check out #46212

@trop trop bot added in-flight/36-x-y and removed target/36-x-y PR should also be added to the "36-x-y" branch. labels Mar 24, 2025
@trop
Contributor

trop bot commented Mar 24, 2025

I have automatically backported this PR to "35-x-y", please check out #46213

@trop trop bot added in-flight/35-x-y merged/36-x-y PR was merged to the "36-x-y" branch. merged/35-x-y PR was merged to the "35-x-y" branch. and removed target/35-x-y PR should also be added to the "35-x-y" branch. in-flight/36-x-y in-flight/35-x-y labels Mar 24, 2025