-
Notifications
You must be signed in to change notification settings - Fork 482
Expand file tree
/
Copy patht_secure_relpath.c
More file actions
151 lines (130 loc) · 4.26 KB
/
t_secure_relpath.c
File metadata and controls
151 lines (130 loc) · 4.26 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
/*
* Test harness for secure_relative_open()'s front-door input
* validation. Codex audit Finding 5 noted that the existing check
*
* if (strncmp(relpath, "../", 3) == 0 || strstr(relpath, "/../"))
*
* catches "../foo" and "foo/../bar" but misses bare ".." (an actual
* one-level escape on platforms that fall back to the per-component
* walk), as well as "a/..", "foo/..", and any other form that
* decomposes to a ".." component when split on "/". The kernel-
* enforced RESOLVE_BENEATH (Linux 5.6+) and O_RESOLVE_BENEATH
* (FreeBSD 13+, macOS 15+) reject these in-kernel; the per-
* component fallback used on NetBSD, OpenBSD, Solaris, Cygwin and
* pre-5.6 Linux does not, so the validation must happen at the
* front door.
*
* This helper invokes secure_relative_open() with each suspect
* input and checks both the failure (rc < 0) and the errno
* (EINVAL means "rejected at the front door"). Pre-fix, the kernel
* may reject with a different errno (EXDEV from RESOLVE_BENEATH);
* post-fix, the front-door check catches every variant up front
* with a consistent EINVAL across platforms.
*
* Not linked into rsync itself.
*/
#include "rsync.h"
#include <sys/stat.h>
int dry_run = 0;
int am_root = 0;
int am_sender = 0;
int read_only = 0;
int list_only = 0;
int copy_links = 0;
int copy_unsafe_links = 0;
extern int am_daemon, am_chrooted;
short info_levels[COUNT_INFO], debug_levels[COUNT_DEBUG];
static int errs = 0;
static void check_relpath(const char *relpath)
{
int fd;
int saved_errno;
errno = 0;
fd = secure_relative_open(NULL, relpath, O_RDONLY | O_DIRECTORY, 0);
saved_errno = errno;
if (fd >= 0) {
fprintf(stderr,
"FAIL [relpath=%-12s]: returned valid fd %d (escape) -- expected -1 EINVAL\n",
relpath, fd);
close(fd);
errs++;
return;
}
if (saved_errno != EINVAL) {
fprintf(stderr,
"FAIL [relpath=%-12s]: rejected but errno=%d (%s), expected EINVAL\n",
relpath, saved_errno, strerror(saved_errno));
errs++;
return;
}
fprintf(stderr, "OK [relpath=%-12s]: rejected with EINVAL\n", relpath);
}
static void check_basedir(const char *basedir)
{
int fd;
int saved_errno;
errno = 0;
fd = secure_relative_open(basedir, "ok", O_RDONLY | O_DIRECTORY, 0);
saved_errno = errno;
if (fd >= 0) {
fprintf(stderr,
"FAIL [basedir=%-12s]: returned valid fd %d -- expected -1 EINVAL\n",
basedir, fd);
close(fd);
errs++;
return;
}
if (saved_errno != EINVAL) {
fprintf(stderr,
"FAIL [basedir=%-12s]: rejected but errno=%d (%s), expected EINVAL\n",
basedir, saved_errno, strerror(saved_errno));
errs++;
return;
}
fprintf(stderr, "OK [basedir=%-12s]: rejected with EINVAL\n", basedir);
}
int main(int argc, char **argv)
{
if (argc != 2) {
fprintf(stderr, "usage: %s <test-dir>\n", argv[0]);
return 2;
}
if (chdir(argv[1]) < 0) {
perror("chdir");
return 2;
}
/* secure_relative_open's daemon-only confinement protections only
* fire when am_daemon && !am_chrooted (the threat model is the
* daemon-no-chroot deployment), but the front-door input
* validation runs unconditionally. We set am_daemon anyway so the
* helper exercises the same code shape the receiver does. */
am_daemon = 1;
am_chrooted = 0;
mkdir("subdir", 0755);
/* Each of these relpaths must be rejected with EINVAL at the
* secure_relative_open() front door. ".." is the actual one-level
* escape; the others ("subdir/..", "subdir/../subdir") resolve
* back to the start dir on systems that allow them, but we still
* reject them as defence-in-depth: a path containing a ".." token
* is suspicious and the caller should normalise before passing
* it in. The "../foo" / "foo/../bar" / "/foo" / "/" cases are
* regression checks for the existing checks. */
check_relpath("..");
check_relpath("../foo");
check_relpath("subdir/..");
check_relpath("subdir/../subdir");
check_relpath("foo/../bar");
check_relpath("/foo");
check_relpath("/");
/* Same checks against basedir (which the codex Finding 2 fix
* routes through the same RESOLVE_BENEATH-equivalent). Absolute
* basedirs are operator-trusted and intentionally not validated
* here. */
check_basedir("..");
check_basedir("../subdir");
check_basedir("subdir/..");
check_basedir("foo/../bar");
if (errs)
fprintf(stderr, "\n%d failure(s)\n", errs);
return errs ? 1 : 0;
}