feat(FileDownlink): sandboxed reads via Os::SandboxedFile#5404
feat(FileDownlink): sandboxed reads via Os::SandboxedFile#5404Abhishek21g wants to merge 3 commits into
Conversation
Mirror FileUplink write-side confinement for commanded downlink paths. Adds configure(directory), SourceOutOfSandbox event, and unit coverage. Fixes nasa#5398
| //! The underlying OS file | ||
| Os::File m_osFile; | ||
| //! The underlying OS file (sandboxed to restrict read locations) | ||
| Os::SandboxedFile m_osFile; |
There was a problem hiding this comment.
[Security] must fix Sandbox validation happens after an unrestricted file-size query.
FileDownlink::File::open() calls Os::FileSystem::getFileSize(sourceFileName, ...) before m_osFile.open(...) performs the sandbox check. A ground-controlled source path can therefore probe metadata for arbitrary paths outside the configured directory, bypassing the new read boundary. Validate the path through the sandbox before querying its size, or add a sandboxed size/stat operation.
There was a problem hiding this comment.
Addressed in 453c44a: getFileSize removed. open() now opens via Os::SandboxedFile first, then queries size with m_osFile.size() after sandbox validation.
Avoid unrestricted Os::FileSystem::getFileSize on commanded paths before the SandboxedFile open check. Open first, then use SandboxedFile::size(). Addresses security review on nasa#5404.
| char cwd[Os::FilePathUtils::MAX_PATH_LENGTH]; | ||
| FW_ASSERT(getcwd(cwd, sizeof(cwd)) != nullptr); |
There was a problem hiding this comment.
[C++ Design] must fix CPP-29: FW_ASSERT predicate performs the getcwd write.
FW_ASSERT may compile out, so disabling assertions leaves cwd uninitialized before strlen(cwd) and can cause undefined behavior. Evaluate getcwd before the assertion and initialize the local explicitly.
| char cwd[Os::FilePathUtils::MAX_PATH_LENGTH]; | |
| FW_ASSERT(getcwd(cwd, sizeof(cwd)) != nullptr); | |
| char cwd[Os::FilePathUtils::MAX_PATH_LENGTH] = {}; | |
| const char* cwdResult = getcwd(cwd, sizeof(cwd)); | |
| FW_ASSERT(cwdResult != nullptr); |
There was a problem hiding this comment.
Addressed in 7e8c24b: cwd is zero-initialized and getcwd runs outside FW_ASSERT; the assert only checks the result pointer.
| command and port. | ||
|
|
||
| 4. File access may optionally be sandboxed to a configured directory via `configure(directory)`. | ||
| When configured, all commanded source paths are validated against the sandbox directory before reading. |
There was a problem hiding this comment.
[Documentation] must fix The SDD does not describe the new sandbox rejection contract.
CPP behavior applies the sandbox to both commanded and SendFile port requests and emits SourceOutOfSandbox when a source is rejected, but this text only says “commanded” paths and omits the operator-visible warning event. Keep the component SDD aligned with the new FPP behavior.
| When configured, all commanded source paths are validated against the sandbox directory before reading. | |
| When configured, all source paths supplied through `SendFile`/`SendPartial` commands or the `SendFile` port are validated against the sandbox directory before reading; rejected paths emit `SourceOutOfSandbox`. |
There was a problem hiding this comment.
Addressed in 7e8c24b: SDD now documents sandbox configure(directory), SendFile/command coverage, and SourceOutOfSandbox.
| //! The underlying OS file | ||
| Os::File m_osFile; | ||
| //! The underlying OS file (sandboxed to restrict read locations) | ||
| Os::SandboxedFile m_osFile; |
There was a problem hiding this comment.
[Design] Human design adjudication required. This change crosses the Svc::FileDownlink and Os::SandboxedFile layer boundary, so the design owner should confirm the intended confinement contract before deeper review proceeds.
The linked issue proposes symmetry with FileUplink, while this PR adds a new component-level configuration path and a new operator-visible event; please confirm this is the approved integration boundary and lifecycle.
cc @LeStarch @thomas-bc — design needs human adjudication before deeper review.
| //! The underlying OS file | ||
| Os::File m_osFile; | ||
| //! The underlying OS file (sandboxed to restrict read locations) | ||
| Os::SandboxedFile m_osFile; |
There was a problem hiding this comment.
[Design] must fix The implementation does not fully match the sandboxed-read design.
FileDownlink::File::open() still calls unrestricted Os::FileSystem::getFileSize() before m_osFile.open() performs sandbox validation, so the new boundary is not applied to the complete source-access operation. Use a sandbox-aware size query or validate before the metadata lookup.
lestarch-autobot
left a comment
There was a problem hiding this comment.
Automated review summary (run 1)
Per-agent results
| Agent | must fix | suggestion | could fix | future work | outstanding | Verdict |
|---|---|---|---|---|---|---|
| Security Vulnerabilities | 1 | 0 | 0 | 0 | 1 | No-Go |
| Supply Chain / Runner Safety | 0 | 0 | 0 | 0 | 0 | Go |
| F Prime C/C++ Design | 1 | 0 | 0 | 0 | 1 | No-Go |
| Documentation Currency | 1 | 0 | 0 | 0 | 1 | No-Go |
| Design | 2 | 0 | 0 | 0 | 2 | No-Go |
| Architecture | 0 | 0 | 0 | 0 | 0 | Go |
| Test Quality | 0 | 0 | 0 | 0 | 0 | Go |
| CI safety | — | — | — | — | — | Go |
| Totals | 5 | 0 | 0 | 0 | 5 | No-Go |
Supply-chain surfaces
| Surface | Outstanding |
|---|---|
| Dependencies | clean |
| Vendored / submodule | clean |
| Build / test infrastructure | clean |
| Workflows / actions / scripts | clean |
| Generator output | clean |
| Prompt-injection | clean |
| Review-system integrity | clean |
Outstanding must-fix items (5)
Security Vulnerabilities
- Unrestricted
getFileSizeruns before sandbox validation, allowing metadata access outside the configured directory. — finding
F Prime C/C++ Design
getcwdis executed inside an assertion predicate, leavingcwduninitialized when assertions are compiled out. — finding
Documentation Currency
- The SDD omits sandbox behavior for the
SendFileport and theSourceOutOfSandboxevent. — finding
Design
Merge readiness
Merge readiness: No-Go — five outstanding must-fix findings remain across security, C/C++ correctness, documentation, and design review.
The implementation is cleared for CI-safety concerns, but merge should wait for the outstanding findings and design-owner adjudication.
The review constellation has mapped the hazards; resolve them before launch.
- CPP-29: initialize cwd buffer before FW_ASSERT(getcwd) - Document SourceOutOfSandbox and port/command sandbox contract in SDD - Apply clang-format
Coverage report — base
|
| Module | Line | Δ | Function | Δ | Branch | Δ |
|---|---|---|---|---|---|---|
Os/Posix |
62.00 | -0.40 | 84.21 | +0.00 | 44.10 | +0.00 |
Os/Generic |
89.03 | -0.13 | 88.16 | +0.00 | 72.86 | -0.25 |
Fw/DataStructures |
98.48 | +0.27 | 97.14 | +0.00 | 83.21 | +0.37 |
Os/Generic/Types |
92.39 | +0.36 | 92.86 | +0.00 | 75.24 | +2.86 |
Svc/FileDownlink |
84.57 | +0.42 | 91.49 | +0.58 | 72.13 | +0.23 |
Modules without UTs
CFDP/Checksum/GTest, Drv/ByteStreamDriverModel, Drv/Interfaces, Drv/LinuxGpioDriver, Drv/LinuxI2cDriver, Drv/LinuxSpiDriver, Drv/LinuxUartDriver, Drv/Ports, Drv/Ports/DataTypes, FppTestProject/FppTest/interfaces, FppTestProject/FppTest/topology/async, FppTestProject/FppTest/topology/components/Comp, FppTestProject/FppTest/topology/components/Framework, FppTestProject/FppTest/topology/components/Receiver, FppTestProject/FppTest/topology/components/Sender, FppTestProject/FppTest/topology/guarded, FppTestProject/FppTest/topology/ports, FppTestProject/FppTest/topology/sync, FppTestProject/FppTest/topology/top_ports, FppTestProject/FppTest/topology/types, Fw/Cmd, Fw/Com, Fw/Comp, Fw/FilePacket/GTest, Fw/Fpy, Fw/Interfaces, Fw/Obj, Fw/Port, Fw/Ports/CompletionStatus, Fw/Ports/Ready, Fw/Ports/Signal, Fw/Ports/SuccessCondition, Fw/Prm, Fw/SerializableFile/test/TestSerializable, Fw/Sm, Fw/Test, Fw/Types/GTest, Os/Models, Svc/Cycle, Svc/DpPorts, Svc/Fatal, Svc/FatalHandler, Svc/FileDownlinkPorts, Svc/FprimeProtocol, Svc/Interfaces, Svc/PassiveConsoleTextLogger, Svc/Ping, Svc/PolyIf, Svc/Ports/CommsPorts, Svc/Ports/FilePorts, Svc/Ports/OsTimeEpoch, Svc/Ports/TlmPacketizerPorts, Svc/Ports/VersionPorts, Svc/Sched, Svc/Seq, Svc/Subtopologies/CdhCore, Svc/Subtopologies/ComCcsds, Svc/Subtopologies/ComFprime, Svc/Subtopologies/ComLoggerTee, Svc/Subtopologies/DataProducts, Svc/Subtopologies/DpCompression, Svc/Subtopologies/FileHandling, Svc/Types/TlmPacketizerTypes, Svc/WatchDog, TestDeploymentsProject/Ref/PingReceiver, TestDeploymentsProject/Ref/RecvBuffApp, TestDeploymentsProject/Ref/SendBuffApp, TestDeploymentsProject/Ref/Top, TestDeploymentsProject/Ref/TypeDemo, cmake/test/data/TestDeployment/TestBuildAutocoder, cmake/test/data/TestDeployment/TestChainedAutocoder, cmake/test/data/TestDeployment/TestHeaderAutocoder, cmake/test/data/TestDeployment/TestTargetAutocoder, cmake/test/data/test-fprime-library/TestLibrary/TestComponent, cmake/test/data/test-fprime-library2/TestLibrary2/TestComponent
|
Follow-ups for the automated review findings:
CI workflows on this fork PR currently show no checks pending maintainer approval — happy to wait on a re-run / approve workflows when convenient. |
|
CCB approved |
Summary
Svc::FileUplinkwrite-side sandboxing on the read path forSvc::FileDownlinkconfigure(const char* directory)overload,SourceOutOfSandboxevent, and unit test coverageFixes #5398. Complements #5369 FileDownlink cleanup work.
Test plan
Svc/FileDownlink/test/ut— newSourceOutOfSandboxtest passes