Merge fix/security-hardening: cache path traversal, firewall shell injection fixes

SnakePlushkin · SnakePlushkin · commit e35b2f90de1f · 2026-03-30T14:10:22.000-07:00
- Cache: sanitize name/version/hash to prevent path traversal; atomic write-then-rename
- Firewall: eliminate shell injection in container mode by passing cp args directly
- Process firewall: use UUID temp filenames and explicit error handling
- Remove unused DEEP_SKIP_DIRS constant and dead component_type field
diff --git a/src/cache/mod.rs b/src/cache/mod.rs
@@ -31,8 +31,15 @@ impl CspCache {
     }
 
     fn cache_path(&self, name: &str, version: &str, content_hash: &str) -> PathBuf {
-        self.dir
-            .join(format!("{name}@{version}-{content_hash}.json"))
+        // Sanitize components to prevent path traversal. Replace any character
+        // that could escape the cache directory (path separators, `..`) with `_`.
+        let safe = |s: &str| s.replace(['/', '\\'], "_").replace("..", "_");
+        self.dir.join(format!(
+            "{}-{}-{}.json",
+            safe(name),
+            safe(version),
+            safe(content_hash)
+        ))
     }
 
     pub fn get(&self, name: &str, version: &str, content_hash: &str) -> Option<CspSpec> {
@@ -51,7 +58,11 @@ impl CspCache {
         std::fs::create_dir_all(&self.dir)?;
         let path = self.cache_path(name, version, content_hash);
         let json = serde_json::to_string_pretty(csp)?;
-        std::fs::write(path, json)?;
+        // Write atomically: write to a temp file then rename into place so
+        // concurrent readers never see a partial write.
+        let tmp_path = path.with_extension("tmp");
+        std::fs::write(&tmp_path, json)?;
+        std::fs::rename(&tmp_path, &path)?;
         Ok(())
     }
 }
diff --git a/src/firewall/mod.rs b/src/firewall/mod.rs
@@ -65,25 +65,43 @@ fn cross_firewall_context(csp: CspSpec) -> (CspSpec, AuditEvent) {
 async fn cross_firewall_process(csp: CspSpec) -> (CspSpec, AuditEvent) {
     let temp_dir = std::env::temp_dir().join("phalus-firewall");
     let _ = tokio::fs::create_dir_all(&temp_dir).await;
-    let safe_name = csp
-        .package_name
-        .replace(['/', '\\'], "_")
-        .replace("..", "_");
-    let safe_version = csp
-        .package_version
-        .replace(['/', '\\'], "_")
-        .replace("..", "_");
-    let temp_path = temp_dir.join(format!("csp-{}-{}.json", safe_name, safe_version));
+    let run_id = uuid::Uuid::new_v4();
+    let temp_path = temp_dir.join(format!("csp-{}.json", run_id));
 
     // Serialize to disk
-    let serialized = serde_json::to_string_pretty(&csp).unwrap_or_default();
-    let _ = tokio::fs::write(&temp_path, &serialized).await;
+    let serialized = match serde_json::to_string_pretty(&csp) {
+        Ok(s) => s,
+        Err(e) => {
+            tracing::error!("process firewall: failed to serialize CSP: {}", e);
+            let _ = tokio::fs::remove_file(&temp_path).await;
+            return cross_firewall_context(csp);
+        }
+    };
+    if let Err(e) = tokio::fs::write(&temp_path, &serialized).await {
+        tracing::error!("process firewall: failed to write temp file: {}", e);
+        return cross_firewall_context(csp);
+    }
 
     // Read back from disk (proving serialization boundary)
-    let read_back = tokio::fs::read_to_string(&temp_path)
-        .await
-        .unwrap_or(serialized);
-    let deserialized: CspSpec = serde_json::from_str(&read_back).unwrap_or(csp);
+    let read_back = match tokio::fs::read_to_string(&temp_path).await {
+        Ok(s) => s,
+        Err(e) => {
+            tracing::error!("process firewall: failed to read temp file: {}", e);
+            let _ = tokio::fs::remove_file(&temp_path).await;
+            return cross_firewall_context(csp);
+        }
+    };
+    let deserialized: CspSpec = match serde_json::from_str(&read_back) {
+        Ok(c) => c,
+        Err(e) => {
+            tracing::error!(
+                "process firewall: failed to deserialize CSP from disk: {}",
+                e
+            );
+            let _ = tokio::fs::remove_file(&temp_path).await;
+            return cross_firewall_context(csp);
+        }
+    };
 
     // Clean up temp file
     let _ = tokio::fs::remove_file(&temp_path).await;
@@ -202,10 +220,10 @@ async fn cross_firewall_container(csp: CspSpec, cfg: &ContainerConfig) -> (CspSp
     let input_mount = format!("{}:/input:ro", input_abs.display());
     let output_mount = format!("{}:/output:rw", output_abs.display());
     // Copy exactly the CSP file across the Docker boundary.
-    let container_cmd = format!(
-        "cp /input/{csp_filename} /output/{csp_filename}",
-        csp_filename = csp_filename
-    );
+    // Pass cp arguments directly (no shell) to prevent shell injection via
+    // package name or version containing metacharacters like $(), backticks, etc.
+    let input_file = format!("/input/{}", csp_filename);
+    let output_file = format!("/output/{}", csp_filename);
 
     tracing::info!(
         "container firewall: starting container for {}@{} (image={}, network={}, memory={}, cpus={})",
@@ -236,9 +254,9 @@ async fn cross_firewall_container(csp: CspSpec, cfg: &ContainerConfig) -> (CspSp
             "--stop-timeout",
             &cfg.timeout_secs.to_string(),
             &cfg.image,
-            "sh",
-            "-c",
-            &container_cmd,
+            "cp",
+            &input_file,
+            &output_file,
         ])
         .stdout(std::process::Stdio::null())
         .stderr(std::process::Stdio::piped())
diff --git a/src/sbom/mod.rs b/src/sbom/mod.rs
@@ -1,5 +1,5 @@
-use crate::license;
 /// SBOM ingestion: parse CycloneDX BOM JSON and SPDX JSON into `ScannedPackage` lists.
+use crate::license;
 use crate::{Ecosystem, ScannedPackage};
 use serde::Deserialize;
 use thiserror::Error;
@@ -25,9 +25,6 @@ struct CycloneDxBom {
 #[derive(Debug, Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct CycloneDxComponent {
-    #[serde(rename = "type")]
-    #[allow(dead_code)]
-    component_type: Option<String>,
     name: String,
     version: Option<String>,
     purl: Option<String>,
diff --git a/src/scan/mod.rs b/src/scan/mod.rs
@@ -137,16 +137,13 @@ fn collect_files(
         }
 
         if path.is_dir() {
-            // Recurse, but only one level for common vendor/dependency dirs
-            if !DEEP_SKIP_DIRS.contains(&file_name) {
-                collect_files(
-                    &path,
-                    manifest_files,
-                    sbom_files,
-                    package_refs,
-                    sbom_packages,
-                )?;
-            }
+            collect_files(
+                &path,
+                manifest_files,
+                sbom_files,
+                package_refs,
+                sbom_packages,
+            )?;
             continue;
         }
 
@@ -219,10 +216,6 @@ const SKIP_DIRS: &[&str] = &[
     "env",
 ];
 
-/// Directories we recurse into but don't look for manifests at deeper levels
-/// (prevents picking up nested test-fixture package.json etc.).
-const DEEP_SKIP_DIRS: &[&str] = &[];
-
 // ---------------------------------------------------------------------------
 // Registry license resolution
 // ---------------------------------------------------------------------------
