Skip to content

join: loosen cleanliness requirements for SecureJoin root#47

Merged
cyphar merged 1 commit intomainfrom
unclean-root-dotdot
Jan 24, 2025
Merged

join: loosen cleanliness requirements for SecureJoin root#47
cyphar merged 1 commit intomainfrom
unclean-root-dotdot

Conversation

@cyphar
Copy link
Owner

@cyphar cyphar commented Jan 22, 2025

It turns out that some users do provide unclean paths like "foo/bar/"
and as a result the new behaviour in commit bc750ad ("join: return
an error if root is unclean path") was far too aggressive and lead to
regressions.

The more gentle solution is to only error out if the path contains a
".." component (which is the only component type we are really worried
about here because it's the only one that can turn a safe
root-joined-path into an unsafe one due to how symlinks are resolved on
Linux).

Fixes: bc750ad ("join: return an error if root is unclean path")
Fixes #46
Signed-off-by: Aleksa Sarai cyphar@cyphar.com

@cyphar
Copy link
Owner Author

cyphar commented Jan 22, 2025

@kolyshkin WDYT?

kolyshkin
kolyshkin reviewed Jan 22, 2025
View reviewed changes
kolyshkin
kolyshkin reviewed Jan 22, 2025
View reviewed changes
kolyshkin
kolyshkin approved these changes Jan 22, 2025
View reviewed changes
Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left some notes but LGTM

@cyphar cyphar force-pushed the unclean-root-dotdot branch 3 times, most recently from a8c834f to 85ed0ef Compare January 22, 2025 04:07
@cyphar cyphar mentioned this pull request Jan 22, 2025
Closed
@cyphar cyphar force-pushed the unclean-root-dotdot branch from 85ed0ef to fe5f60f Compare January 24, 2025 16:17
@cyphar
join: loosen cleanliness requirements for SecureJoin root
fbaef26 
It turns out that some users do provide unclean paths like "foo/bar/"
and as a result the new behaviour in commit bc750ad ("join: return
an error if root is unclean path") was far too aggressive and lead to
regressions.

The more gentle solution is to only error out if the path contains a
".." component (which is the only component type we are really worried
about here because it's the only one that can turn a safe
root-joined-path into an unsafe one due to how symlinks are resolved on
Linux).

Fixes: bc750ad ("join: return an error if root is unclean path")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar cyphar force-pushed the unclean-root-dotdot branch from fe5f60f to fbaef26 Compare January 24, 2025 16:20
@cyphar cyphar merged commit 509a359 into main Jan 24, 2025
This was referenced Jan 28, 2025
Merged
Closed
@cyphar cyphar deleted the unclean-root-dotdot branch September 25, 2025 16:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@kolyshkin kolyshkin kolyshkin approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[regression] hardening against bad root paths in 0.4.0 is too agressive

2 participants

@cyphar @kolyshkin