tests: Add a test case for path traversal in a dirtree

I was reading about a recent security issue with both EMC and VMware:
https://arstechnica.com/information-technology/2018/01/emc-vmware-security-bugs-throw-gasoline-on-cloud-security-fire/

It's a classic path traversal problem, and that made me think more about our
handling of this in libostree.  Fortunately of course, not being new to
this rodeo, long ago I *did* consider path traversal.  Inside the pull
code, we call `ot_util_filename_validate()`.  Also, `fsck` does this too.

I have further followups here, but let's add some test cases for this. I crafted
a repository with a `../` in a dirtree object by patching libostree to inject
it, and that's included as a tarball.

This patch covers the two cases where we do already have checks; pulling
via HTTP, and in `fsck`.

Closes: #1412
Approved by: jlebon
Colin Walters 2018-01-12 09:01:52 -05:00 committed by Atomic Bot
parent 854a823e05
commit 2b78df25f4
5 changed files with 29 additions and 3 deletions


@ -178,6 +178,7 @@ dist_installed_test_data = tests/archive-test.sh \
tests/pre-endian-deltas-repo-little.tar.xz \ tests/pre-endian-deltas-repo-little.tar.xz \
tests/fah-deltadata-old.tar.xz \ tests/fah-deltadata-old.tar.xz \
tests/fah-deltadata-new.tar.xz \ tests/fah-deltadata-new.tar.xz \
tests/ostree-path-traverse.tar.gz \
tests/libtest-core.sh \ tests/libtest-core.sh \
$(NULL) $(NULL)

2
cfg.mk

@ -39,4 +39,4 @@ sc_glnx_no_fd_close:
show-vc-list-except: show-vc-list-except:
@$(VC_LIST_EXCEPT) @$(VC_LIST_EXCEPT)
VC_LIST_ALWAYS_EXCLUDE_REGEX = ^ABOUT-NLS|cfg.mk|maint.mk|*.gpg|*.sig|.xz$$ VC_LIST_ALWAYS_EXCLUDE_REGEX = ^ABOUT-NLS|cfg.mk|maint.mk|*.gpg|*.sig|.xz|.gz$$
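Review bot: The `.xz` alternative loses its end anchor in the updated `VC_LIST_ALWAYS_EXCLUDE_REGEX`: with `|.gz$$` appended after it, the `$$` binds only to `.gz`, and the unescaped `.xz` now matches any path that contains some character followed by `xz` anywhere in the name. Assuming the value is consumed as an extended regex (the alternation suggests so), this silently widens the set of files skipped by the syntax checks. Grouping and escaping keeps both suffixes anchored: `VC_LIST_ALWAYS_EXCLUDE_REGEX = ^ABOUT-NLS|cfg.mk|maint.mk|*.gpg|*.sig|\.(xz|gz)$$`.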

Binary file not shown.


@ -52,7 +52,7 @@ function verify_initial_contents() {
assert_file_has_content baz/cow '^moo$' assert_file_has_content baz/cow '^moo$'
} }
echo "1..33" echo "1..34"
# Try both syntaxes # Try both syntaxes
repo_init --no-gpg-verify repo_init --no-gpg-verify
@ -217,6 +217,21 @@ else
echo "ok corruption (skipped)" echo "ok corruption (skipped)"
fi fi
cd ${test_tmpdir}/ostree-srv
tar xf ${test_srcdir}/ostree-path-traverse.tar.gz
cd ${test_tmpdir}
rm corruptrepo -rf
ostree_repo_init corruptrepo --mode=archive
${CMD_PREFIX} ostree --repo=corruptrepo remote add --set=gpg-verify=false pathtraverse $(cat httpd-address)/ostree/ostree-path-traverse/repo
if ${CMD_PREFIX} ostree --repo=corruptrepo pull pathtraverse pathtraverse-test 2>err.txt; then
fatal "Pulled a repo with path traversal in dirtree"
fi
assert_file_has_content_literal err.txt 'Invalid / in filename ../afile'
rm corruptrepo -rf
echo "ok path traversal checked on pull"
cd ${test_tmpdir} cd ${test_tmpdir}
rm mirrorrepo/refs/remotes/* -rf rm mirrorrepo/refs/remotes/* -rf
${CMD_PREFIX} ostree --repo=mirrorrepo prune --refs-only ${CMD_PREFIX} ostree --repo=mirrorrepo prune --refs-only
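Review bot: The new path-traversal case in the second hunk passes on the exit status and the stderr text alone, so a pull that prints the error but still records the ref in `corruptrepo` would not be caught. Before the final `rm corruptrepo -rf`, consider also asserting that nothing was committed locally, for example with libtest's `assert_not_has_file corruptrepo/refs/remotes/pathtraverse/pathtraverse-test`. The ref path is inferred from the `refs/remotes` layout used a few lines below, so adjust it if the archive repo stores it elsewhere.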


@ -19,7 +19,7 @@
set -euo pipefail set -euo pipefail
echo "1..4" echo "1..5"
. $(dirname $0)/libtest.sh . $(dirname $0)/libtest.sh
@ -72,3 +72,13 @@ fi
assert_file_has_content_literal err.txt "Loading commit for ref test2: No such metadata object" assert_file_has_content_literal err.txt "Loading commit for ref test2: No such metadata object"
echo "ok missing commit" echo "ok missing commit"
cd ${test_tmpdir}
tar xf ${test_srcdir}/ostree-path-traverse.tar.gz
if ${CMD_PREFIX} ostree --repo=ostree-path-traverse/repo fsck -q 2>err.txt; then
fatal "fsck unexpectedly succeeded"
fi
assert_file_has_content_literal err.txt '.dirtree: Invalid / in filename ../afile'
echo "ok path traverse"
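Review bot: Nothing in the test says what `ostree-path-traverse.tar.gz` contains or how it was produced, and the fixture is a binary that cannot be read in review. A comment above the `tar xf` line would carry over what the commit message explains, e.g. `# Repo whose dirtree object contains a "../afile" entry; generated with a patched libostree (see the commit that added the tarball).` The same comment would help at the matching `tar xf` in the pull test.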