Issue 4248041: code review 4248041: goinstall: protect against malicious filenames. (Closed)
|
Created:
14 years ago by rog Modified:
14 years ago Reviewers:
CC:
rsc, niemeyer, golang-dev Visibility:
Public. |
Descriptiongoinstall: protect against malicious filenames.
It was possible to make package run arbitrary
commands when installing if its filenames contained
make metacharacters.
Patch Set 1 #Patch Set 2 : diff -r 8e157f1abc87 https://go.googlecode.com/hg/ #Patch Set 3 : diff -r 8e157f1abc87 https://go.googlecode.com/hg/ #
Total comments: 2
Patch Set 4 : diff -r d9ff478c4ed3 https://go.googlecode.com/hg/ #Patch Set 5 : diff -r d9ff478c4ed3 https://go.googlecode.com/hg/ #Patch Set 6 : diff -r d9ff478c4ed3 https://go.googlecode.com/hg/ #Patch Set 7 : diff -r d9ff478c4ed3 https://go.googlecode.com/hg/ #Patch Set 8 : diff -r d9ff478c4ed3 https://go.googlecode.com/hg/ #Patch Set 9 : diff -r d9ff478c4ed3 https://go.googlecode.com/hg/ #Patch Set 10 : diff -r d9ff478c4ed3 https://go.googlecode.com/hg/ #MessagesTotal messages: 23
Hello rsc (cc: golang-dev@googlegroups.com), I'd like you to review this change to https://go.googlecode.com/hg/
Sign in to reply to this message.
LGTM http://codereview.appspot.com/4248041/diff/3001/src/cmd/goinstall/parse.go File src/cmd/goinstall/parse.go (right): http://codereview.appspot.com/4248041/diff/3001/src/cmd/goinstall/parse.go#ne... src/cmd/goinstall/parse.go:58: if strings.IndexAny(d.Name, "$\n\r") >= 0 { Backquotes should be included in that list.
Sign in to reply to this message.
http://codereview.appspot.com/4248041/diff/3001/src/cmd/goinstall/parse.go File src/cmd/goinstall/parse.go (right): http://codereview.appspot.com/4248041/diff/3001/src/cmd/goinstall/parse.go#ne... src/cmd/goinstall/parse.go:58: if strings.IndexAny(d.Name, "$\n\r") >= 0 { On 2011/02/25 13:29:26, niemeyer wrote: > Backquotes should be included in that list. ok, but i didn't think backquotes were special to make (i tried them and they weren't interpreted)
Sign in to reply to this message.
> ok, but i didn't think backquotes were special to make
Try this:
FOO=`echo Hi`
all:
6g $(FOO)
Sign in to reply to this message.
interesting. but they don't work in prerequisite lists, which is where the filenames end up. try this: all: \ `echo Hi'` echo $< i could add it anyway, just for good measure. On 25 February 2011 14:27, <n13m3y3r@gmail.com> wrote: >> ok, but i didn't think backquotes were special to make > > Try this: > > FOO=`echo Hi` > all: > 6g $(FOO) > > http://codereview.appspot.com/4248041/ >
Sign in to reply to this message.
> interesting. but they don't work in prerequisite lists, which > is where the filenames end up. goinstall github.com/niemeyer/shutdown
Sign in to reply to this message.
ah, of course, it's not just make metacharacters but also sh metacharacters because the filename ends up being passed to the shell. are there any more potentially dodgy bash metacharacters? i'm not that familiar with bash. On 25 February 2011 15:02, <n13m3y3r@gmail.com> wrote: >> interesting. but they don't work in prerequisite lists, which >> is where the filenames end up. > > goinstall github.com/niemeyer/shutdown > > > http://codereview.appspot.com/4248041/ >
Sign in to reply to this message.
Hello rsc, niemeyer (cc: golang-dev@googlegroups.com), Please take another look.
Sign in to reply to this message.
> are there any more potentially dodgy bash metacharacters? > i'm not that familiar with bash. Just reminded of another one: ; These work with pretty much any shell.
Sign in to reply to this message.
> Just reminded of another one: ;
And: [({|&<>!*
What a can of worms. I suggest reversing the approach and
whitelisting what is allowed instead. Reasonable filenames
aren't hard to describe.
Sign in to reply to this message.
Isn't this problem with make, not the rest of goinstall? If so, shoudn't the fix be in writeMakefile? Russ
Sign in to reply to this message.
the question is where to stop the rot. i see three possibilities: 1) a template formatter that flags an error on invalid names (awkward because of the way that templates work - it's difficult to pass a one-time value through to the formatter) 2) check when we add the names in makeMakefile; that's conceptually nicest, but we'll have to do the check three times. 3) check when the directory is scanned. least code, but it's second-guessing the makefile writer. i'm not sure about whitelisting - i think it's easier to blacklist but YMMV.
Sign in to reply to this message.
PTAL On 25 February 2011 15:49, roger peppe <rogpeppe@gmail.com> wrote: > the question is where to stop the rot. > > i see three possibilities: > > 1) a template formatter that flags an error on invalid names (awkward > because of the way that templates work - it's difficult to pass a > one-time value through to the formatter) > > 2) check when we add the names in makeMakefile; that's > conceptually nicest, but we'll have to do the check three times. > > 3) check when the directory is scanned. least code, but > it's second-guessing the makefile writer. > > i'm not sure about whitelisting - i think it's easier to blacklist > but YMMV. >
Sign in to reply to this message.
> i'm not sure about whitelisting - i think it's easier to blacklist > but YMMV. What do you mean by easier? This whole thread is based on the fact you are blacklisting and have no idea about what to blacklist.
Sign in to reply to this message.
On 25 February 2011 16:16, <n13m3y3r@gmail.com> wrote: >> i'm not sure about whitelisting - i think it's easier to blacklist >> but YMMV. > > What do you mean by easier? This whole thread is based on the fact > you are blacklisting and have no idea about what to blacklist. i agree, but perhaps a list of shell and make metacharacters (a known quantity, even if i don't know it) is easier to manage than a list of all possible valid pathname characters. for example, do you accept all unicode characters, or provide a list of acceptable unicode ranges?
Sign in to reply to this message.
> for example, do you accept all unicode characters, or provide a list
> of acceptable unicode ranges?
How about this:
func goodName(filename string) bool {
for _, c := range filename {
if !unicode.IsLetter(c) && c != '.' && c != '_' && c != '-' {
return false
}
}
return true
}
Sign in to reply to this message.
Sorry, digits are obviously missing, but you get the idea.
Sign in to reply to this message.
On 25 February 2011 17:09, <n13m3y3r@gmail.com> wrote: >> for example, do you accept all unicode characters, or provide a list >> of acceptable unicode ranges? > > How about this: > > func goodName(filename string) bool { > for _, c := range filename { > if !unicode.IsLetter(c) && c != '.' && c != '_' && c != '-' { > return false > } > } > return true > } that's pretty restrictive and would amount to a language change. you'd need to allow '/' too (the whole package path needs to be checked). digits would be ok too. if we're going to do this, it should be documented.
Sign in to reply to this message.
> that's pretty restrictive and would amount to a language change. Yes, it is pretty restrictive to reasonable filenames. But no, it's not a language change at all. > if we're going to do this, it should be documented. Sounds good.
Sign in to reply to this message.
we seem to be falling into lots of bikeshed discussions recently.
to end this one, here is the function to use:
var safeBytes =
"+-./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz"
func safeName(b []byte) bool {
for _, c := range b {
if c < 0x80 && strings.IndexByte(safeBytes, c) < 0 {
return false
}
}
return true
}
Sign in to reply to this message.
PTAL On 2011/02/25 17:26:25, rsc wrote: > "+-./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz" i might be inclined to add ':', '@' and ',' to that list.
Sign in to reply to this message.
*** Submitted as c4a961e2e4bc *** goinstall: protect against malicious filenames. It was possible to make package run arbitrary commands when installing if its filenames contained make metacharacters. R=rsc, niemeyer CC=golang-dev http://codereview.appspot.com/4248041 Committer: Russ Cox <rsc@golang.org>
Sign in to reply to this message.
|
