File exclude-the-full-path-of-a-download-url-to-prev... of Package salt.21409

Overview Repositories Revisions Requests Users Attributes Meta

File exclude-the-full-path-of-a-download-url-to-prevent-i.patch of Package salt.21409

From 0bc9a7153f7b43cf3a672eafca28294143f77827 Mon Sep 17 00:00:00 2001
From: Joe Eacott <jeacott@vmware.com>
Date: Mon, 28 Jun 2021 16:46:35 -0600
Subject: [PATCH] Exclude the full path of a download URL to prevent
 injection of malicious code (bsc#1190265) (CVE-2021-21996)

---
 salt/fileclient.py            |  7 +++++++
 tests/unit/test_fileclient.py | 18 ++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/salt/fileclient.py b/salt/fileclient.py
index f154e4fd43..388746a8f9 100644
--- a/salt/fileclient.py
+++ b/salt/fileclient.py
@@ -34,6 +34,7 @@ import salt.utils.platform
 import salt.utils.stringutils
 import salt.utils.templates
 import salt.utils.url
+import salt.utils.verify
 import salt.utils.versions
 from salt.utils.openstack.swift import SaltSwift
 
@@ -793,6 +794,12 @@ class Client(object):
         else:
             file_name = url_data.path
 
+        # clean_path returns an empty string if the check fails
+        root_path = salt.utils.path.join(cachedir, "extrn_files", saltenv, netloc)
+        new_path = os.path.sep.join([root_path, file_name])
+        if not salt.utils.verify.clean_path(root_path, new_path, subdir=True):
+            return "Invalid path"
+
         if len(file_name) > MAX_FILENAME_LENGTH:
             file_name = salt.utils.hashutils.sha256_digest(file_name)
 
diff --git a/tests/unit/test_fileclient.py b/tests/unit/test_fileclient.py
index ecc9ed40f1..cd18f6c65d 100644
--- a/tests/unit/test_fileclient.py
+++ b/tests/unit/test_fileclient.py
@@ -59,6 +59,24 @@ class FileclientTestCase(TestCase):
                     with fileclient.Client(self.opts)._cache_loc('testfile') as c_ref_itr:
                         assert c_ref_itr == '/__test__/files/base/testfile'
 
+    def test_cache_extrn_path_valid(self):
+        """
+        Tests for extrn_filepath for a given url
+        """
+        file_name = "http://localhost:8000/test/location/src/dev/usr/file"
+
+        ret = fileclient.Client(self.opts)._extrn_path(file_name, "base")
+        assert ret == os.path.join("__test__", "extrn_files", "base", ret)
+
+    def test_cache_extrn_path_invalid(self):
+        """
+        Tests for extrn_filepath for a given url
+        """
+        file_name = "http://localhost:8000/../../../../../usr/bin/bad"
+
+        ret = fileclient.Client(self.opts)._extrn_path(file_name, "base")
+        assert ret == "Invalid path"
+
     def test_extrn_path_with_long_filename(self):
         safe_file_name = os.path.split(fileclient.Client(self.opts)._extrn_path('https://test.com/' + ('A' * 254), 'base'))[-1]
         assert safe_file_name == 'A' * 254
-- 
2.33.0

Places

File exclude-the-full-path-of-a-download-url-to-prevent-i.patch of Package salt.21409

Places