Disallow .. and /mnt/.ephemeral as per review comments

bottlerocket-os · Dec 17, 2024 · af1b7ec · af1b7ec
1 parent c4b3c81
commit af1b7ec
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 9 deletions.
diff --git a/sources/api/apiserver/src/server/ephemeral_storage.rs b/sources/api/apiserver/src/server/ephemeral_storage.rs
@@ -114,13 +114,17 @@ pub fn bind(variant: &str, dirs: Vec<String>) -> Result<()> {
 
     let mount_point = format!("/mnt/{}", EPHEMERAL_MNT);
     let mount_point = Path::new(&mount_point);
-    let (allowed_exact, allowed_prefixes) = allowed_bind_dirs(variant);
+    let (allowed_exact, allowed_prefixes, disallowed_contains) = allowed_bind_dirs(variant);
     for dir in &dirs {
+        let exact_match = allowed_exact.contains(dir.as_str());
+        let prefix_match = allowed_prefixes
+            .iter()
+            .any(|prefix| dir.starts_with(prefix));
+        let disallowed_match = disallowed_contains
+            .iter()
+            .any(|contains| dir.contains(contains));
         ensure!(
-            allowed_exact.contains(dir.as_str())
-                || allowed_prefixes
-                    .iter()
-                    .any(|prefix| dir.starts_with(prefix)),
+            (exact_match || prefix_match) && !disallowed_match,
             error::InvalidParameterSnafu {
                 parameter: dir,
                 reason: "specified bind directory not in allow list",
@@ -272,8 +276,15 @@ pub fn ephemeral_devices() -> Result<Vec<String>> {
 }
 
 /// allowed_bind_dirs returns a set of the directories that can be bound to ephemeral storage, which
-/// varies based on the variant and a set of the prefixes of directories that are allowed to be bound.
-pub fn allowed_bind_dirs(variant: &str) -> (HashSet<&'static str>, &'static [&'static str]) {
+/// varies based on the variant, a set of the prefixes of directories that are allowed to be bound.
+/// and a set of substrings that are disallowed in the directory name.
+pub fn allowed_bind_dirs(
+    variant: &str,
+) -> (
+    HashSet<&'static str>,
+    &'static [&'static str],
+    &'static [&'static str],
+) {
     let mut allowed_exact = HashSet::from(["/var/lib/containerd", "/var/lib/host-containerd"]);
     if variant.contains("k8s") {
         allowed_exact.insert("/var/lib/kubelet");
@@ -284,7 +295,8 @@ pub fn allowed_bind_dirs(variant: &str) -> (HashSet<&'static str>, &'static [&'s
         allowed_exact.insert("/var/log/ecs");
     }
     let allowed_prefixes: &'static [&'static str] = &["/mnt/"];
-    (allowed_exact, allowed_prefixes)
+    let disallowed_contains: &'static [&'static str] = &["..", "/mnt/.ephemeral"];
+    (allowed_exact, allowed_prefixes, disallowed_contains)
 }
 
 /// scans the raid array to identify if it has been created already

diff --git a/sources/api/apiserver/src/server/mod.rs b/sources/api/apiserver/src/server/mod.rs
@@ -703,7 +703,7 @@ async fn list_ephemeral_storage_dirs(
 ) -> Result<HttpResponse> {
     let os_info = controller::get_os_info()?;
 
-    let (allowed_exact, _allowed_prefixes) =
+    let (allowed_exact, _allowed_prefixes, _disallowed_contains) =
         ephemeral_storage::allowed_bind_dirs(&os_info.variant_id);
     let mut text_response = String::new();
     for dir in &allowed_exact {