Prevent escaping from /proc via symlinks

This maybe could be more robustly solved via chroot
hfinucane · Jul 12, 2015 · 1fee38c · 1fee38c
1 parent f210d62
commit 1fee38c
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/main.go b/main.go
@@ -74,7 +74,18 @@ func vetPath(path string) (string, error) {
 	if strings.Contains(path, "..") {
 		return "", errors.New("directory traversal attempt detected")
 	}
-	return filepath.Join("/proc", path), nil
+
+	finalPath := filepath.Join("/proc", path)
+	cleanedFinalPath, err := filepath.EvalSymlinks(finalPath)
+	if err != nil {
+		return "", err
+	}
+
+	if cleanedFinalPath == "/proc" || strings.HasPrefix(cleanedFinalPath, "/proc/") {
+		return cleanedFinalPath, nil
+	}
+
+	return "", errors.New(fmt.Sprintf("Symlink traversal attempt detected from ", cleanedFinalPath))
 }
 
 func readProcPath(path string) (rval *ProcResult) {

diff --git a/main_test.go b/main_test.go
@@ -1,6 +1,8 @@
 package main
 
 import (
+	"fmt"
+	"os"
 	"testing"
 )
 
@@ -56,3 +58,14 @@ func TestNoTraversal(t *testing.T) {
 		t.Errorf("Expected no contents, got %v", proc_result)
 	}
 }
+
+func TestNoSymlinkTraversal(t *testing.T) {
+	proc_result := readProcPath(fmt.Sprintf("/self/%d/tasks/cwd/main_test.go", os.Getpid()))
+
+	if proc_result.Err == "" {
+		t.Errorf("Expected an error, got %v", proc_result)
+	}
+	if proc_result.Contents != nil {
+		t.Errorf("Expected no contents, got %v", proc_result)
+	}
+}