Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: enforce path validation for push/attach and improve path traversal failure message for pull #988

Merged
merged 15 commits into from
Jun 28, 2023
Merged

fix: enforce path validation for push/attach and improve path traversal failure message for pull #988

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
755a83c
Add changes for fixing the absolute path behaviour in oras push and a…
suganyas Jun 26, 2023
caec5ff
Update cmd/oras/internal/option/packer.go
suganyas Jun 27, 2023
007b2d9
Update cmd/oras/internal/option/packer.go
suganyas Jun 27, 2023
8f447bd
Update cmd/oras/root/pull.go
suganyas Jun 27, 2023
de4bdb7
Address review comments from Billy and tested code
suganyas Jun 27, 2023
351a110
Update cmd/oras/internal/option/packer.go
suganyas Jun 27, 2023
e03dec7
Update cmd/oras/internal/option/packer.go
suganyas Jun 27, 2023
8f03f50
Update cmd/oras/internal/option/packer.go
suganyas Jun 27, 2023
af7c0ea
Update cmd/oras/root/pull.go
suganyas Jun 27, 2023
2609e2f
Update cmd/oras/internal/option/packer.go
suganyas Jun 27, 2023
d1dd526
Update cmd/oras/internal/option/packer.go
suganyas Jun 27, 2023
0c656ee
Fix the build for compilation error
suganyas Jun 27, 2023
8420368
Update cmd/oras/internal/option/packer.go
suganyas Jun 28, 2023
f3549cd
Update cmd/oras/root/pull.go
suganyas Jun 28, 2023
ae964ec
Update cmd/oras/internal/option/packer.go
suganyas Jun 28, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 22 additions & 0 deletions cmd/oras/internal/option/packer.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,11 +21,13 @@ import (
"errors"
"fmt"
"os"
"path/filepath"
"strings"

ocispec "github.com/opencontainers/image-spec/specs-go/v1"
"github.com/spf13/pflag"
"oras.land/oras-go/v2/content"
"oras.land/oras/cmd/oras/internal/fileref"
)

// Pre-defined annotation keys for annotation file
Expand All @@ -38,6 +40,7 @@ var (
errAnnotationConflict = errors.New("`--annotation` and `--annotation-file` cannot be both specified")
errAnnotationFormat = errors.New("missing key in `--annotation` flag")
errAnnotationDuplication = errors.New("duplicate annotation key")
errPathValidation = errors.New("absolute file path detected. If it's intentional, use --disable-path-validation flag to skip this check")
)

// Packer option struct.
Expand Down Expand Up @@ -69,6 +72,25 @@ func (opts *Packer) ExportManifest(ctx context.Context, fetcher content.Fetcher,
}
return os.WriteFile(opts.ManifestExportPath, manifestBytes, 0666)
}
func (opts *Packer) Parse() error {
if !opts.PathValidationDisabled {
var failedPaths []string
for _, path := range opts.FileRefs {
// Remove the type if specified in the path <file>[:<type>] format
path, _, err := fileref.Parse(path, "")
if err != nil {
return err
}
if filepath.IsAbs(path) {
failedPaths = append(failedPaths, path)
}
}
if len(failedPaths) > 0 {
return fmt.Errorf("%w: %v", errPathValidation, strings.Join(failedPaths, ", "))
}
}
return nil
}

// LoadManifestAnnotations loads the manifest annotation map.
func (opts *Packer) LoadManifestAnnotations() (annotations map[string]map[string]string, err error) {
Expand Down
1 change: 0 additions & 1 deletion cmd/oras/root/attach.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,6 @@ func runAttach(ctx context.Context, opts attachOptions) error {
return err
}
defer store.Close()
store.AllowPathTraversalOnWrite = opts.PathValidationDisabled

dst, err := opts.NewTarget(opts.Common)
if err != nil {
Expand Down
4 changes: 4 additions & 0 deletions cmd/oras/root/pull.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ package root

import (
"context"
"errors"
"fmt"
"io"
"sync"
Expand Down Expand Up @@ -237,6 +238,9 @@ func runPull(ctx context.Context, opts pullOptions) error {
// Copy
desc, err := oras.Copy(ctx, src, opts.Reference, dst, opts.Reference, copyOptions)
if err != nil {
if errors.Is(err, file.ErrPathTraversalDisallowed) {
err = fmt.Errorf("%s: %w", "use flag --allow-path-traversal to allow insecurely pulling files outside of working directory", err)
}
return err
}
if pulledEmpty {
Expand Down
1 change: 0 additions & 1 deletion cmd/oras/root/push.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -139,7 +139,6 @@ func runPush(ctx context.Context, opts pushOptions) error {
return err
}
defer store.Close()
store.AllowPathTraversalOnWrite = opts.PathValidationDisabled
if opts.manifestConfigRef != "" {
path, cfgMediaType, err := fileref.Parse(opts.manifestConfigRef, oras.MediaTypeUnknownConfig)
if err != nil {
Expand Down