fix: enforce path validation for push/attach and improve path travers…

…al failure message for pull (oras-project#988) Signed-off-by: suganyas <ssuganyatce@gmail.com> Co-authored-by: Billy Zha <qweeah@gmail.com> Co-authored-by: Shiwei Zhang <shizh@microsoft.com>
shizhMSFT · Aug 3, 2023 · 59f2682 · 59f2682
1 parent 51ac344
commit 59f2682
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 2 deletions.
diff --git a/cmd/oras/internal/option/packer.go b/cmd/oras/internal/option/packer.go
@@ -21,11 +21,13 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"path/filepath"
 	"strings"
 
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/spf13/pflag"
 	"oras.land/oras-go/v2/content"
+	"oras.land/oras/cmd/oras/internal/fileref"
 )
 
 // Pre-defined annotation keys for annotation file
@@ -38,6 +40,7 @@ var (
 	errAnnotationConflict    = errors.New("`--annotation` and `--annotation-file` cannot be both specified")
 	errAnnotationFormat      = errors.New("missing key in `--annotation` flag")
 	errAnnotationDuplication = errors.New("duplicate annotation key")
+	errPathValidation        = errors.New("absolute file path detected. If it's intentional, use --disable-path-validation flag to skip this check")
 )
 
 // Packer option struct.
@@ -69,6 +72,25 @@ func (opts *Packer) ExportManifest(ctx context.Context, fetcher content.Fetcher,
 	}
 	return os.WriteFile(opts.ManifestExportPath, manifestBytes, 0666)
 }
+func (opts *Packer) Parse() error {
+	if !opts.PathValidationDisabled {
+		var failedPaths []string
+		for _, path := range opts.FileRefs {
+			// Remove the type if specified in the path <file>[:<type>] format
+			path, _, err := fileref.Parse(path, "")
+			if err != nil {
+				return err
+			}
+			if filepath.IsAbs(path) {
+				failedPaths = append(failedPaths, path)
+			}
+		}
+		if len(failedPaths) > 0 {
+			return fmt.Errorf("%w: %v", errPathValidation, strings.Join(failedPaths, ", "))
+		}
+	}
+	return nil
+}
 
 // LoadManifestAnnotations loads the manifest annotation map.
 func (opts *Packer) LoadManifestAnnotations() (annotations map[string]map[string]string, err error) {

diff --git a/cmd/oras/root/attach.go b/cmd/oras/root/attach.go
@@ -113,7 +113,6 @@ func runAttach(ctx context.Context, opts attachOptions) error {
 		return err
 	}
 	defer store.Close()
-	store.AllowPathTraversalOnWrite = opts.PathValidationDisabled
 
 	dst, err := opts.NewTarget(opts.Common)
 	if err != nil {

diff --git a/cmd/oras/root/pull.go b/cmd/oras/root/pull.go
@@ -17,6 +17,7 @@ package root
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"sync"
@@ -237,6 +238,9 @@ func runPull(ctx context.Context, opts pullOptions) error {
 	// Copy
 	desc, err := oras.Copy(ctx, src, opts.Reference, dst, opts.Reference, copyOptions)
 	if err != nil {
+		if errors.Is(err, file.ErrPathTraversalDisallowed) {
+			err = fmt.Errorf("%s: %w", "use flag --allow-path-traversal to allow insecurely pulling files outside of working directory", err)
+		}
 		return err
 	}
 	if pulledEmpty {

diff --git a/cmd/oras/root/push.go b/cmd/oras/root/push.go
@@ -139,7 +139,6 @@ func runPush(ctx context.Context, opts pushOptions) error {
 		return err
 	}
 	defer store.Close()
-	store.AllowPathTraversalOnWrite = opts.PathValidationDisabled
 	if opts.manifestConfigRef != "" {
 		path, cfgMediaType, err := fileref.Parse(opts.manifestConfigRef, oras.MediaTypeUnknownConfig)
 		if err != nil {