[WIP/DNM] CVE: Fix Receiver malicious tenant

If running as root or with enough privileges, receiver can create a directory outside of the configured TenantHeader. This commit fixes it up by sanitizing the user input and explicity not allowing such behavior. Signed-off-by: Daniel Mellado <dmellado@redhat.com>
thanos-io · Dec 19, 2022 · 4ab0ca9 · 4ab0ca9
1 parent a89dd0c
commit 4ab0ca9
Showing 1 changed file with 13 additions and 2 deletions.
diff --git a/pkg/receive/handler.go b/pkg/receive/handler.go
@@ -12,18 +12,20 @@ import (
  stdlog "log"
  "net"
  "net/http"
+ "path"
  "sort"
  "strconv"
  "sync"
  "time"
 
+ "github.com/mwitkow/go-conntrack"
+ "github.com/opentracing/opentracing-go"
+
  "github.com/go-kit/log"
  "github.com/go-kit/log/level"
  "github.com/gogo/protobuf/proto"
  "github.com/jpillora/backoff"
  "github.com/klauspost/compress/s2"
- "github.com/mwitkow/go-conntrack"
- "github.com/opentracing/opentracing-go"
  "github.com/pkg/errors"
  "github.com/prometheus/client_golang/prometheus"
  "github.com/prometheus/client_golang/prometheus/promauto"
@@ -403,6 +405,13 @@ func (h *Handler) handleRequest(ctx context.Context, rep uint64, tenant string,
  return h.forward(ctx, tenant, r, wreq)
 }
 
+func (h *Handler) isTenantValid(tenant string, err error, w http.ResponseWriter) {
+ if tenant != path.Base(tenant) {
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return
+ }
+}
+
 func (h *Handler) receiveHTTP(w http.ResponseWriter, r *http.Request) {
  var err error
  span, ctx := tracing.StartSpan(r.Context(), "receive_http")
@@ -422,6 +431,8 @@ func (h *Handler) receiveHTTP(w http.ResponseWriter, r *http.Request) {
  }
  }
 
+ h.isTenantValid(tenant, err, w)
+
  tLogger := log.With(h.logger, "tenant", tenant)
 
  writeGate := h.Limiter.WriteGate()