CVE: Fix Receiver malicious tenant

If running as root or with enough privileges, receiver can create a directory outside of the configured TenantHeader. This commit fixes it up by sanitizing the user input and explicity not allowing such behavior. Signed-off-by: Daniel Mellado <dmellado@redhat.com>
thanos-io · Jan 29, 2023 · 96bb424 · 96bb424
1 parent 1b12ab9
commit 96bb424
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 0 deletions.
diff --git a/pkg/receive/handler.go b/pkg/receive/handler.go
@@ -12,6 +12,7 @@ import (
  stdlog "log"
  "net"
  "net/http"
+ "path"
  "sort"
  "strconv"
  "sync"
@@ -403,6 +404,13 @@ func (h *Handler) handleRequest(ctx context.Context, rep uint64, tenant string,
  return h.forward(ctx, tenant, r, wreq)
 }
 
+func (h *Handler) isTenantValid(tenant string) error {
+ if tenant != path.Base(tenant) {
+ return errors.New("Tenant name not valid")
+ }
+ return nil
+}
+
 func (h *Handler) receiveHTTP(w http.ResponseWriter, r *http.Request) {
  var err error
  span, ctx := tracing.StartSpan(r.Context(), "receive_http")
@@ -424,6 +432,13 @@ func (h *Handler) receiveHTTP(w http.ResponseWriter, r *http.Request) {
 
  tLogger := log.With(h.logger, "tenant", tenant)
 
+ err = h.isTenantValid(tenant)
+ if err != nil {
+ level.Error(tLogger).Log("err", err, "msg", "tenant name not allowed")
+ http.Error(w, err.Error(), http.StatusBadRequest)
+ return
+ }
+
  writeGate := h.Limiter.WriteGate()
  tracing.DoInSpan(r.Context(), "receive_write_gate_ismyturn", func(ctx context.Context) {
  err = writeGate.Start(r.Context())

diff --git a/pkg/receive/handler_test.go b/pkg/receive/handler_test.go
@@ -1090,6 +1090,41 @@ func Heap(dir string) (err error) {
  return pprof.WriteHeapProfile(f)
 }
 
+func TestIsTenantValid(t *testing.T) {
+ for _, tcase := range []struct {
+ name string
+ tenant string
+
+ expectedErr error
+ }{
+ {
+ name: "test malicious tenant",
+ tenant: "/etc/foo",
+ expectedErr: errors.New("Tenant name not valid"),
+ },
+ {
+ name: "test malicious tenant going out of receiver directory",
+ tenant: "./../../hacker_dir",
+ expectedErr: errors.New("Tenant name not valid"),
+ },
+ {
+ name: "test valid tenant",
+ tenant: "foo",
+ },
+ } {
+ t.Run(tcase.name, func(t *testing.T) {
+ h := NewHandler(nil, &Options{})
+ err := h.isTenantValid(tcase.tenant)
+ if tcase.expectedErr != nil {
+ testutil.NotOk(t, err)
+ testutil.Equals(t, tcase.expectedErr.Error(), err.Error())
+ return
+ }
+ testutil.Ok(t, err)
+ })
+ }
+}
+
 func TestRelabel(t *testing.T) {
  for _, tcase := range []struct {
  name string