Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support SafeJoinPath and SafeJoinFilepath #23441

Closed
wants to merge 8 commits into from
Closed

Support SafeJoinPath and SafeJoinFilepath #23441

wants to merge 8 commits into from

Conversation

wolfogre
Copy link
Member

Follow #23371.

Introduce SafeJoinPath to replace CleanPath.

CleanPath could be misused as CleanPath(path.Join("/tmp", "../etc/passwd")), and the result will be "/etc/passwd", when the right way is path.Join("/tmp", CleanPath("../etc/passwd")).

However, it will be annoying if there are many paths like path.Join("/tmp", CleanPath(input1), CleanPath(input2), CleanPath(input3)). So SafeJoinPath could do it more simply: SafeJoinPath("/tmp", input1, input2, input3).

If we really want something like CleanPath, we can just use SafeJoinPath: CleanPath(p) == SafeJoinPath(p).

Also introduce SafeJoinFilepath for filepath.Join

@wolfogre wolfogre added type/refactoring Existing code has been cleaned up. There should be no new functionality. outdated/backport/v1.19 This PR should be backported to Gitea 1.19 labels Mar 13, 2023
@wolfogre wolfogre added this to the 1.20.0 milestone Mar 13, 2023
wxiaoguang
wxiaoguang reviewed Mar 13, 2023
View reviewed changes
modules/util/path.go Outdated
Comment on lines 263 to 265
if len(elem) > 0 && !strings.HasPrefix(elem[0], separator) {
return filepath.Join(elems...)[1:]
}
Copy link
Contributor

@wxiaoguang wxiaoguang Mar 13, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For windows: C:\foo => :\foo ?

I do not think Gitea has Windows servers to run tests .... so the test code for Windows never runs?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My bad, I thought the CI would run tests on Windows ...

I will fix it and run the tests on Windows to ensure it works.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Mar 13, 2023
@wolfogre wolfogre added the pr/wip This PR is not ready for review label Mar 13, 2023
@zeripath
Copy link
Contributor

I don't think this is as helpful as you think it will be or as safe as you think it will be.

a) Do we really have that many places where we join multiple user provided paths?
b) This doesn't prevent an initial "/". So you still always have to join the path with a base path.
c) There are times when user provided ".." are appropriate or joining ".." from within code is appropriate. This will likely prevent that.

Given that #23371 is IMO unsafe I think this needs more thought.

@wolfogre wolfogre removed the pr/wip This PR is not ready for review label Mar 13, 2023
@wxiaoguang
Copy link
Contributor

I don't think this is as helpful as you think it will be or as safe as you think it will be ....

Although #23371 doesn't look good, I think we need some util functions for paths.

  • There was incorrect fs.Open(path.Clean(file)) , luckily it doesn't cause security problems.
  • Since action is merged, Gitea needs to operate filesystems/stroages more and more, there are already many path-related security problems during review.

So, IMO:

  • We need to clearly define every path usage, absolute or relative.
  • Introduce some stable and clear path util functions.

@wxiaoguang wxiaoguang mentioned this pull request Mar 13, 2023
Merged
@wolfogre wolfogre added the pr/wip This PR is not ready for review label Mar 14, 2023
@wolfogre
Copy link
Member Author

Relaced by #23495

@wolfogre wolfogre closed this Mar 16, 2023
@lunny lunny removed this from the 1.20.0 milestone Mar 16, 2023
@delvh delvh removed the outdated/backport/v1.19 This PR should be backported to Gitea 1.19 label Mar 16, 2023
@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@wxiaoguang wxiaoguang wxiaoguang left review comments

Assignees
No one assigned
Labels
lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. pr/wip This PR is not ready for review type/refactoring Existing code has been cleaned up. There should be no new functionality.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@wolfogre @zeripath @wxiaoguang @lunny @GiteaBot @delvh @Zettat123