Backport of Fix for arbitrary file reads vulnerabilities into release/1.22.x #23251

Draft
hc-github-team-consul-core wants to merge 1 commit into release/1.22.x from backport/sec_vul_arb_file_read/vertically-singular-swift

Conversation

@hc-github-team-consul-core (Collaborator)

Backport

This PR is auto-generated from #23249 to be assessed for backporting due to the inclusion of the label backport/1.22.

🚨 Warning: automatic cherry-pick of commits failed. If the first commit failed, you will see a blank no-op commit below. If at least one commit succeeded, you will see the cherry-picked commits up to, not including, the commit where the merge conflict occurred.

The person who merged in the original PR is:
@santoshpulluri
This person should resolve the merge-conflict(s) by either:

  • Manually completing the cherry picks into this branch
  • Creating a new branch and manually cherry-picking all commits being backported

merge conflict error: POST https://api.github.com/repos/hashicorp/consul/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.


Description

This PR fixes a security vulnerability in the Vault CA provider's authentication methods (Kubernetes, JWT, and AppRole) that allowed arbitrary file reads through path traversal attacks.

Root Cause:

The auth providers used os.ReadFile() directly on user-supplied file paths without proper validation, allowing attackers to read any file on the system by manipulating configuration parameters:

Solution

Implemented OS-level path traversal protection using Go's os.OpenRoot() function, which creates a chroot-like restriction preventing access outside designated directories.

Security Measures:

  • Whitelist Validation: Only allow file reads from pre-defined standard directories
  • OS-Level Enforcement: Use os.OpenRoot() to prevent path traversal and symlink escapes at the kernel level
  • Defense in Depth: Multiple layers of validation ensure security even if one layer has bugs

Allowed Directories:

  1. Kubernetes Auth

    • /var/run/secrets/kubernetes.io/serviceaccount
    • /run/secrets/kubernetes.io/serviceaccount
  2. JWT Auth

    • /var/run/secrets/kubernetes.io/serviceaccount
    • /run/secrets/kubernetes.io/serviceaccount
    • /var/run/secrets
    • /run/secrets
  3. AppRole Auth

    • /var/run/secrets/vault
    • /run/secrets/vault
    • /var/run/secrets
    • /run/secrets

Testing:

Tests use symbolic links from allowed directories to temporary test directories, respecting the security boundaries while enabling test execution.
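
The two-layer read described under Solution, as an added example in Go that is not Consul's code: an allowlist check on the cleaned path, then the actual read through os.OpenRoot (Go 1.24+) so that ".." segments and symlinks cannot leave the allowed directory. readFileWithinRoots, k8sAllowedDirs and the error strings are my own names; the directories are the Kubernetes allowlist from the PR body.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Allowed roots for the Kubernetes auth method, taken from the PR's allowlist.
var k8sAllowedDirs = []string{
	"/var/run/secrets/kubernetes.io/serviceaccount",
	"/run/secrets/kubernetes.io/serviceaccount",
}

// readFileWithinRoots replaces a bare os.ReadFile(path). Layer 1 checks that
// the cleaned path lies under an allowed directory; layer 2 reads it through
// os.Root (Go 1.24+), whose Open refuses ".." escapes and symlinks that
// resolve outside the root, so containment is enforced by the OS and not by
// string matching alone.
func readFileWithinRoots(allowedDirs []string, path string) ([]byte, error) {
	cleaned := filepath.Clean(path)
	for _, dir := range allowedDirs {
		rel, err := filepath.Rel(dir, cleaned)
		if err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
			continue // not under this directory; try the next allowed one
		}
		root, err := os.OpenRoot(dir)
		if err != nil {
			return nil, fmt.Errorf("open root %s: %w", dir, err)
		}
		defer root.Close()
		f, err := root.Open(rel) // containment checked per path component
		if err != nil {
			return nil, fmt.Errorf("open %s under %s: %w", rel, dir, err)
		}
		defer f.Close()
		return io.ReadAll(f)
	}
	return nil, fmt.Errorf("path %q is not under an allowed directory", path)
}

func main() {
	// Stand-alone demo: succeeds only inside a pod with a mounted token.
	_, err := readFileWithinRoots(k8sAllowedDirs, "/var/run/secrets/kubernetes.io/serviceaccount/token")
	fmt.Println("in-cluster token read, err =", err)
}
```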



Auto approved Consul Bot automated PR

@hashicorp-cla-app

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes


temp seems not to be a GitHub user.
You need a GitHub account to be able to sign the CLA.
If you have already a GitHub account, please add the email address used for this commit to your account.

Have you signed the CLA already but the status is still pending? Recheck it.
