Backport of Fix for arbitrary file reads vulnerabilities into release/1.22.x#23252

Merged
santoshpulluri merged 1 commit into release/1.22.x from backport/sec_vul_arb_file_read/smoothly-eternal-beetle
Feb 23, 2026
Conversation

@hc-github-team-consul-core

Backport

This PR is auto-generated from #23249 to be assessed for backporting due to the inclusion of the label backport/1.22.

The below text is copied from the body of the original PR.


Description

This PR fixes a security vulnerability in the Vault CA provider's authentication methods (Kubernetes, JWT, and AppRole) that allowed arbitrary file reads through path traversal attacks.

Root Cause:

The auth providers used os.ReadFile() directly on user-supplied file paths without proper validation, allowing attackers to read any file on the system by manipulating configuration parameters.

Solution

Implemented OS-level path traversal protection using Go's os.OpenRoot() function, which creates a chroot-like restriction preventing access outside designated directories.

Security Measures:

    • Whitelist Validation: Only allow file reads from pre-defined standard directories
    • OS-Level Enforcement: Use os.OpenRoot() to prevent path traversal and symlink escapes at the kernel level
    • Defense in Depth: Multiple layers of validation ensure security even if one layer has bugs

Allowed Directories:

  1. Kubernetes Auth

    • /var/run/secrets/kubernetes.io/serviceaccount
    • /run/secrets/kubernetes.io/serviceaccount
  2. JWT Auth

    • /var/run/secrets/kubernetes.io/serviceaccount
    • /run/secrets/kubernetes.io/serviceaccount
    • /var/run/secrets
    • /run/secrets
  3. AppRole Auth

    • /var/run/secrets/vault
    • /run/secrets/vault
    • /var/run/secrets
    • /run/secrets

Testing:

Tests use symbolic links from allowed directories to temporary test directories, respecting the security boundaries while enabling test execution.
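How the allow-list and os.OpenRoot layering described above can be put together, as an added example that is not code from the PR or from Consul: it assumes Go 1.24 or newer (os.OpenRoot), takes the JWT-auth directory list from the description as the allow-list, and the function readWithinRoots and the temporary-directory demo in main are constructed for illustration.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// jwtAuthRoots is the JWT-auth allow-list from the PR description.
var jwtAuthRoots = []string{
	"/var/run/secrets/kubernetes.io/serviceaccount",
	"/run/secrets/kubernetes.io/serviceaccount",
	"/var/run/secrets",
	"/run/secrets",
}

// readWithinRoots reads path only if it lies under one of roots: the lexical Rel/IsLocal
// check is the allow-list layer; os.OpenRoot is the OS layer that refuses ".." and symlink escapes.
func readWithinRoots(path string, roots []string) ([]byte, error) {
	clean := filepath.Clean(path)
	for _, rootDir := range roots {
		rel, err := filepath.Rel(rootDir, clean)
		if err != nil || !filepath.IsLocal(rel) {
			continue // not lexically under this root; try the next one
		}
		root, err := os.OpenRoot(rootDir) // Go 1.24+
		if err != nil {
			return nil, err
		}
		defer root.Close()
		f, err := root.Open(rel) // fails if rel resolves outside rootDir, e.g. via a symlink
		if err != nil {
			return nil, err
		}
		defer f.Close()
		return io.ReadAll(f)
	}
	return nil, fmt.Errorf("%q is outside the allowed directories", path)
}

func main() {
	// Constructed demo: a temporary root holding one token file and a symlink that escapes it.
	dir, _ := os.MkdirTemp("", "rootdemo")
	defer os.RemoveAll(dir)
	_ = os.WriteFile(filepath.Join(dir, "token"), []byte("demo-token"), 0o600)
	_ = os.Symlink(filepath.Join(dir, "..", "outside"), filepath.Join(dir, "escape"))
	for _, p := range []string{filepath.Join(dir, "token"), filepath.Join(dir, "escape"), "/tmp/not-allowed"} {
		data, err := readWithinRoots(p, append([]string{dir}, jwtAuthRoots...))
		fmt.Printf("%s -> %q err=%v\n", p, data, err)
	}
}
```

Only the in-root token read succeeds; the symlink is rejected by os.Root even though it passes the lexical check, which is the second layer the description refers to.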



Auto approved Consul Bot automated PR

@github-actions github-actions bot added the theme/connect Anything related to Consul Connect, Service Mesh, Side Car Proxies label Feb 23, 2026
@santoshpulluri santoshpulluri merged commit a989831 into release/1.22.x Feb 23, 2026
101 checks passed