Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

VAULT-32330: fix sanitize path function to account for backslashes #28878

Merged
merged 8 commits into from
Nov 13, 2024

Conversation

aslamovamir
Copy link
Contributor

@aslamovamir aslamovamir commented Nov 11, 2024

Description

What does this PR do?
Fixes a backslash check in logical_system.go by expanding the check to also include filtering for double forward and back slashes.

TODO only if you're a HashiCorp employee

  • Backport Labels: If this PR is in the ENT repo and needs to be backported, backport
    to N, N-1, and N-2, using the backport/ent/x.x.x+ent labels. If this PR is in the CE repo, you should only backport to N, using the backport/x.x.x label, not the enterprise labels.
    • If this fixes a critical security vulnerability or severity 1 bug, it will also need to be backported to the current LTS versions of Vault. To ensure this, use all available enterprise labels.
  • ENT Breakage: If this PR either 1) removes a public function OR 2) changes the signature
    of a public function, even if that change is in a CE file, double check that
    applying the patch for this PR to the ENT repo and running tests doesn't
    break any tests. Sometimes ENT only tests rely on public functions in CE
    files.
  • Jira: If this change has an associated Jira, it's referenced either
    in the PR description, commit message, or branch name.
  • RFC: If this change has an associated RFC, please link it in the description.
  • ENT PR: If this change has an associated ENT PR, please link it in the
    description. Also, make sure the changelog is in this PR, not in your ENT PR.

@aslamovamir aslamovamir requested a review from divyaac November 11, 2024 22:49
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Nov 11, 2024
Copy link

github-actions bot commented Nov 11, 2024

CI Results:
All Go tests succeeded! ✅

Copy link

github-actions bot commented Nov 11, 2024

Build Results:
All builds succeeded! ✅

@aslamovamir aslamovamir added backport/ent/1.16.x+ent Changes are backported to 1.16.x+ent pr/no-changelog and removed backport/ent/1.16.x+ent Changes are backported to 1.16.x+ent labels Nov 12, 2024
@aslamovamir aslamovamir added this to the 1.16.0 milestone Nov 12, 2024
Copy link
Contributor

@VioletHynes VioletHynes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A little comment so far. Remember also to add a title to the PR to briefly describe what it does, and a changelog will also need to be added to this PR.

I think the milestone is incorrect, as 1.16.0 has already released. My recommendation for a PR like this would be to use the pr/no-milestone tag for this PR as it shouldn't block any release. I would recommend only using milestones when this PR must be in an upcoming release.

path = path[1:]
}
// Remove all leading forward slashes and backslashes
path = strings.TrimLeft(path, "/\\")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This might not be the correct based on my reading of the finding, i.e.
has a leading slash, but not that it does not have '/' or '\' in its second position.

For example, I think this would modify \string to string, but that it shouldn't. Based on my reading, I think this should only trim /, //, or /\.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I might be misunderstanding - the way I understood this was that we not only have to check for a leading "/" but also a "//" and "/". Is this what you're saying as well Violet?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My reading is that it needs to check for /, //, and /\ -- it shouldn't modify a path that starts with \

Copy link
Contributor Author

@aslamovamir aslamovamir Nov 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the exact error from the security check: A redirect check that checks for a leading slash but not two leading slashes or a leading slash followed by a backslash is incomplete.

Copy link
Contributor

@divyaac divyaac Nov 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Violet's comment is the way I understand it too. But since it's trimming the leading slash after it checks it, it looks there is some modification that needs to be done?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, so we don't want to modify strings that start with a backslash -- which TrimLeft will do

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For clarity here, the behavior we want is:

//my_string ==> my_string
/my_string ==> my_string
/\my_string ==> my_string
/my_string ==> /my_string
\\//my_string ==> \\//my_string

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pushed a commit to address the concerns, please do let me know if it looks better now, many thanks!

@aslamovamir aslamovamir removed this from the 1.16.0 milestone Nov 12, 2024
@aslamovamir
Copy link
Contributor Author

A little comment so far. Remember also to add a title to the PR to briefly describe what it does, and a changelog will also need to be added to this PR.

I think the milestone is incorrect, as 1.16.0 has already released. My recommendation for a PR like this would be to use the pr/no-milestone tag for this PR as it shouldn't block any release. I would recommend only using milestones when this PR must be in an upcoming release.

Ahh nice notes, thanks Violet!
I will add the changelog, does it make sense to label it as security type in the changelog?
Ahh I see your point about the milestone. The ticket mentions the fix to be backported to all relevant versions (1.18, 1.17, 1.16). How do we add correct labels to backport again?

@VioletHynes
Copy link
Contributor

I would label this as an improvement or bug -- you can look around for examples to base yours off!

For backporting, just search backport/ in labels and add all three of them. Though you don't need to do that yet, you can wait until the PR is merged and it will work then too.

@aslamovamir aslamovamir added pr/no-milestone backport/ent/1.16.x+ent Changes are backported to 1.16.x+ent backport/1.18.x backport/ent/1.17.x+ent Changes are backported to 1.17.x+ent and removed pr/no-changelog labels Nov 12, 2024
@aslamovamir aslamovamir changed the title VAULT-32330 VAULT-32330: fix sanitize path function to account for backslashes Nov 12, 2024
vault/logical_system.go Dismissed Show dismissed Hide dismissed
vault/logical_system.go Dismissed Show dismissed Hide dismissed
for strings.HasPrefix(path, "/") {
path = path[1:]
// Check for the specified prefixes and trim them if present
for strings.HasPrefix(path, "/") || strings.HasPrefix(path, "/\\") {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems to satisfy the requirements, it may be worth double checking with Mickael or somebody to make sure this is accurate, since the code scanner seems to still be complaining. I'll hook you two up :)

Copy link
Contributor

@VioletHynes VioletHynes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved on my end, but we should double check before merging in case the scanner warning is legit.

Copy link
Contributor

@mickael-hc mickael-hc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After reviewing the changes, the finding is a false positive and we can dismiss it

@aslamovamir aslamovamir merged commit bf13271 into main Nov 13, 2024
91 checks passed
@aslamovamir aslamovamir deleted the aslamovamir-vault-32330 branch November 13, 2024 15:56
@aslamovamir aslamovamir added backport/ent/1.17.x+ent Changes are backported to 1.17.x+ent and removed backport/ent/1.17.x+ent Changes are backported to 1.17.x+ent labels Nov 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport/ent/1.16.x+ent Changes are backported to 1.16.x+ent backport/ent/1.17.x+ent Changes are backported to 1.17.x+ent backport/1.18.x hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed pr/no-milestone
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants