Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

VAULT-32330: fix sanitize path function to account for backslashes #28878

Merged
merged 8 commits into from
Nov 13, 2024
Prev Previous commit
Next Next commit
improve the logic to be more concise
  • Loading branch information
aslamovamir committed Nov 12, 2024
commit 2a78b5433956364da9548ad90323eb90048cdc3c
12 changes: 2 additions & 10 deletions vault/logical_system.go
Original file line number Diff line number Diff line change
Expand Up @@ -6168,16 +6168,8 @@ func sanitizePath(path string) string {
path += "/"
}

// Remove any leading slashes, double slashes, or slash-backslash combinations
for len(path) > 0 && (strings.HasPrefix(path, "/") || strings.HasPrefix(path, "//") || strings.HasPrefix(path, "/\\")) {
if strings.HasPrefix(path, "//") {
path = path[2:]
} else if strings.HasPrefix(path, "/\\") {
path = path[2:]
} else {
path = path[1:]
}
}
// Remove all leading forward slashes and backslashes
path = strings.TrimLeft(path, "/\\")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This might not be the correct based on my reading of the finding, i.e.
has a leading slash, but not that it does not have '/' or '\' in its second position.

For example, I think this would modify \string to string, but that it shouldn't. Based on my reading, I think this should only trim /, //, or /\.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I might be misunderstanding - the way I understood this was that we not only have to check for a leading "/" but also a "//" and "/". Is this what you're saying as well Violet?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My reading is that it needs to check for /, //, and /\ -- it shouldn't modify a path that starts with \

Copy link
Contributor Author

@aslamovamir aslamovamir Nov 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the exact error from the security check: A redirect check that checks for a leading slash but not two leading slashes or a leading slash followed by a backslash is incomplete.

Copy link
Contributor

@divyaac divyaac Nov 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Violet's comment is the way I understand it too. But since it's trimming the leading slash after it checks it, it looks there is some modification that needs to be done?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, so we don't want to modify strings that start with a backslash -- which TrimLeft will do

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For clarity here, the behavior we want is:

//my_string ==> my_string
/my_string ==> my_string
/\my_string ==> my_string
/my_string ==> /my_string
\\//my_string ==> \\//my_string

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pushed a commit to address the concerns, please do let me know if it looks better now, many thanks!


return path
}
Expand Down
Loading