5af0dfb7fe
OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=189
70 lines
2.5 KiB
Diff
70 lines
2.5 KiB
Diff
From 57ed9c41a177f57e3d56465662750617ac36cc95 Mon Sep 17 00:00:00 2001
|
|
From: Joe Eacott <jeacott@vmware.com>
|
|
Date: Mon, 28 Jun 2021 16:46:35 -0600
|
|
Subject: [PATCH] Exclude the full path of a download URL to prevent
|
|
injection of malicious code (bsc#1190265) (CVE-2021-21996)
|
|
|
|
---
|
|
salt/fileclient.py | 7 +++++++
|
|
tests/unit/test_fileclient.py | 18 ++++++++++++++++++
|
|
2 files changed, 25 insertions(+)
|
|
|
|
diff --git a/salt/fileclient.py b/salt/fileclient.py
|
|
index 88dcf1668d..bdf450ffe6 100644
|
|
--- a/salt/fileclient.py
|
|
+++ b/salt/fileclient.py
|
|
@@ -28,6 +28,7 @@ import salt.utils.platform
|
|
import salt.utils.stringutils
|
|
import salt.utils.templates
|
|
import salt.utils.url
|
|
+import salt.utils.verify
|
|
import salt.utils.versions
|
|
from salt.exceptions import CommandExecutionError, MinionError
|
|
|
|
@@ -858,6 +859,12 @@ class Client:
|
|
else:
|
|
file_name = url_data.path
|
|
|
|
+ # clean_path returns an empty string if the check fails
|
|
+ root_path = salt.utils.path.join(cachedir, "extrn_files", saltenv, netloc)
|
|
+ new_path = os.path.sep.join([root_path, file_name])
|
|
+ if not salt.utils.verify.clean_path(root_path, new_path, subdir=True):
|
|
+ return "Invalid path"
|
|
+
|
|
if len(file_name) > MAX_FILENAME_LENGTH:
|
|
file_name = salt.utils.hashutils.sha256_digest(file_name)
|
|
|
|
diff --git a/tests/unit/test_fileclient.py b/tests/unit/test_fileclient.py
|
|
index 3aa7b7cf84..b6cc84a871 100644
|
|
--- a/tests/unit/test_fileclient.py
|
|
+++ b/tests/unit/test_fileclient.py
|
|
@@ -63,6 +63,24 @@ class FileclientTestCase(TestCase):
|
|
) as c_ref_itr:
|
|
assert c_ref_itr == "/__test__/files/base/testfile"
|
|
|
|
+ def test_cache_extrn_path_valid(self):
|
|
+ """
|
|
+ Tests for extrn_filepath for a given url
|
|
+ """
|
|
+ file_name = "http://localhost:8000/test/location/src/dev/usr/file"
|
|
+
|
|
+ ret = fileclient.Client(self.opts)._extrn_path(file_name, "base")
|
|
+ assert ret == os.path.join("__test__", "extrn_files", "base", ret)
|
|
+
|
|
+ def test_cache_extrn_path_invalid(self):
|
|
+ """
|
|
+ Tests for extrn_filepath for a given url
|
|
+ """
|
|
+ file_name = "http://localhost:8000/../../../../../usr/bin/bad"
|
|
+
|
|
+ ret = fileclient.Client(self.opts)._extrn_path(file_name, "base")
|
|
+ assert ret == "Invalid path"
|
|
+
|
|
def test_extrn_path_with_long_filename(self):
|
|
safe_file_name = os.path.split(
|
|
fileclient.Client(self.opts)._extrn_path(
|
|
--
|
|
2.33.0
|
|
|
|
|