securejoin

package module
v0.4.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 28, 2025 License: BSD-3-Clause Imports: 12 Imported by: 628

README

filepath-securejoin

Go Documentation Build Status

Old API

This library was originally just an implementation of SecureJoin which was intended to be included in the Go standard library as a safer filepath.Join that would restrict the path lookup to be inside a root directory.

The implementation was based on code that existed in several container runtimes. Unfortunately, this API is fundamentally unsafe against attackers that can modify path components after SecureJoin returns and before the caller uses the path, allowing for some fairly trivial TOCTOU attacks.

SecureJoin (and SecureJoinVFS) are still provided by this library to support legacy users, but new users are strongly suggested to avoid using SecureJoin and instead use the new api or switch to libpathrs.

With the above limitations in mind, this library guarantees the following:

  • If no error is set, the resulting string must be a child path of root and will not contain any symlink path components (they will all be expanded).

  • When expanding symlinks, all symlink path components must be resolved relative to the provided root. In particular, this can be considered a userspace implementation of how chroot(2) operates on file paths. Note that these symlinks will not be expanded lexically (filepath.Clean is not called on the input before processing).

  • Non-existent path components are unaffected by SecureJoin (similar to filepath.EvalSymlinks's semantics).

  • The returned path will always be filepath.Cleaned and thus not contain any .. components.

A (trivial) implementation of this function on GNU/Linux systems could be done with the following (note that this requires root privileges and is far more opaque than the implementation in this library, and also requires that readlink is inside the root path and is trustworthy):

package securejoin

import (
	"os/exec"
	"path/filepath"
)

func SecureJoin(root, unsafePath string) (string, error) {
	unsafePath = string(filepath.Separator) + unsafePath
	cmd := exec.Command("chroot", root,
		"readlink", "--canonicalize-missing", "--no-newline", unsafePath)
	output, err := cmd.CombinedOutput()
	if err != nil {
		return "", err
	}
	expanded := string(output)
	return filepath.Join(root, expanded), nil
}

New API

While we recommend users switch to libpathrs as soon as it has a stable release, some methods implemented by libpathrs have been ported to this library to ease the transition. These APIs are only supported on Linux.

These APIs are implemented such that filepath-securejoin will opportunistically use certain newer kernel APIs that make these operations far more secure. In particular:

  • All of the lookup operations will use openat2 on new enough kernels (Linux 5.6 or later) to restrict lookups through magic-links and bind-mounts (for certain operations) and to make use of RESOLVE_IN_ROOT to efficiently resolve symlinks within a rootfs.

  • The APIs provide hardening against a malicious /proc mount to either detect or avoid being tricked by a /proc that is not legitimate. This is done using openat2 for all users, and privileged users will also be further protected by using fsopen and open_tree (Linux 5.2 or later).

OpenInRoot
func OpenInRoot(root, unsafePath string) (*os.File, error)
func OpenatInRoot(root *os.File, unsafePath string) (*os.File, error)
func Reopen(handle *os.File, flags int) (*os.File, error)

OpenInRoot is a much safer version of

path, err := securejoin.SecureJoin(root, unsafePath)
file, err := os.OpenFile(path, unix.O_PATH|unix.O_CLOEXEC)

that protects against various race attacks that could lead to serious security issues, depending on the application. Note that the returned *os.File is an O_PATH file descriptor, which is quite restricted. Callers will probably need to use Reopen to get a more usable handle (this split is done to provide useful features like PTY spawning and to avoid users accidentally opening bad inodes that could cause a DoS).

Callers need to be careful in how they use the returned *os.File. Usually it is only safe to operate on the handle directly, and it is very easy to create a security issue. libpathrs provides far more helpers to make using these handles safer -- there is currently no plan to port them to filepath-securejoin.

OpenatInRoot is like OpenInRoot except that the root is provided using an *os.File. This allows you to ensure that multiple OpenatInRoot (or MkdirAllHandle) calls are operating on the same rootfs.

NOTE: Unlike SecureJoin, OpenInRoot will error out as soon as it hits a dangling symlink or non-existent path. This is in contrast to SecureJoin which treated non-existent components as though they were real directories, and would allow for partial resolution of dangling symlinks. These behaviours are at odds with how Linux treats non-existent paths and dangling symlinks, and so these are no longer allowed.

MkdirAll
func MkdirAll(root, unsafePath string, mode int) error
func MkdirAllHandle(root *os.File, unsafePath string, mode int) (*os.File, error)

MkdirAll is a much safer version of

path, err := securejoin.SecureJoin(root, unsafePath)
err = os.MkdirAll(path, mode)

that protects against the same kinds of races that OpenInRoot protects against.

MkdirAllHandle is like MkdirAll except that the root is provided using an *os.File (the reason for this is the same as with OpenatInRoot) and an *os.File of the final created directory is returned (this directory is guaranteed to be effectively identical to the directory created by MkdirAllHandle, which is not possible to ensure by just using OpenatInRoot after MkdirAll).

NOTE: Unlike SecureJoin, MkdirAll will error out as soon as it hits a dangling symlink or non-existent path. This is in contrast to SecureJoin which treated non-existent components as though they were real directories, and would allow for partial resolution of dangling symlinks. These behaviours are at odds with how Linux treats non-existent paths and dangling symlinks, and so these are no longer allowed. This means that MkdirAll will not create non-existent directories referenced by a dangling symlink.

License

The license of this project is the same as Go, which is a BSD 3-clause license available in the LICENSE file.

Documentation

Overview

Package securejoin implements a set of helpers to make it easier to write Go code that is safe against symlink-related escape attacks. The primary idea is to let you resolve a path within a rootfs directory as if the rootfs was a chroot.

securejoin has two APIs, a "legacy" API and a "modern" API.

The legacy API is SecureJoin and SecureJoinVFS. These methods are **not** safe against race conditions where an attacker changes the filesystem after (or during) the SecureJoin operation.

The new API is made up of OpenInRoot and MkdirAll (and derived functions). These are safe against racing attackers and have several other protections that are not provided by the legacy API. There are many more operations that most programs expect to be able to do safely, but we do not provide explicit support for them because we want to encourage users to switch to [libpathrs](https://github.com/openSUSE/libpathrs) which is a cross-language next-generation library that is entirely designed around operating on paths safely.

securejoin has been used by several container runtimes (Docker, runc, Kubernetes, etc) for quite a few years as a de-facto standard for operating on container filesystem paths "safely". However, most users still use the legacy API which is unsafe against various attacks (there is a fairly long history of CVEs in dependent as a result). Users should switch to the modern API as soon as possible (or even better, switch to libpathrs).

This project was initially intended to be included in the Go standard library, but [it was rejected](https://go.dev/issue/20126). There is now a [new Go proposal](https://go.dev/issue/67002) for a safe path resolution API that shares some of the goals of filepath-securejoin. However, that design is intended to work like `openat2(RESOLVE_BENEATH)` which does not fit the usecase of container runtimes and most system tools.

Index

Constants

View Source 
const STATX_MNT_ID_UNIQUE = 0x4000

STATX_MNT_ID_UNIQUE is provided in golang.org/x/[email protected], but in order to avoid bumping the requirement for a single constant we can just define it ourselves.

Variables

This section is empty.

Functions

func IsNotExist added in v0.2.1 

func IsNotExist(err error) bool

IsNotExist tells you if err is an error that implies that either the path accessed does not exist (or path components don't exist). This is effectively a more broad version of os.IsNotExist.

func MkdirAll added in v0.3.0 

func MkdirAll(root, unsafePath string, mode os.FileMode) error

MkdirAll is a race-safe alternative to the os.MkdirAll function, where the new directory is guaranteed to be within the root directory (if an attacker can move directories from inside the root to outside the root, the created directory tree might be outside of the root but the key constraint is that at no point will we walk outside of the directory tree we are creating).

Effectively, MkdirAll(root, unsafePath, mode) is equivalent to 

path, _ := securejoin.SecureJoin(root, unsafePath)
err := os.MkdirAll(path, mode)

But is much safer. The above implementation is unsafe because if an attacker can modify the filesystem tree between SecureJoin and os.MkdirAll, it is possible for MkdirAll to resolve unsafe symlink components and create directories outside of the root.

If you plan to open the directory after you have created it or want to use an open directory handle as the root, you should use MkdirAllHandle instead. This function is a wrapper around MkdirAllHandle.

func MkdirAllHandle added in v0.3.0 

func MkdirAllHandle(root *os.File, unsafePath string, mode os.FileMode) (_ *os.File, Err error)

MkdirAllHandle is equivalent to MkdirAll, except that it is safer to use in two respects:

  • The caller provides the root directory as an *os.File (preferably O_PATH) handle. This means that the caller can be sure which root directory is being used. Note that this can be emulated by using /proc/self/fd/... as the root path with os.MkdirAll.

  • Once all of the directories have been created, an *os.File O_PATH handle to the directory at unsafePath is returned to the caller. This is done in an effectively-race-free way (an attacker would only be able to swap the final directory component), which is not possible to emulate with MkdirAll.

In addition, the returned handle is obtained far more efficiently than doing a brand new lookup of unsafePath (such as with SecureJoin or openat2) after doing MkdirAll. If you intend to open the directory after creating it, you should use MkdirAllHandle.

func OpenInRoot added in v0.3.0 

func OpenInRoot(root, unsafePath string) (*os.File, error)

OpenInRoot safely opens the provided unsafePath within the root. Effectively, OpenInRoot(root, unsafePath) is equivalent to 

path, _ := securejoin.SecureJoin(root, unsafePath)
handle, err := os.OpenFile(path, unix.O_PATH|unix.O_CLOEXEC)

But is much safer. The above implementation is unsafe because if an attacker can modify the filesystem tree between SecureJoin and os.OpenFile, it is possible for the returned file to be outside of the root.

Note that the returned handle is an O_PATH handle, meaning that only a very limited set of operations will work on the handle. This is done to avoid accidentally opening an untrusted file that could cause issues (such as a disconnected TTY that could cause a DoS, or some other issue). In order to use the returned handle, you can "upgrade" it to a proper handle using Reopen.

func OpenatInRoot added in v0.3.0 

func OpenatInRoot(root *os.File, unsafePath string) (*os.File, error)

OpenatInRoot is equivalent to OpenInRoot, except that the root is provided using an *os.File handle, to ensure that the correct root directory is used.

func Reopen added in v0.3.0 

func Reopen(handle *os.File, flags int) (*os.File, error)

Reopen takes an *os.File handle and re-opens it through /proc/self/fd. Reopen(file, flags) is effectively equivalent to 

fdPath := fmt.Sprintf("/proc/self/fd/%d", file.Fd())
os.OpenFile(fdPath, flags|unix.O_CLOEXEC)

But with some extra hardenings to ensure that we are not tricked by a maliciously-configured /proc mount. While this attack scenario is not common, in container runtimes it is possible for higher-level runtimes to be tricked into configuring an unsafe /proc that can be used to attack file operations. See CVE-2019-19921 for more details.

func SecureJoin 

func SecureJoin(root, unsafePath string) (string, error)

SecureJoin is a wrapper around SecureJoinVFS that just uses the os.* library of functions as the VFS. If in doubt, use this function over SecureJoinVFS.

func SecureJoinVFS added in v0.2.0 

func SecureJoinVFS(root, unsafePath string, vfs VFS) (string, error)

SecureJoinVFS joins the two given path components (similar to filepath.Join) except that the returned path is guaranteed to be scoped inside the provided root path (when evaluated). Any symbolic links in the path are evaluated with the given root treated as the root of the filesystem, similar to a chroot. The filesystem state is evaluated through the given VFS interface (if nil, the standard os.* family of functions are used).

Note that the guarantees provided by this function only apply if the path components in the returned string are not modified (in other words are not replaced with symlinks on the filesystem) after this function has returned. Such a symlink race is necessarily out-of-scope of SecureJoinVFS.

NOTE: Due to the above limitation, Linux users are strongly encouraged to use OpenInRoot instead, which does safely protect against these kinds of attacks. There is no way to solve this problem with SecureJoinVFS because the API is fundamentally wrong (you cannot return a "safe" path string and guarantee it won't be modified afterwards).

Volume names in unsafePath are always discarded, regardless if they are provided via direct input or when evaluating symlinks. Therefore:

"C:\Temp" + "D:\path\to\file.txt" results in "C:\Temp\path\to\file.txt"

If the provided root is not filepath.Clean then an error will be returned, as such root paths are bordering on somewhat unsafe and using such paths is not best practice. We also strongly suggest that any root path is first fully resolved using filepath.EvalSymlinks or otherwise constructed to avoid containing symlink components. Of course, the root also *must not* be attacker-controlled.

Types

type VFS added in v0.2.0 

type VFS interface {
	// Lstat returns an [os.FileInfo] describing the named file. If the
	// file is a symbolic link, the returned [os.FileInfo] describes the
	// symbolic link. Lstat makes no attempt to follow the link.
	// The semantics are identical to [os.Lstat].
	Lstat(name string) (os.FileInfo, error)

	// Readlink returns the destination of the named symbolic link.
	// The semantics are identical to [os.Readlink].
	Readlink(name string) (string, error)
}

VFS is the minimal interface necessary to use SecureJoinVFS. A nil VFS is equivalent to using the standard os.* family of functions. This is mainly used for the purposes of mock testing, but also can be used to otherwise use SecureJoinVFS with VFS-like system.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.