PosixSourceAccessor: Don't follow any symlinks

All path components must not be symlinks now (so the user needs to
call `resolveSymlinks()` when needed).
This commit is contained in:
Eelco Dolstra 2023-12-05 23:02:59 +01:00
parent 345f79d016
commit 83c067c0fa
7 changed files with 58 additions and 30 deletions

View file

@ -692,16 +692,17 @@ SourcePath resolveExprPath(SourcePath path)
/* If `path' is a symlink, follow it. This is so that relative /* If `path' is a symlink, follow it. This is so that relative
path references work. */ path references work. */
while (true) { while (!path.path.isRoot()) {
// Basic cycle/depth limit to avoid infinite loops. // Basic cycle/depth limit to avoid infinite loops.
if (++followCount >= maxFollow) if (++followCount >= maxFollow)
throw Error("too many symbolic links encountered while traversing the path '%s'", path); throw Error("too many symbolic links encountered while traversing the path '%s'", path);
if (path.lstat().type != InputAccessor::tSymlink) break; auto p = path.parent().resolveSymlinks() + path.baseName();
path = {path.accessor, CanonPath(path.readLink(), path.path.parent().value_or(CanonPath::root))}; if (p.lstat().type != InputAccessor::tSymlink) break;
path = {path.accessor, CanonPath(p.readLink(), path.path.parent().value_or(CanonPath::root))};
} }
/* If `path' refers to a directory, append `/default.nix'. */ /* If `path' refers to a directory, append `/default.nix'. */
if (path.lstat().type == InputAccessor::tDirectory) if (path.resolveSymlinks().lstat().type == InputAccessor::tDirectory)
return path + "default.nix"; return path + "default.nix";
return path; return path;
@ -716,7 +717,7 @@ Expr * EvalState::parseExprFromFile(const SourcePath & path)
Expr * EvalState::parseExprFromFile(const SourcePath & path, std::shared_ptr<StaticEnv> & staticEnv) Expr * EvalState::parseExprFromFile(const SourcePath & path, std::shared_ptr<StaticEnv> & staticEnv)
{ {
auto buffer = path.readFile(); auto buffer = path.resolveSymlinks().readFile();
// readFile hopefully have left some extra space for terminators // readFile hopefully have left some extra space for terminators
buffer.append("\0\0", 2); buffer.append("\0\0", 2);
return parse(buffer.data(), buffer.size(), Pos::Origin(path), path.parent(), staticEnv); return parse(buffer.data(), buffer.size(), Pos::Origin(path), path.parent(), staticEnv);

View file

@ -110,7 +110,7 @@ StringMap EvalState::realiseContext(const NixStringContext & context)
return res; return res;
} }
static SourcePath realisePath(EvalState & state, const PosIdx pos, Value & v) static SourcePath realisePath(EvalState & state, const PosIdx pos, Value & v, bool resolveSymlinks = true)
{ {
NixStringContext context; NixStringContext context;
@ -120,9 +120,9 @@ static SourcePath realisePath(EvalState & state, const PosIdx pos, Value & v)
if (!context.empty() && path.accessor == state.rootFS) { if (!context.empty() && path.accessor == state.rootFS) {
auto rewrites = state.realiseContext(context); auto rewrites = state.realiseContext(context);
auto realPath = state.toRealPath(rewriteStrings(path.path.abs(), rewrites), context); auto realPath = state.toRealPath(rewriteStrings(path.path.abs(), rewrites), context);
return {path.accessor, CanonPath(realPath)}; path = {path.accessor, CanonPath(realPath)};
} else }
return path; return resolveSymlinks ? path.resolveSymlinks() : path;
} catch (Error & e) { } catch (Error & e) {
e.addTrace(state.positions[pos], "while realising the context of path '%s'", path); e.addTrace(state.positions[pos], "while realising the context of path '%s'", path);
throw; throw;
@ -162,7 +162,7 @@ static void mkOutputString(
argument. */ argument. */
static void import(EvalState & state, const PosIdx pos, Value & vPath, Value * vScope, Value & v) static void import(EvalState & state, const PosIdx pos, Value & vPath, Value * vScope, Value & v)
{ {
auto path = realisePath(state, pos, vPath); auto path = realisePath(state, pos, vPath, false);
auto path2 = path.path.abs(); auto path2 = path.path.abs();
// FIXME // FIXME
@ -1525,6 +1525,7 @@ static RegisterPrimOp primop_storePath({
static void prim_pathExists(EvalState & state, const PosIdx pos, Value * * args, Value & v) static void prim_pathExists(EvalState & state, const PosIdx pos, Value * * args, Value & v)
{ {
try {
auto & arg = *args[0]; auto & arg = *args[0];
auto path = realisePath(state, pos, arg); auto path = realisePath(state, pos, arg);
@ -1534,7 +1535,6 @@ static void prim_pathExists(EvalState & state, const PosIdx pos, Value * * args,
&& (arg.string_view().ends_with("/") && (arg.string_view().ends_with("/")
|| arg.string_view().ends_with("/.")); || arg.string_view().ends_with("/."));
try {
auto st = path.maybeLstat(); auto st = path.maybeLstat();
auto exists = st && (!mustBeDir || st->type == SourceAccessor::tDirectory); auto exists = st && (!mustBeDir || st->type == SourceAccessor::tDirectory);
v.mkBool(exists); v.mkBool(exists);
@ -1771,7 +1771,7 @@ static std::string_view fileTypeToString(InputAccessor::Type type)
static void prim_readFileType(EvalState & state, const PosIdx pos, Value * * args, Value & v) static void prim_readFileType(EvalState & state, const PosIdx pos, Value * * args, Value & v)
{ {
auto path = realisePath(state, pos, *args[0]); auto path = realisePath(state, pos, *args[0], false);
/* Retrieve the directory entry type and stringize it. */ /* Retrieve the directory entry type and stringize it. */
v.mkString(fileTypeToString(path.lstat().type)); v.mkString(fileTypeToString(path.lstat().type));
} }

View file

@ -8,9 +8,9 @@ void PosixSourceAccessor::readFile(
Sink & sink, Sink & sink,
std::function<void(uint64_t)> sizeCallback) std::function<void(uint64_t)> sizeCallback)
{ {
// FIXME: add O_NOFOLLOW since symlinks should be resolved by the assertNoSymlinks(path);
// caller?
AutoCloseFD fd = open(path.c_str(), O_RDONLY | O_CLOEXEC); AutoCloseFD fd = open(path.c_str(), O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
if (!fd) if (!fd)
throw SysError("opening file '%1%'", path); throw SysError("opening file '%1%'", path);
@ -42,14 +42,16 @@ void PosixSourceAccessor::readFile(
bool PosixSourceAccessor::pathExists(const CanonPath & path) bool PosixSourceAccessor::pathExists(const CanonPath & path)
{ {
if (auto parent = path.parent()) assertNoSymlinks(*parent);
return nix::pathExists(path.abs()); return nix::pathExists(path.abs());
} }
std::optional<SourceAccessor::Stat> PosixSourceAccessor::maybeLstat(const CanonPath & path) std::optional<SourceAccessor::Stat> PosixSourceAccessor::maybeLstat(const CanonPath & path)
{ {
if (auto parent = path.parent()) assertNoSymlinks(*parent);
struct stat st; struct stat st;
if (::lstat(path.c_str(), &st)) { if (::lstat(path.c_str(), &st)) {
if (errno == ENOENT) return std::nullopt; if (errno == ENOENT || errno == ENOTDIR) return std::nullopt;
throw SysError("getting status of '%s'", showPath(path)); throw SysError("getting status of '%s'", showPath(path));
} }
mtime = std::max(mtime, st.st_mtime); mtime = std::max(mtime, st.st_mtime);
@ -66,6 +68,7 @@ std::optional<SourceAccessor::Stat> PosixSourceAccessor::maybeLstat(const CanonP
SourceAccessor::DirEntries PosixSourceAccessor::readDirectory(const CanonPath & path) SourceAccessor::DirEntries PosixSourceAccessor::readDirectory(const CanonPath & path)
{ {
assertNoSymlinks(path);
DirEntries res; DirEntries res;
for (auto & entry : nix::readDirectory(path.abs())) { for (auto & entry : nix::readDirectory(path.abs())) {
std::optional<Type> type; std::optional<Type> type;
@ -81,6 +84,7 @@ SourceAccessor::DirEntries PosixSourceAccessor::readDirectory(const CanonPath &
std::string PosixSourceAccessor::readLink(const CanonPath & path) std::string PosixSourceAccessor::readLink(const CanonPath & path)
{ {
if (auto parent = path.parent()) assertNoSymlinks(*parent);
return nix::readLink(path.abs()); return nix::readLink(path.abs());
} }
@ -89,4 +93,19 @@ std::optional<CanonPath> PosixSourceAccessor::getPhysicalPath(const CanonPath &
return path; return path;
} }
void PosixSourceAccessor::assertNoSymlinks(CanonPath path)
{
// FIXME: cache this since it potentially causes a lot of lstat calls.
while (!path.isRoot()) {
struct stat st;
if (::lstat(path.c_str(), &st)) {
if (errno != ENOENT)
throw SysError("getting status of '%s'", showPath(path));
}
if (S_ISLNK(st.st_mode))
throw Error("path '%s' is a symlink", showPath(path));
path.pop();
}
}
} }

View file

@ -29,6 +29,11 @@ struct PosixSourceAccessor : virtual SourceAccessor
std::string readLink(const CanonPath & path) override; std::string readLink(const CanonPath & path) override;
std::optional<CanonPath> getPhysicalPath(const CanonPath & path) override; std::optional<CanonPath> getPhysicalPath(const CanonPath & path) override;
/**
* Throw an error if `path` or any of its ancestors are symlinks.
*/
void assertNoSymlinks(CanonPath path);
}; };
} }

View file

@ -97,7 +97,7 @@ static bool isNixExpr(const SourcePath & path, struct InputAccessor::Stat & st)
{ {
return return
st.type == InputAccessor::tRegular st.type == InputAccessor::tRegular
|| (st.type == InputAccessor::tDirectory && (path + "default.nix").pathExists()); || (st.type == InputAccessor::tDirectory && (path + "default.nix").resolveSymlinks().pathExists());
} }
@ -116,11 +116,11 @@ static void getAllExprs(EvalState & state,
are implemented using profiles). */ are implemented using profiles). */
if (i == "manifest.nix") continue; if (i == "manifest.nix") continue;
SourcePath path2 = path + i; auto path2 = (path + i).resolveSymlinks();
InputAccessor::Stat st; InputAccessor::Stat st;
try { try {
st = path2.resolveSymlinks().lstat(); st = path2.lstat();
} catch (Error &) { } catch (Error &) {
continue; // ignore dangling symlinks in ~/.nix-defexpr continue; // ignore dangling symlinks in ~/.nix-defexpr
} }

View file

@ -21,7 +21,7 @@ DrvInfos queryInstalled(EvalState & state, const Path & userEnv)
auto manifestFile = userEnv + "/manifest.nix"; auto manifestFile = userEnv + "/manifest.nix";
if (pathExists(manifestFile)) { if (pathExists(manifestFile)) {
Value v; Value v;
state.evalFile(state.rootPath(CanonPath(manifestFile)), v); state.evalFile(state.rootPath(CanonPath(manifestFile)).resolveSymlinks(), v);
Bindings & bindings(*state.allocBindings(0)); Bindings & bindings(*state.allocBindings(0));
getDerivations(state, v, "", bindings, elems, false); getDerivations(state, v, "", bindings, elems, false);
} }

View file

@ -40,13 +40,16 @@ nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I $TEST_ROOT -
[[ $(nix eval --raw --impure --restrict-eval -I . --expr 'builtins.readFile "${import ./simple.nix}/hello"') == 'Hello World!' ]] [[ $(nix eval --raw --impure --restrict-eval -I . --expr 'builtins.readFile "${import ./simple.nix}/hello"') == 'Hello World!' ]]
# Check that we can't follow a symlink outside of the allowed paths. # Check that we can't follow a symlink outside of the allowed paths.
mkdir -p $TEST_ROOT/tunnel.d mkdir -p $TEST_ROOT/tunnel.d $TEST_ROOT/foo2
ln -sfn .. $TEST_ROOT/tunnel.d/tunnel ln -sfn .. $TEST_ROOT/tunnel.d/tunnel
echo foo > $TEST_ROOT/bar echo foo > $TEST_ROOT/bar
expectStderr 1 nix-instantiate --restrict-eval --eval -E "let __nixPath = [ { prefix = \"foo\"; path = $TEST_ROOT/tunnel.d; } ]; in builtins.readFile <foo/tunnel/bar>" -I $TEST_ROOT/tunnel.d | grepQuiet "forbidden in restricted mode" expectStderr 1 nix-instantiate --restrict-eval --eval -E "let __nixPath = [ { prefix = \"foo\"; path = $TEST_ROOT/tunnel.d; } ]; in builtins.readFile <foo/tunnel/bar>" -I $TEST_ROOT/tunnel.d | grepQuiet "forbidden in restricted mode"
expectStderr 1 nix-instantiate --restrict-eval --eval -E "let __nixPath = [ { prefix = \"foo\"; path = $TEST_ROOT/tunnel.d; } ]; in builtins.readDir <foo/tunnel>" -I $TEST_ROOT/tunnel.d | grepQuiet "forbidden in restricted mode" expectStderr 1 nix-instantiate --restrict-eval --eval -E "let __nixPath = [ { prefix = \"foo\"; path = $TEST_ROOT/tunnel.d; } ]; in builtins.readDir <foo/tunnel/foo2>" -I $TEST_ROOT/tunnel.d | grepQuiet "forbidden in restricted mode"
# Reading the parents of allowed paths should show only the ancestors of the allowed paths.
[[ $(nix-instantiate --restrict-eval --eval -E "let __nixPath = [ { prefix = \"foo\"; path = $TEST_ROOT/tunnel.d; } ]; in builtins.readDir <foo/tunnel>" -I $TEST_ROOT/tunnel.d) == '{ "tunnel.d" = "directory"; }' ]]
# Check whether we can leak symlink information through directory traversal. # Check whether we can leak symlink information through directory traversal.
traverseDir="$(pwd)/restricted-traverse-me" traverseDir="$(pwd)/restricted-traverse-me"