Skip to content

Releases: cyphar/filepath-securejoin

v0.3.4

09 Oct 04:08
v0.3.4
fd16ade
Compare
Choose a tag to compare

This release primarily includes a fix that blocked using
filepath-securejoin in Kubernetes.

  • Previously, some testing mocks we had resulted in us doing import "testing"
    in non-_test.go code, which made some downstreams like Kubernetes unhappy.
    This has been fixed. (#32)

Thanks to all of the contributors who made this release possible:

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

v0.3.3

30 Sep 14:23
v0.3.3
93cff46
Compare
Choose a tag to compare

This release primarily includes fixes for spurious errors we hit when
checking that directories created by MkdirAll "look right". Upon further
consideration, these checks were fundamentally buggy and didn't offer
any practical protection anyway.

  • The mode and owner verification logic in MkdirAll has been removed. This
    was originally intended to protect against some theoretical attacks but upon
    further consideration these protections don't actually buy us anything and
    they were causing spurious errors with more complicated filesystem setups.
  • The "is the created directory empty" logic in MkdirAll has also been
    removed. This was not causing us issues yet, but some pseudofilesystems (such
    as cgroup) create non-empty directories and so this logic would've been
    wrong for such cases.

Thanks to all of the contributors who made this release possible:

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

v0.3.2

13 Sep 10:49
v0.3.2
e408943
Compare
Choose a tag to compare

This release includes a few fixes for MkdirAll when dealing with S_ISUID
and S_ISGID, to solve a regression runc hit when switching to MkdirAll.

  • Passing the S_ISUID or S_ISGID modes to MkdirAllInRoot will now return
    an explicit error saying that those bits are ignored by mkdirat(2). In
    the past a different error was returned, but since the silent ignoring
    behaviour is codified in the man pages a more explicit error seems
    apt. While silently ignoring these bits would be the most compatible
    option, it could lead to users thinking their code sets these bits
    when it doesn't. Programs that need to deal with compatibility can
    mask the bits themselves. (#23, #25)

  • If a directory has S_ISGID set, then all child directories will have
    S_ISGID set when created and a different gid will be used for any
    inode created under the directory. Previously, the "expected owner and
    mode" validation in securejoin.MkdirAll did not correctly handle this.
    We now correctly handle this case. (#24, #25)

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

v0.3.1

23 Jul 11:07
v0.3.1
ce7b28a
Compare
Choose a tag to compare
  • By allowing Open(at)InRoot to opt-out of the extra work done by MkdirAll
    to do the necessary "partial lookups", Open(at)InRoot now does less work
    for both implementations (resulting in a many-fold decrease in the number of
    operations for openat2, and a modest improvement for non-openat2) and is
    far more guaranteed to match the correct openat2(RESOLVE_IN_ROOT)
    behaviour.

  • We now use readlinkat(fd, "") where possible. For Open(at)InRoot this
    effectively just means that we no longer risk getting spurious errors during
    rename races. However, for our hardened procfs handler, this in theory should
    prevent mount attacks from tricking us when doing magic-link readlinks (even
    when using the unsafe host /proc handle). Unfortunately Reopen is still
    potentially vulnerable to those kinds of somewhat-esoteric attacks.

    Technically this will only work on post-2.6.39 kernels
    but it seems incredibly unlikely anyone is using filepath-securejoin on a
    pre-2011 kernel.

  • Several improvements were made to the errors returned by Open(at)InRoot and
    MkdirAll when dealing with invalid paths under the emulated (ie.
    non-openat2) implementation. Previously, some paths would return the wrong
    error (ENOENT when the last component was a non-directory), and other paths
    would be returned as though they were acceptable (trailing-slash components
    after a non-directory would be ignored by Open(at)InRoot).

    These changes were done to match openat2's behaviour and purely is a
    consistency fix (most users are going to be using openat2 anyway).

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

v0.3.0

11 Jul 14:09
v0.3.0
b984b9c
Compare
Choose a tag to compare

This release contains no changes to SecureJoin.

However, it does introduce a new *os.File-based API which is much safer
to use for most usecases. These are adapted from libpathrs and are
the bare minimum to be able to operate more safely on an untrusted
rootfs where an attacker has write access (something that SecureJoin
cannot protect against). The new APIs are:

  • OpenInRoot, which resolves a path inside a rootfs and returns an
    *os.File handle to the path. Note that the file handle returned by
    OpenInRoot is an O_PATH handle, which cannot be used for reading or
    writing (as well as some other operations -- see open(2) for more
    details
    ).

  • Reopen, which takes an O_PATH file handle and safely re-opens it to
    "upgrade" it to a regular handle.

  • MkdirAll, which is a safe implementation of os.MkdirAll that can be
    used to create directory trees inside a rootfs.

As these are new APIs, it is possible they may change in the future.
However, they should be safe to start migrating to as we have extensive
tests ensuring they behave correctly and are safe against various races
and other attacks.

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

v0.2.5

03 May 07:24
v0.2.5
d861a11
Compare
Choose a tag to compare

This release makes some minor improvements to SecureJoin:

  • Some changes were made to how lexical components are handled during
    resolution. There is no change in behaviour, and both implementations
    are safe, however the newer implementation is much easier to reason
    about.

  • The error returned when a symlink loop has been detected will now
    reference the correct path. #10

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

v0.2.4

06 Sep 05:20
v0.2.4
2710d06
Compare
Choose a tag to compare

This release fixes a potential security issue in filepath-securejoin
when used on Windows (GHSA-6xv5-86q9-7xr8, which could be used to
generate paths outside of the provided rootfs in certain cases), as well
as improving the overall behaviour of filepath-securejoin when dealing
with Windows paths that contain volume names. Thanks to Paulo Gomes for
discovering and fixing these issues.

In addition, we've switched (at long last) to GitHub Actions and have
continuous integration testing on Linux, MacOS, and Windows.

Thanks to the following contributors for making this release possible:

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

v0.2.3

04 Jul 11:20
v0.2.3
8f267f5
Compare
Choose a tag to compare

This release removes the dependency on github.com/pkg/errors in favour
of Go's built-in %w error wrapping support (available since Go 1.13).
Thanks to the following contributors for making this release possible:

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

v0.2.2

05 Sep 11:09
v0.2.2
a261ee3
Compare
Choose a tag to compare

This release just has a minor change to how symlink loops are indicated
to users (as a wrapped syscall.ELOOP rather than our own special error
message) so that users can just use errors.Cause and not care about our
error variable.

Signed-off-by: Aleksa Sarai asarai@suse.de

v0.2.1

04 Sep 16:58
v0.2.1
06bda83
Compare
Choose a tag to compare

This version adds our own IsNotExist implementation, which is necessary
for handling ENOTDIR properly with SecureJoin.

Signed-off-by: Aleksa Sarai asarai@suse.de