xCAT/confluent
2
0
Fork 0
mirror of https://github.com/xcat2/confluent.git synced 2026-04-11 03:11:32 +00:00
Code Issues Projects Releases Wiki Activity

More tightly constrain node profile requests

Browse Source 
Normalize paths using abspath and validate the result is within the expected path.
This commit is contained in:
Jarrod Johnson
2026-04-06 15:12:44 -04:00
parent 69d984b9dc
commit 3ce2a5bc26
1 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
confluent_server/confluent/selfservice.py
View File

@@ -578,8 +578,13 @@ def handle_request(env, start_response):
yield 'No profile'
return
fname = '/var/lib/confluent/private/os/{}/{}'.format(profile, fname)
fullpath = os.path.abspath(fname)
if not fullpath.startswith('/var/lib/confluent/private/os/{}/'.format(profile)):
start_response('400 Bad Request', ())
yield 'Bad Request'
return
try:
with open(fname, 'rb') as privdata:
with open(fullpath, 'rb') as privdata:
start_response('200 OK', ())
yield privdata.read()
return
@@ -623,6 +628,11 @@ def get_scriptlist(scriptcat, cfg, nodename, pathtemplate):
'deployment.profile', {}).get('value', '')
slist = []
target = pathtemplate.format(profile, scriptcat)
target = os.path.abspath(target)
allowedbase = os.path.abspath(pathtemplate.format(profile, '').rstrip('/'))
allowedbaseprefix = os.path.join(allowedbase, '')
if not target.startswith(allowedbaseprefix):
return None, None
if not os.path.isdir(target) and os.path.isdir(target + '.d'):
target = target + '.d'
try: