Skip to content

fix(generate): First pass at fixing path traversal vuln#3195

Merged
kyleconroy merged 2 commits intomainfrom
kyle/fix-output-path-traversal
Feb 14, 2024
Merged

fix(generate): First pass at fixing path traversal vuln#3195
kyleconroy merged 2 commits intomainfrom
kyle/fix-output-path-traversal

Conversation

@kyleconroy
Copy link
Collaborator

@kyleconroy kyleconroy commented Feb 12, 2024
edited
Loading

Verify that output file locations resolve to a path contained in the output directory.

Fixes #3194

@kyleconroy kyleconroy mentioned this pull request Feb 12, 2024
Closed
@cbiffle
Copy link

cbiffle commented Feb 12, 2024
edited
Loading

This is slightly overly conservative, technically speaking, in that it will prevent the creation of filenames like out/foobar..txt. I'm not terribly concerned about that, personally. However, I think you could fix it by testing to see if the path starts with .. -- any path returned from Clean (and thus Join) should only contain .. iff it starts with ... (Edit: Because of how Clean is defined you'd probably also want to check for leading slash.)

This still permits following symlinks in the out directory to arbitrary locations, if such symlinks exist. It looks like Go has a standard library routine for this in EvalSymlinks if you're concerned; you could apply it to the result of your Join. Given that WASM plugins have no way to create such a symlink atm, this is probably not a serious issue.

cbiffle
cbiffle reviewed Feb 12, 2024
View reviewed changes
internal/cmd/generate.go
return fmt.Errorf("invalid file output path: %s", filename)
}
// The output file must be contained inside the output directory
if !strings.HasPrefix(filename, absout) {
Copy link

@cbiffle cbiffle Feb 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Has absout also been run through Clean? If so, there's a possibility that absout != filepath.Clean(absout) which would cause this to fail.

Copy link
Collaborator Author

@kyleconroy kyleconroy Feb 13, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It has, since the result of Join is cleaned.

Copy link

@cbiffle cbiffle Feb 13, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, so it has. Thanks!

@kyleconroy kyleconroy marked this pull request as ready for review February 14, 2024 16:45
@kyleconroy kyleconroy merged commit 4314824 into main Feb 14, 2024
@kyleconroy kyleconroy deleted the kyle/fix-output-path-traversal branch February 14, 2024 19:40
lisitsky pushed a commit to lisitsky/sqlc that referenced this pull request Jun 21, 2024
@kyleconroy @lisitsky
fix(generate): Ensure files are created instead output directory (sql…
a8f9dbf 
…c-dev#3195)

* fix(generate): First pass at fixing path traversal vuln

* Add test
alfonsodev pushed a commit to ExponentiaTeam/sqlc that referenced this pull request Oct 13, 2025
@kyleconroy
fix(generate): Ensure files are created instead output directory (sql…
9fe16be 
…c-dev#3195)

* fix(generate): First pass at fixing path traversal vuln

* Add test
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@cbiffle cbiffle cbiffle left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Preventing path traversal by plugins?

2 participants

@kyleconroy @cbiffle