Commit 435752b
fix: symlink-based path traversal in file_manager (CWE-61/CWE-22) (#9902)
CWE-61 / CWE-22 in file_manager: check_access_permission used
os.path.abspath, which resolves '..' but not symbolic links, while
the subsequent kernel write follows symlinks. An authenticated user
could plant a symlink inside their storage area pointing outside it
and write to any path the pgAdmin process could reach.
Fix: switch to os.path.realpath for both orig_path and in_dir, and
add a new _open_upload_target helper that opens with O_NOFOLLOW
(and mode 0o600) to close the leaf-component TOCTOU between the
access check and the open. Drops the redundant post-write
check_access_permission call in add().
Mode change for uploaded files (0o644 -> 0o600) is intentional
hardening; release notes will call this out.
Tests: 16 file-manager security tests covering realpath enforcement
on all five access-check consumers and O_NOFOLLOW leaf-symlink
rejection.
The shared design proposal lives in docs/proposals/ and was added
in the preceding pickle-RCE commit.
Reported-by: Fernando Bortotti <fernando.bortotti@bsd.com.br>

1 parent 30a8903 commit 435752b
3 files changed
Lines changed: 427 additions & 12 deletions
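The commit message contrasts os.path.abspath with os.path.realpath as a containment check and describes an O_NOFOLLOW open for the upload leaf. The block below is an added example written for this page, not pgAdmin's code and not taken from this commit: it runs both checks over a constructed storage layout (a user directory containing a symlink that points outside it) and includes a hypothetical open_upload_target helper standing in for the _open_upload_target the message names. The helper's name and signature, the directory names and the sample file contents are all assumptions; it needs a POSIX system for symlinks and O_NOFOLLOW.

```python
import errno
import os
import stat
import tempfile


def _is_within(base, candidate, normalise):
    """Containment test shared by the two checks below; `normalise` is the
    path-canonicalisation function whose behaviour is being compared."""
    base = normalise(base)
    cand = normalise(candidate)
    return cand == base or cand.startswith(base + os.sep)


def check_access_abspath(in_dir, orig_path):
    """Pre-fix behaviour as described in the commit message: abspath collapses
    '..' components but leaves symbolic links unresolved."""
    return _is_within(in_dir, orig_path, os.path.abspath)


def check_access_realpath(in_dir, orig_path):
    """Post-fix behaviour: realpath resolves symlinks on both sides, so a link
    that points outside in_dir is judged by where it actually leads."""
    return _is_within(in_dir, orig_path, os.path.realpath)


def open_upload_target(path, mode=0o600):
    """Open `path` for writing, creating it owner-only, and refuse to follow a
    symlink in the final path component (O_NOFOLLOW makes open fail with ELOOP).
    Hypothetical stand-in for the helper the commit names, not pgAdmin's code."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(path, flags, mode)
    return os.fdopen(fd, "wb")


def demo():
    """Build a constructed layout in a temp dir: a user storage area holding a
    symlink to a file outside it. Returns what each check and the open do."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        user_dir = os.path.join(root, "storage", "alice")   # constructed
        outside = os.path.join(root, "elsewhere")            # constructed
        os.makedirs(user_dir)
        os.makedirs(outside)

        target = os.path.join(outside, "target.txt")
        with open(target, "w") as fh:
            fh.write("untouched\n")

        # Leaf-component symlink inside the user's area that resolves outside it.
        link = os.path.join(user_dir, "escape.txt")
        os.symlink(target, link)

        # A plain '..' traversal is rejected by both canonicalisations.
        dotdot = os.path.join(user_dir, "..", "bob", "x.txt")
        results["dotdot_rejected_by_abspath"] = not check_access_abspath(user_dir, dotdot)
        results["dotdot_rejected_by_realpath"] = not check_access_realpath(user_dir, dotdot)

        # The symlink: abspath sees a path under user_dir, realpath sees the target.
        results["abspath_allows_symlink"] = check_access_abspath(user_dir, link)
        results["realpath_allows_symlink"] = check_access_realpath(user_dir, link)

        # Even if a check were bypassed, O_NOFOLLOW refuses to write through the link.
        try:
            with open_upload_target(link) as fh:
                fh.write(b"overwritten\n")
            results["nofollow_rejected"] = False
        except OSError as exc:
            results["nofollow_rejected"] = exc.errno == errno.ELOOP
        with open(target) as fh:
            results["target_untouched"] = fh.read() == "untouched\n"

        # An ordinary upload succeeds and is created with no group/other bits.
        honest = os.path.join(user_dir, "report.csv")
        with open_upload_target(honest) as fh:
            fh.write(b"a,b\n")
        mode = stat.S_IMODE(os.stat(honest).st_mode)
        results["group_other_bits_clear"] = (mode & 0o077) == 0
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

O_NOFOLLOW only guards the final path component, which is why the realpath containment check on the directory part is still needed alongside it; the two together are what the commit message describes as closing the leaf-component gap between the access check and the open.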
[Diff view: the changed lines did not survive extraction; only hunk positions remain.]

First file: hunk at original lines 48-53 (19 lines added, new 51-69); hunk at 898-906 (3 lines removed, 5 added); hunk at 909-914 (4 lines added); hunk at 1080-1096 (7 lines removed, 8 added); hunk at 1101-1108 (2 lines removed).

Second file (all lines new): 8 lines added.