diff options
| author | Bjørn Erik Pedersen <[email protected]> | 2019-07-25 00:12:40 +0200 |
|---|---|---|
| committer | Bjørn Erik Pedersen <[email protected]> | 2019-07-25 11:27:25 +0200 |
| commit | e5f229974166402f51e4ee0695ffb4d1e09fa174 (patch) | |
| tree | 44dc7adc4fd02cb563583afaff6ddaa781821e2f /hugofs | |
| parent | 87a07282a2f01779e098cde0aaee1bae34dc32e6 (diff) | |
| download | hugo-e5f229974166402f51e4ee0695ffb4d1e09fa174.tar.gz hugo-e5f229974166402f51e4ee0695ffb4d1e09fa174.zip | |
Block symlink dir traversal for /static
This is in line with how it behaved before, but it was lifted a little for the project mount for Hugo Modules,
but that could create hard-to-detect loops.
Diffstat (limited to 'hugofs')
| -rw-r--r-- | hugofs/decorators.go | 25 | ||||
| -rw-r--r-- | hugofs/fileinfo.go | 19 | ||||
| -rw-r--r-- | hugofs/nosymlink_fs.go | 89 | ||||
| -rw-r--r-- | hugofs/nosymlink_test.go | 159 | ||||
| -rw-r--r-- | hugofs/rootmapping_fs.go | 6 | ||||
| -rw-r--r-- | hugofs/walk.go | 23 |
6 files changed, 239 insertions, 82 deletions
diff --git a/hugofs/decorators.go b/hugofs/decorators.go index 0a2b39712..e93f53aab 100644 --- a/hugofs/decorators.go +++ b/hugofs/decorators.go @@ -90,19 +90,14 @@ func NewBaseFileDecorator(fs afero.Fs) afero.Fs { isSymlink := isSymlink(fi) if isSymlink { meta[metaKeyOriginalFilename] = filename - link, err := filepath.EvalSymlinks(filename) + var link string + var err error + link, fi, err = evalSymlinks(fs, filename) if err != nil { return nil, err } - - fi, err = fs.Stat(link) - if err != nil { - return nil, err - } - filename = link meta[metaKeyIsSymlink] = true - } opener := func() (afero.File, error) { @@ -117,6 +112,20 @@ func NewBaseFileDecorator(fs afero.Fs) afero.Fs { return ffs } +func evalSymlinks(fs afero.Fs, filename string) (string, os.FileInfo, error) { + link, err := filepath.EvalSymlinks(filename) + if err != nil { + return "", nil, err + } + + fi, err := fs.Stat(link) + if err != nil { + return "", nil, err + } + + return link, fi, nil +} + type baseFileDecoratorFs struct { afero.Fs decorate func(fi os.FileInfo, filename string) (os.FileInfo, error) diff --git a/hugofs/fileinfo.go b/hugofs/fileinfo.go index a2f12c429..5a0fc2363 100644 --- a/hugofs/fileinfo.go +++ b/hugofs/fileinfo.go @@ -180,9 +180,20 @@ type FileMetaInfo interface { type fileInfoMeta struct { os.FileInfo + m FileMeta } +// Name returns the file's name. Note that we follow symlinks, +// if supported by the file system, and the Name given here will be the +// name of the symlink, which is what Hugo needs in all situations. +func (fi *fileInfoMeta) Name() string { + if name := fi.m.Name(); name != "" { + return name + } + return fi.FileInfo.Name() +} + func (fi *fileInfoMeta) Meta() FileMeta { return fi.m } @@ -295,3 +306,11 @@ func normalizeFilename(filename string) string { } return filename } + +func fileInfosToNames(fis []os.FileInfo) []string { + names := make([]string, len(fis)) + for i, d := range fis { + names[i] = d.Name() + } + return names +} diff --git a/hugofs/nosymlink_fs.go b/hugofs/nosymlink_fs.go index 42ab94b5c..409b6f03d 100644 --- a/hugofs/nosymlink_fs.go +++ b/hugofs/nosymlink_fs.go @@ -16,6 +16,9 @@ package hugofs import ( "errors" "os" + "path/filepath" + + "github.com/gohugoio/hugo/common/loggers" "github.com/spf13/afero" ) @@ -24,15 +27,48 @@ var ( ErrPermissionSymlink = errors.New("symlinks not allowed in this filesystem") ) -func NewNoSymlinkFs(fs afero.Fs) afero.Fs { - return &noSymlinkFs{Fs: fs} +// NewNoSymlinkFs creates a new filesystem that prevents symlinks. +func NewNoSymlinkFs(fs afero.Fs, logger *loggers.Logger, allowFiles bool) afero.Fs { + return &noSymlinkFs{Fs: fs, logger: logger, allowFiles: allowFiles} } // noSymlinkFs is a filesystem that prevents symlinking. type noSymlinkFs struct { + allowFiles bool // block dirs only + logger *loggers.Logger afero.Fs } +type noSymlinkFile struct { + fs *noSymlinkFs + afero.File +} + +func (f *noSymlinkFile) Readdir(count int) ([]os.FileInfo, error) { + fis, err := f.File.Readdir(count) + + filtered := fis[:0] + for _, x := range fis { + filename := filepath.Join(f.Name(), x.Name()) + if _, err := f.fs.checkSymlinkStatus(filename, x); err != nil { + // Log a warning and drop the file from the list + logUnsupportedSymlink(filename, f.fs.logger) + } else { + filtered = append(filtered, x) + } + } + + return filtered, err +} + +func (f *noSymlinkFile) Readdirnames(count int) ([]string, error) { + dirs, err := f.Readdir(count) + if err != nil { + return nil, err + } + return fileInfosToNames(dirs), nil +} + func (fs *noSymlinkFs) LstatIfPossible(name string) (os.FileInfo, bool, error) { return fs.stat(name) } @@ -53,33 +89,68 @@ func (fs *noSymlinkFs) stat(name string) (os.FileInfo, bool, error) { if lstater, ok := fs.Fs.(afero.Lstater); ok { fi, wasLstat, err = lstater.LstatIfPossible(name) } else { - fi, err = fs.Fs.Stat(name) } + if err != nil { + return nil, false, err + } + + fi, err = fs.checkSymlinkStatus(name, fi) + + return fi, wasLstat, err +} + +func (fs *noSymlinkFs) checkSymlinkStatus(name string, fi os.FileInfo) (os.FileInfo, error) { var metaIsSymlink bool if fim, ok := fi.(FileMetaInfo); ok { - metaIsSymlink = fim.Meta().IsSymlink() + meta := fim.Meta() + metaIsSymlink = meta.IsSymlink() } - if metaIsSymlink || isSymlink(fi) { - return nil, wasLstat, ErrPermissionSymlink + if metaIsSymlink { + if fs.allowFiles && !fi.IsDir() { + return fi, nil + } + return nil, ErrPermissionSymlink } - return fi, wasLstat, err + // Also support non-decorated filesystems, e.g. the Os fs. + if isSymlink(fi) { + // Need to determine if this is a directory or not. + _, sfi, err := evalSymlinks(fs.Fs, name) + if err != nil { + return nil, err + } + if fs.allowFiles && !sfi.IsDir() { + // Return the original FileInfo to get the expected Name. + return fi, nil + } + return nil, ErrPermissionSymlink + } + + return fi, nil } func (fs *noSymlinkFs) Open(name string) (afero.File, error) { if _, _, err := fs.stat(name); err != nil { return nil, err } - return fs.Fs.Open(name) + return fs.wrapFile(fs.Fs.Open(name)) } func (fs *noSymlinkFs) OpenFile(name string, flag int, perm os.FileMode) (afero.File, error) { if _, _, err := fs.stat(name); err != nil { return nil, err } - return fs.Fs.OpenFile(name, flag, perm) + return fs.wrapFile(fs.Fs.OpenFile(name, flag, perm)) +} + +func (fs *noSymlinkFs) wrapFile(f afero.File, err error) (afero.File, error) { + if err != nil { + return nil, err + } + + return &noSymlinkFile{File: f, fs: fs}, nil } diff --git a/hugofs/nosymlink_test.go b/hugofs/nosymlink_test.go index 6d0b99dcc..5e1964419 100644 --- a/hugofs/nosymlink_test.go +++ b/hugofs/nosymlink_test.go @@ -18,6 +18,8 @@ import ( "path/filepath" "testing" + "github.com/gohugoio/hugo/common/loggers" + "github.com/gohugoio/hugo/htesting" "github.com/spf13/afero" @@ -25,73 +27,120 @@ import ( "github.com/stretchr/testify/require" ) -func TestNoSymlinkFs(t *testing.T) { - if skipSymlink() { - t.Skip("Skip; os.Symlink needs administrator rights on Windows") - } +func prepareSymlinks(t *testing.T) (string, func()) { assert := require.New(t) - workDir, clean, err := htesting.CreateTempDir(Os, "hugo-nosymlink") + + workDir, clean, err := htesting.CreateTempDir(Os, "hugo-symlink-test") assert.NoError(err) - defer clean() wd, _ := os.Getwd() - defer func() { - os.Chdir(wd) - }() blogDir := filepath.Join(workDir, "blog") - blogFile := filepath.Join(blogDir, "a.txt") - assert.NoError(os.MkdirAll(blogDir, 0777)) - afero.WriteFile(Os, filepath.Join(blogFile), []byte("content"), 0777) + blogSubDir := filepath.Join(blogDir, "sub") + assert.NoError(os.MkdirAll(blogSubDir, 0777)) + blogFile1 := filepath.Join(blogDir, "a.txt") + blogFile2 := filepath.Join(blogSubDir, "b.txt") + afero.WriteFile(Os, filepath.Join(blogFile1), []byte("content1"), 0777) + afero.WriteFile(Os, filepath.Join(blogFile2), []byte("content2"), 0777) os.Chdir(workDir) assert.NoError(os.Symlink("blog", "symlinkdedir")) os.Chdir(blogDir) + assert.NoError(os.Symlink("sub", "symsub")) assert.NoError(os.Symlink("a.txt", "symlinkdedfile.txt")) - fs := NewNoSymlinkFs(Os) - ls := fs.(afero.Lstater) - symlinkedDir := filepath.Join(workDir, "symlinkdedir") - symlinkedFile := filepath.Join(blogDir, "symlinkdedfile.txt") - - // Check Stat and Lstat - for _, stat := range []func(name string) (os.FileInfo, error){ - func(name string) (os.FileInfo, error) { - return fs.Stat(name) - }, - func(name string) (os.FileInfo, error) { - fi, _, err := ls.LstatIfPossible(name) - return fi, err - }, - } { - _, err = stat(symlinkedDir) - assert.Equal(ErrPermissionSymlink, err) - _, err = stat(symlinkedFile) - assert.Equal(ErrPermissionSymlink, err) - - fi, err := stat(filepath.Join(workDir, "blog")) - assert.NoError(err) - assert.NotNil(fi) - - fi, err = stat(blogFile) - assert.NoError(err) - assert.NotNil(fi) + return workDir, func() { + clean() + os.Chdir(wd) } +} - // Check Open - _, err = fs.Open(symlinkedDir) - assert.Equal(ErrPermissionSymlink, err) - _, err = fs.OpenFile(symlinkedDir, os.O_RDWR|os.O_APPEND|os.O_CREATE, 0666) - assert.Equal(ErrPermissionSymlink, err) - _, err = fs.OpenFile(symlinkedFile, os.O_RDWR|os.O_APPEND|os.O_CREATE, 0666) - assert.Equal(ErrPermissionSymlink, err) - _, err = fs.Open(symlinkedFile) - assert.Equal(ErrPermissionSymlink, err) - f, err := fs.Open(blogDir) - assert.NoError(err) - f.Close() - f, err = fs.Open(blogFile) - assert.NoError(err) - f.Close() +func TestNoSymlinkFs(t *testing.T) { + if skipSymlink() { + t.Skip("Skip; os.Symlink needs administrator rights on Windows") + } + assert := require.New(t) + workDir, clean := prepareSymlinks(t) + defer clean() + + blogDir := filepath.Join(workDir, "blog") + blogFile1 := filepath.Join(blogDir, "a.txt") + + logger := loggers.NewWarningLogger() + + for _, bfs := range []afero.Fs{NewBaseFileDecorator(Os), Os} { + for _, allowFiles := range []bool{false, true} { + logger.WarnCounter.Reset() + fs := NewNoSymlinkFs(bfs, logger, allowFiles) + ls := fs.(afero.Lstater) + symlinkedDir := filepath.Join(workDir, "symlinkdedir") + symlinkedFilename := "symlinkdedfile.txt" + symlinkedFile := filepath.Join(blogDir, symlinkedFilename) + + assertFileErr := func(err error) { + if allowFiles { + assert.NoError(err) + } else { + assert.Equal(ErrPermissionSymlink, err) + } + } - // os.OpenFile(logFile, os.O_RDWR|os.O_APPEND|os.O_CREATE, 0666) + assertFileStat := func(name string, fi os.FileInfo, err error) { + t.Helper() + assertFileErr(err) + if err == nil { + assert.NotNil(fi) + assert.Equal(name, fi.Name()) + } + } + + // Check Stat and Lstat + for _, stat := range []func(name string) (os.FileInfo, error){ + func(name string) (os.FileInfo, error) { + return fs.Stat(name) + }, + func(name string) (os.FileInfo, error) { + fi, _, err := ls.LstatIfPossible(name) + return fi, err + }, + } { + fi, err := stat(symlinkedDir) + assert.Equal(ErrPermissionSymlink, err) + fi, err = stat(symlinkedFile) + assertFileStat(symlinkedFilename, fi, err) + + fi, err = stat(filepath.Join(workDir, "blog")) + assert.NoError(err) + assert.NotNil(fi) + + fi, err = stat(blogFile1) + assert.NoError(err) + assert.NotNil(fi) + } + + // Check Open + _, err := fs.Open(symlinkedDir) + assert.Equal(ErrPermissionSymlink, err) + _, err = fs.OpenFile(symlinkedDir, os.O_RDWR|os.O_APPEND|os.O_CREATE, 0666) + assert.Equal(ErrPermissionSymlink, err) + _, err = fs.OpenFile(symlinkedFile, os.O_RDWR|os.O_APPEND|os.O_CREATE, 0666) + assertFileErr(err) + _, err = fs.Open(symlinkedFile) + assertFileErr(err) + f, err := fs.Open(blogDir) + assert.NoError(err) + f.Close() + f, err = fs.Open(blogFile1) + assert.NoError(err) + f.Close() + + // Check readdir + f, err = fs.Open(workDir) + assert.NoError(err) + // There is at least one unsported symlink inside workDir + _, err = f.Readdir(-1) + f.Close() + assert.Equal(uint64(1), logger.WarnCounter.Count()) + + } + } } diff --git a/hugofs/rootmapping_fs.go b/hugofs/rootmapping_fs.go index a1214a02c..31d78219d 100644 --- a/hugofs/rootmapping_fs.go +++ b/hugofs/rootmapping_fs.go @@ -459,9 +459,5 @@ func (f *rootMappingFile) Readdirnames(count int) ([]string, error) { if err != nil { return nil, err } - dirss := make([]string, len(dirs)) - for i, d := range dirs { - dirss[i] = d.Name() - } - return dirss, nil + return fileInfosToNames(dirs), nil } diff --git a/hugofs/walk.go b/hugofs/walk.go index eca746737..6947660c8 100644 --- a/hugofs/walk.go +++ b/hugofs/walk.go @@ -121,8 +121,7 @@ func (w *Walkway) Walk() error { return nil } - if err == ErrPermissionSymlink { - w.logger.WARN.Printf("Unsupported symlink found in %q, skipping.", w.root) + if w.checkErr(w.root, err) { return nil } @@ -149,6 +148,19 @@ func lstatIfPossible(fs afero.Fs, path string) (os.FileInfo, bool, error) { return fi, false, err } +// checkErr returns true if the error is handled. +func (w *Walkway) checkErr(filename string, err error) bool { + if err == ErrPermissionSymlink { + logUnsupportedSymlink(filename, w.logger) + return true + } + return false +} + +func logUnsupportedSymlink(filename string, logger *loggers.Logger) { + logger.WARN.Printf("Unsupported symlink found in %q, skipping.", filename) +} + // walk recursively descends path, calling walkFn. // It follow symlinks if supported by the filesystem, but only the same path once. func (w *Walkway) walk(path string, info FileMetaInfo, dirEntries []FileMetaInfo, walkFn WalkFunc) error { @@ -168,16 +180,17 @@ func (w *Walkway) walk(path string, info FileMetaInfo, dirEntries []FileMetaInfo if dirEntries == nil { f, err := w.fs.Open(path) - if err != nil { + if w.checkErr(path, err) { + return nil + } return walkFn(path, info, errors.Wrapf(err, "walk: open %q (%q)", path, w.root)) } fis, err := f.Readdir(-1) f.Close() if err != nil { - if err == ErrPermissionSymlink { - w.logger.WARN.Printf("Unsupported symlink found in %q, skipping.", filename) + if w.checkErr(filename, err) { return nil } return walkFn(path, info, errors.Wrap(err, "walk: Readdir")) |