[SNOW-1156046] fix toctou vulnerability in EasyLogginConfig #925
fa7df40 to cc5e12c
{ | ||
using (StreamReader reader = new StreamReader(fileStream)) | ||
{ | ||
CheckIfValidPermissions(filePath); |
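Review bot: The call on the last line of this hunk, CheckIfValidPermissions(filePath), still takes the path even though fileStream is already open at that point, so the file being checked is found by a second path lookup and need not be the one the reader holds. Pass the open stream (or its handle) into the check so that the check and the read refer to the same file object.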
Unfortunately, it's still prone to a race condition because the filepath is used. First, you open the FileStream and then (milliseconds later) you make the check calling _unixOperations.CheckFileHasAnyOfPermissions that opens the file again. It is possible that between these two opens the file under the path is changed: imagine the path to check is ./my.conf, which initially is a symbolic link to /tmp/bad.conf, and milliseconds later it is repointed to /home/user/valid.conf by the bad actor to make the check pass.
One way to do this securely is to open the file once and from this moment operate only on its handle. You can obtain the handle to the file using FileStream.SafeFileHandle and pass it to File.GetUnixFileMode(SafeFileHandle) to obtain permissions, and check them in a way that is not prone to race conditions.
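The open-once, check-the-handle pattern from the comment above, as an added example that is not code from this PR or from the driver. `ConfigLoader`, `ReadIfNotGroupOrOtherWritable` and the sample file content are hypothetical; it assumes a Unix host and a target framework that provides `File.GetUnixFileMode(SafeFileHandle)`.

```csharp
using System;
using System.IO;
using System.Security;

public static class ConfigLoader // hypothetical name, not the driver's class
{
    private const UnixFileMode Forbidden =
        UnixFileMode.GroupWrite | UnixFileMode.OtherWrite;

    public static string ReadIfNotGroupOrOtherWritable(string filePath)
    {
        // The path is resolved exactly once, here. Everything below works on the
        // handle, so repointing a symlink at filePath afterwards cannot change
        // which file is checked or which file is read.
        using (var fileStream = new FileStream(filePath, FileMode.Open, FileAccess.Read))
        {
            // Permissions are read from the open handle, not from the path.
            UnixFileMode mode = File.GetUnixFileMode(fileStream.SafeFileHandle);
            if ((mode & Forbidden) != 0)
            {
                throw new SecurityException(
                    $"Config file is writable by group or others (mode: {mode})");
            }
            using (var reader = new StreamReader(fileStream))
            {
                return reader.ReadToEnd(); // same file object that was checked
            }
        }
    }

    public static void Main()
    {
        // Constructed sample: a temp file that is first owner-only,
        // then made group-writable.
        string path = Path.GetTempFileName();
        File.WriteAllText(path, "sample config content");
        File.SetUnixFileMode(path, UnixFileMode.UserRead | UnixFileMode.UserWrite);
        Console.WriteLine("accepted: " + ReadIfNotGroupOrOtherWritable(path));

        File.SetUnixFileMode(path,
            UnixFileMode.UserRead | UnixFileMode.UserWrite | UnixFileMode.GroupWrite);
        try { ReadIfNotGroupOrOtherWritable(path); }
        catch (SecurityException e) { Console.WriteLine("rejected: " + e.Message); }
        finally { File.Delete(path); }
    }
}
```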
Hi @sfc-gh-kkatowiczkowalewski, I made the change to use the SafeFileHandle, but it only works on net8.0, so I made some conditional compilation to work around that.
I'm still working on updating the failing test.
We will proceed this way: https://github.com/snowflakedb/SecureUnixLibrary/blob/main/UnixMonoPOC/SecureUnix.cs
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## master #925 +/- ##
==========================================
- Coverage 85.55% 85.13% -0.42%
==========================================
Files 106 106
Lines 10777 10782 +5
Branches 1032 1033 +1
==========================================
- Hits 9220 9179 -41
- Misses 1307 1352 +45
- Partials 250 251 +1
076b56c to 4b15d4d
I have read the CLA Document and I hereby sign the CLA
} | ||
|
||
#if NET8_0_OR_GREATER | ||
var unixFileMode = File.GetUnixFileMode(fileStream.SafeFileHandle); |
Can we exclude Mono.Unix from dependencies for .NET 8? @sfc-gh-knozderko wdyt?
var hasPermissions = !(((UnixFileMode.GroupWrite | UnixFileMode.OtherWrite) & unixFileMode) != 0); | ||
#else | ||
var entitlements = FileAccessPermissions.GroupWrite | FileAccessPermissions.OtherWrite; | ||
var hasPermissions = !_unixOperations.CheckFileHasAnyOfPermissions(filePath, entitlements); |
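Review bot: The #else branch still calls _unixOperations.CheckFileHasAnyOfPermissions(filePath, entitlements) with the path, so builds without NET8_0_OR_GREATER keep the path-based check that the race depends on; only the #if branch checks the opened file through fileStream.SafeFileHandle. The fallback needs a check that works on the already opened file as well, or at minimum a comment at this spot stating that the older targets remain exposed.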
'hasPermissions' name suggests that the file has permissions specified. Maybe remove negations and if hasPermissions then throw an exception.
I changed the variable from 'haspermission' to a more clear 'hasGroupOrOtherWritePermissions' and inverted the if statement to throw the exception if true.
This was done in 9a2925b
9a2925b to 29fa29f
Description
Invert the order, first read the file and then check the permissions.
Checklist
dotnet test