Overview

File exclude-the-full-path-of-a-download-url-to-prevent-i.patch of Package salt.21412

From 57ed9c41a177f57e3d56465662750617ac36cc95 Mon Sep 17 00:00:00 2001
From: Joe Eacott <jeacott@vmware.com>
Date: Mon, 28 Jun 2021 16:46:35 -0600
Subject: [PATCH] Exclude the full path of a download URL to prevent
 injection of malicious code (bsc#1190265) (CVE-2021-21996)

---
 salt/fileclient.py            |  7 +++++++
 tests/unit/test_fileclient.py | 18 ++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/salt/fileclient.py b/salt/fileclient.py
index 88dcf1668d..bdf450ffe6 100644
--- a/salt/fileclient.py
+++ b/salt/fileclient.py
@@ -28,6 +28,7 @@ import salt.utils.platform
 import salt.utils.stringutils
 import salt.utils.templates
 import salt.utils.url
+import salt.utils.verify
 import salt.utils.versions
 from salt.exceptions import CommandExecutionError, MinionError
 
@@ -858,6 +859,12 @@ class Client:
         else:
             file_name = url_data.path
 
+        # clean_path returns an empty string if the check fails
+        root_path = salt.utils.path.join(cachedir, "extrn_files", saltenv, netloc)
+        new_path = os.path.sep.join([root_path, file_name])
+        if not salt.utils.verify.clean_path(root_path, new_path, subdir=True):
+            return "Invalid path"
+
         if len(file_name) > MAX_FILENAME_LENGTH:
             file_name = salt.utils.hashutils.sha256_digest(file_name)
 
diff --git a/tests/unit/test_fileclient.py b/tests/unit/test_fileclient.py
index 3aa7b7cf84..b6cc84a871 100644
--- a/tests/unit/test_fileclient.py
+++ b/tests/unit/test_fileclient.py
@@ -63,6 +63,24 @@ class FileclientTestCase(TestCase):
                     ) as c_ref_itr:
                         assert c_ref_itr == "/__test__/files/base/testfile"
 
+    def test_cache_extrn_path_valid(self):
+        """
+        Tests for extrn_filepath for a given url
+        """
+        file_name = "http://localhost:8000/test/location/src/dev/usr/file"
+
+        ret = fileclient.Client(self.opts)._extrn_path(file_name, "base")
+        assert ret == os.path.join("__test__", "extrn_files", "base", ret)
+
+    def test_cache_extrn_path_invalid(self):
+        """
+        Tests for extrn_filepath for a given url
+        """
+        file_name = "http://localhost:8000/../../../../../usr/bin/bad"
+
+        ret = fileclient.Client(self.opts)._extrn_path(file_name, "base")
+        assert ret == "Invalid path"
+
     def test_extrn_path_with_long_filename(self):
         safe_file_name = os.path.split(
             fileclient.Client(self.opts)._extrn_path(
-- 
2.33.0
openSUSE Build Service is sponsored by
Places