From 5e53ed259fda01683c815fbb22d1ab430fedf2ae Mon Sep 17 00:00:00 2001
From: Ben Grande
Date: Tue, 21 Nov 2023 14:57:47 +0000
Subject: [PATCH] fix: unstrusted input marking and sanitization
---
 salt/sys-git/files/server/rpc/qusal.GitInit | 58 +++++++++++--------
 .../files/server/rpc/qusal.SshAgent | 22 ++++++-
 .../files/server/rpc/qusal.Syncthing | 2 +
 3 files changed, 54 insertions(+), 28 deletions(-)

diff --git a/salt/sys-git/files/server/rpc/qusal.GitInit b/salt/sys-git/files/server/rpc/qusal.GitInit
index 4a1bb82f..3b6d0168 100644
--- a/salt/sys-git/files/server/rpc/qusal.GitInit
+++ b/salt/sys-git/files/server/rpc/qusal.GitInit
@@ -6,53 +6,61 @@ set -eu
-base_path="$HOME/src"
-repo="$QREXEC_SERVICE_ARGUMENT"
-#origin="$QREXEC_REMOTE_DOMAIN"
-
 die(){
- echo "error: $1" >&2
+ echo "error: ${1}" >&2
 exit 1
 }
-fail_invalid_name(){
- if ! (echo "$repo" | grep -q "^[A-Za-z0-9][A-Za-z0-9_.-]\+$"); then
- die "Invalid repository. Allowed chars: letters, numbers, hyphen, underscore and dot. It cannot begin with hyphen, underscore or dot."
- fi
-}
-
 if ! command -v git >/dev/null; then
 die "Command not found: git"
 fi
-fail_invalid_name
-case "$repo" in
+untrusted_repo="${QREXEC_SERVICE_ARGUMENT}"
+
+if test -z "${untrusted_repo}"; then
+ die "Repository name is empty"
+fi
+
+if ! (echo "${untrusted_repo}" | grep -q "^[A-Za-z0-9][A-Za-z0-9_.-]\+$")
+then
+ die "Forbidden characters in repository name. Allowed chars: letters, numbers, hyphen, underscore and dot. It cannot begin with hyphen, underscore or dot"
+fi
+
+## Length arbitrarily set.
+if test "${#untrusted_repo}" -gt 128; then
+ die "Repository name is too long: ${#untrusted_repo}"
+fi
+
+base_path="$HOME/src"
+repo="${untrusted_repo}"
+
+case "${repo}" in
 *".git") ;;
- *) repo="$repo.git";;
+ *) repo="${repo}.git";;
 esac
-path="$base_path/$repo"
+path="${base_path}/${repo}"
 action="${0##*.Git}"
-case "$action" in
+case "${action}" in
 Fetch) service=git-upload-pack;;
 Push) service=git-receive-pack;;
 Init) service="git init --bare";;
 *) die "Invalid RPC name: ${0##*/}";;
 esac
-if test "$action" != "Init"; then
- test -d "$path" || die "Directory doesn't exist: $repo"
- git -C "$path" rev-parse >/dev/null 2>&1 || die "Not a git repository: $repo"
- is_bare="$(git -C "$path" rev-parse --is-bare-repository)"
- test "${is_bare}" = "true" || die "Not a bare repository: $repo"
+if test "${action}" != "Init"; then
+ test -d "${path}" || die "Directory doesn't exist: ${repo}"
+ git -C "${path}" rev-parse >/dev/null 2>&1 || die "Not a git repository: ${repo}"
+ is_bare="$(git -C "${path}" rev-parse --is-bare-repository)"
+ test "${is_bare}" = "true" 
|| die "Not a bare repository: ${repo}"
 fi
-if ! test -d "$base_path"; then
+if ! test -d "${base_path}"; then
 # shellcheck disable=SC2174
- mkdir -m 0700 -p "$base_path" >/dev/null 2>&1 ||
- die "Cannot create directory: $base_path"
+ mkdir -m 0700 -p "${base_path}" >/dev/null 2>&1 ||
+ die "Cannot create directory: ${base_path}"
 fi
 # shellcheck disable=SC2086
-exec $service -- "$path"
+exec ${service} -- "${path}"
diff --git a/salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent b/salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent
index 32193484..48438db2 100644
--- a/salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent
+++ b/salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent
@@ -6,9 +6,25 @@ set -eu
-#origin="$QREXEC_REMOTE_DOMAIN"
-agent="$QREXEC_SERVICE_ARGUMENT"
+untrusted_agent="$QREXEC_SERVICE_ARGUMENT"
+
+if test -z "${untrusted_agent}"; then
+ echo "Agent name is empty" >&2
+ exit 1
+fi
+
+if ! (echo "${untrusted_agent}" | grep -q "^[A-Za-z0-9][A-Za-z0-9_.-]\+$")
+then
+ die "Forbidden characters in agent name. Allowed chars: letters, numbers, hyphen, underscore and dot. It cannot begin with hyphen, underscore or dot"
+fi
+
+## Length arbitrarily set.
+if test "${#untrusted_agent}" -gt 128; then
+ die "Repository name is too long: ${#untrusted_agent}"
+fi
+
+agent="${untrusted_agent}"
 socket="/tmp/qubes-ssh-agent/${agent}.sock"
 qvm-ssh-agent add "${agent}" >/dev/null
-exec socat STDIO UNIX-CLIENT:"$socket"
+exec socat STDIO UNIX-CLIENT:"${socket}"
diff --git a/salt/sys-syncthing/files/server/rpc/qusal.Syncthing b/salt/sys-syncthing/files/server/rpc/qusal.Syncthing
index 5b459c3a..605a0f1e 100644
--- a/salt/sys-syncthing/files/server/rpc/qusal.Syncthing
+++ b/salt/sys-syncthing/files/server/rpc/qusal.Syncthing
@@ -4,4 +4,6 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
+set -eu
+
 exec socat STDIO TCP:localhost:22000
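Review bot: The character check `if ! (echo "${untrusted_repo}" | grep -q "^[A-Za-z0-9][A-Za-z0-9_.-]\+$")` validates what `echo` prints rather than the exact bytes later used to build `path`, and `grep -q` succeeds as soon as any single line of that output matches; depending on the shell, `echo` may interpret backslash escapes or a leading `-n`, and a value containing a newline would have only its first line checked. The same construct is used in the SshAgent hunk. A `case` glob inspects the whole value in-shell without a subprocess and keeps the existing two-character minimum: `case "${untrusted_repo}" in ?|[!A-Za-z0-9]*|*[!A-Za-z0-9_.-]*) die "Forbidden characters in repository name. …";; esac`, with the preceding empty-name test left as it is. Even if the qrexec layer already constrains the service argument, the script's own check should hold on its own.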
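Review bot: The forbidden-characters and length branches call `die`, but nothing in this hunk defines it, and the empty-name branch just above uses `echo "Agent name is empty" >&2` followed by `exit 1` instead, which suggests the function does not exist in this file; lines 1-5 are outside the hunk, so a definition there cannot be ruled out from here, but if it is missing the rejection would exit under `set -eu` with a "die: not found" error rather than the intended message. Either add `die(){ echo "error: ${1}" >&2; exit 1; }` at the top as the GitInit script has, or use the echo-and-exit form in all three branches. The length-check message `die "Repository name is too long: ${#untrusted_agent}"` also looks copied from GitInit and should read `Agent name is too long`.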