api: Add validator
Signed-off-by: Max Asnaashari <[email protected]>
masnax committed Sep 4, 2024
1 parent 6ce25b0 commit 3f6fed5
Showing 1 changed file with 26 additions and 0 deletions.
26 changes: 26 additions & 0 deletions api/services_tokens.go
Expand Up @@ -2,10 +2,13 @@ package api

import (
"encoding/json"
"errors"
"fmt"
"net/http"
"net/url"
"os"
"path/filepath"
"strings"

"github.com/canonical/lxd/lxd/response"
"github.com/canonical/microcluster/rest"
Expand All @@ -27,6 +30,24 @@ var ServiceTokensCmd = func(sh *service.Handler) rest.Endpoint {
}
}

func IsSafeVarPath(path string) error {
absPath, err := filepath.Abs(path)
if err != nil {
return err
}

varDir := os.Getenv("LXD_DIR")
if varDir == "" {
varDir = "/var/lib/lxd"
}

if !strings.HasPrefix(absPath, varDir) {
return errors.New("Absolute path is outside the default LXD path")
}

return nil
}

// serviceTokensPost issues a token for service using the MicroCloud proxy.
// Normally a token request to a service would be restricted to trusted systems,
// so this endpoint validates the mDNS auth token and then proxies the request to the local unix socket of the remote system.
Expand All @@ -44,6 +65,11 @@ func serviceTokensPost(s *state.State, r *http.Request) response.Response {
return response.BadRequest(err)
}

err = IsSafeVarPath(req.JoinerName)
if err != nil {
return response.SmartError(err)
}

_ = os.MkdirAll(req.JoinerName, 0700)

Check failure

Code scanning / CodeQL

Uncontrolled data used in path expression High

This path depends on a user-provided value.

sh, err := service.NewHandler(s.Name(), req.ClusterAddress, s.OS.StateDir, false, false, types.ServiceType(serviceType))
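Review bot: The containment test in IsSafeVarPath, `strings.HasPrefix(absPath, varDir)`, compares raw strings rather than path components, so a path that merely begins with the same characters as the LXD directory (for example a sibling directory sharing the prefix) is accepted, and an `LXD_DIR` value with a trailing slash or in relative form changes what matches. Clean the base and require a separator boundary, e.g. `base := filepath.Clean(varDir)` followed by `if absPath != base && !strings.HasPrefix(absPath, base+string(filepath.Separator)) {`. filepath.Abs only normalises lexically, so symlinks below the base are not resolved, and the call site in serviceTokensPost still passes the original `req.JoinerName` to `os.MkdirAll` (with its error discarded) rather than the validated absolute path, which is probably why the CodeQL alert remains on that line. The exported function also lacks a doc comment; `// IsSafeVarPath returns an error unless path resolves lexically to a location inside LXD_DIR (default /var/lib/lxd).` would state the contract.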
