[SNOW-1156046] fix toctou vulnerability in EasyLogginConfig #925
Conversation
sfc-gh-erojaslizano
force-pushed
the
SNOW-1156046-Fix-Toctou-race-condition
branch
from
fa7df40 to
cc5e12c
Compare
| { | ||
| using (StreamReader reader = new StreamReader(fileStream)) | ||
| { | ||
| CheckIfValidPermissions(filePath); |
There was a problem hiding this comment.
Unfortunately, it's still prone to race condition because the filepath is used. First, you open the FileStream and then (milliseconds later) you make the check calling _unixOperations.CheckFileHasAnyOfPermissions that opens the file again. It is possible that between these two opens the file under the path is changed: imagine the path to check is ./my.conf, which initially is a symbolic link to /tmp/bad.conf, and milliseconds later it is repointed to /home/user/valid.conf by the bad actor to make the check pass.
One way to do this securely is to open the file once and from this moment operate only on its handle. You can obtain the handle to the file using FileStream.SafeFileHandle and pass it to File.GetUnixFileMode(SafeFileHandle) to obtain permissions, and check them in a way that is not prone to race conditions.
There was a problem hiding this comment.
Hi @sfc-gh-kkatowiczkowalewski I made the change to use the SafeFileHandle but it only works on net8.0 so I make some conditional compilation to work around that.
I'm still working on the updating the failing test
There was a problem hiding this comment.
We will proceed this way: https://github.com/snowflakedb/SecureUnixLibrary/blob/main/UnixMonoPOC/SecureUnix.cs
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #925 +/- ##
==========================================
- Coverage 85.55% 85.13% -0.42%
==========================================
Files 106 106
Lines 10777 10782 +5
Branches 1032 1033 +1
==========================================
- Hits 9220 9179 -41
- Misses 1307 1352 +45
- Partials 250 251 +1 ☔ View full report in Codecov by Sentry. |
sfc-gh-erojaslizano
force-pushed
the
SNOW-1156046-Fix-Toctou-race-condition
branch
from
076b56c to
4b15d4d
Compare
|
I have read the CLA Document and I hereby sign the CLA |
| } | ||
|
|
||
| #if NET8_0_OR_GREATER | ||
| var unixFileMode = File.GetUnixFileMode(fileStream.SafeFileHandle); |
There was a problem hiding this comment.
Can we exclude Mono.Unix from dependencies for .NET 8? @sfc-gh-knozderko wdyt?
There was a problem hiding this comment.
I tried but there are many other places that uses de Mono.Unix. If this change is needed I prefer to do it in a a new task instead
| var hasPermissions = !(((UnixFileMode.GroupWrite | UnixFileMode.OtherWrite) & unixFileMode) != 0); | ||
| #else | ||
| var entitlements = FileAccessPermissions.GroupWrite | FileAccessPermissions.OtherWrite; | ||
| var hasPermissions = !_unixOperations.CheckFileHasAnyOfPermissions(filePath, entitlements); |
There was a problem hiding this comment.
'hasPermissions' name suggests that the file has permissions specified. Maybe remove negations and if hasPermissions then throw an exception.
There was a problem hiding this comment.
I changed the variable from 'haspermission' to a more clear 'hasGroupOrOtherWritePermissions' and inverted the if statement to throw the exception if true.
this was done in 9a2925b
sfc-gh-erojaslizano
force-pushed
the
SNOW-1156046-Fix-Toctou-race-condition
branch
from
9a2925b to
29fa29f
Compare
Description
Invert the order, first read the file and then check the permissions.
Checklist
dotnet test)