authorSami Hiltunen <shiltunen@gitlab.com>2020-04-30 18:36:18 +0300
committerSami Hiltunen <shiltunen@gitlab.com>2020-04-30 19:07:50 +0300
commitf89b33baaa4b34db9444d92466921c1e4a0a66f5 (patch)
treed88c70165f0caec583463014f1791f8ea75824c0 /internal/cache
parent9bfdd53b6b9beca5f88500c8dd12d031d0fb6bc9 (diff)
improved path traversal protection
Currently relative paths are validated against path traversals, although in an incomplete manner. While relative paths with traversals do not cause problems for Gitaly in itself, we need to be sure that every path accessed lies within the storage directories to ensure RPC callers can't access arbitrary paths. This commit replaces the path traversal checks by checking that the relative paths refer to paths within the root of the storage or the storage root itself.
Diffstat (limited to 'internal/cache')
-rw-r--r--internal/cache/keyer.go4
1 files changed, 2 insertions, 2 deletions
diff --git a/internal/cache/keyer.go b/internal/cache/keyer.go
index 2deea4d36..223511d76 100644
--- a/internal/cache/keyer.go
+++ b/internal/cache/keyer.go
@@ -249,8 +249,8 @@ func getRepoStatePath(repo *gitalypb.Repository) (string, error) {
return "", fmt.Errorf("getRepoStatePath: relative path missing from %+v", repo)
}
- if helper.ContainsPathTraversal(relativePath) {
- return "", fmt.Errorf("getRepoStatePath: relative path can't contain directory traversal")
+ if _, err := helper.ValidateRelativePath(storage.Path, relativePath); err != nil {
+ return "", fmt.Errorf("getRepoStatePath: %s", err)
}
return filepath.Join(stateDir, relativePath), nil