fix(#141): harden docmap file path — confine to repo-root, reject symlinks, cap size
PR Ready Gate / clear-labels (pull_request) Successful in 1s
CI / test (pull_request) Successful in 17s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 39s
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m22s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m46s
PR Ready Gate / clear-labels (pull_request) Successful in 1s
CI / test (pull_request) Successful in 17s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 39s
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m22s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m46s
Address security-review-bot REQUEST_CHANGES findings on PR #142: MAJOR (Finding #1): Docmap file path was read directly without validating it is within --repo-root or checking for symlinks. A malicious PR could create .review-bot/doc-map.yml as a symlink to /dev/zero (resource exhaustion) or an arbitrary host file (information disclosure). Fix: Add validateDocmapPath() called before ParseDocMapConfig(). It: - Resolves --repo-root first (filepath.Abs + EvalSymlinks), moved up before docmap parsing so both checks share the same resolved root - Uses os.Lstat to detect symlinks and rejects them outright - Confirms the docmap path is within resolvedRoot via filepath.Rel - Checks file size against maxDocmapBytes (10 MB) before reading MINOR (Finding #2): No upper bound on docmap YAML size. Fix: os.Lstat size check enforces maxDocmapBytes cap before os.ReadFile. Tests: - TestValidateDocmapPath_Symlink: docmap is a symlink → exit 2 - TestValidateDocmapPath_OutsideRepoRoot: docmap outside repo-root → exit 2 - TestValidateDocmapPath_SizeLimit: docmap exceeds 10 MB cap → exit 2 - Updated all existing tests to use makeDocmapInDir() so the docmap lives inside the repo-root, satisfying the new confinement check
This commit is contained in:
Rodin
@@ -12,7 +12,59 @@ import (
|
||||
"gitea.weiker.me/rodin/review-bot/review"
|
||||
)
|
||||
|
||||
// runValidateDocmap implements the `review-bot validate-docmap` subcommand.
|
||||
// maxDocmapBytes is the maximum size of the doc-map YAML file that will be
|
||||
// read. Files larger than this are rejected before reading to prevent memory
|
||||
// exhaustion from an oversized PR-controlled file.
|
||||
const maxDocmapBytes int64 = 10 * 1024 * 1024 // 10 MB
|
||||
|
||||
// validateDocmapPath checks that localPath is safe to read as the doc-map
|
||||
// file. It enforces three invariants before the file is opened:
|
||||
//
|
||||
// 1. The path resolves to a regular file within resolvedRoot (path
|
||||
// confinement): prevents a PR-controlled --docmap from reading arbitrary
|
||||
// host files via absolute paths or ".." traversal.
|
||||
// 2. The path is not a symlink: prevents denial-of-service via /dev/zero or
|
||||
// information disclosure via symlinks that point outside the workspace.
|
||||
// 3. The file does not exceed maxDocmapBytes: prevents memory exhaustion
|
||||
// from an oversized but legitimately committed doc-map file.
|
||||
//
|
||||
// resolvedRoot must already be an absolute, symlink-free path (obtained from
|
||||
// filepath.Abs + filepath.EvalSymlinks).
|
||||
func validateDocmapPath(localPath, resolvedRoot string) error {
|
||||
// Resolve the docmap path to an absolute path.
|
||||
absPath, err := filepath.Abs(localPath)
|
||||
if err != nil {
|
||||
return fmt.Errorf("cannot resolve path: %w", err)
|
||||
}
|
||||
|
||||
// Lstat: do NOT follow symlinks. We want to inspect the entry itself.
|
||||
fi, err := os.Lstat(absPath)
|
||||
if err != nil {
|
||||
return fmt.Errorf("cannot stat file: %w", err)
|
||||
}
|
||||
|
||||
// Reject symlinks outright — a symlink can point to /dev/zero or arbitrary
|
||||
// host paths, bypassing both the confinement check and the size check.
|
||||
if fi.Mode()&os.ModeSymlink != 0 {
|
||||
return fmt.Errorf("symlinks are not allowed")
|
||||
}
|
||||
|
||||
// Confine to resolvedRoot: the cleaned absolute path must be a descendant
|
||||
// of the repo root. This catches paths that escaped via "..", absolute
|
||||
// paths that happen to be outside the root, etc.
|
||||
rel, err := filepath.Rel(resolvedRoot, absPath)
|
||||
if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
|
||||
return fmt.Errorf("path must be within --repo-root")
|
||||
}
|
||||
|
||||
// Enforce size cap before reading to prevent memory exhaustion.
|
||||
if fi.Size() > maxDocmapBytes {
|
||||
return fmt.Errorf("file size %d bytes exceeds %d-byte limit", fi.Size(), maxDocmapBytes)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
//
|
||||
// It reads changed file paths from stdin (one per line, as produced by
|
||||
// `git diff --name-only`), parses a doc-map YAML file, and performs two checks:
|
||||
@@ -51,6 +103,36 @@ func runValidateDocmap(args []string) int {
|
||||
return 2
|
||||
}
|
||||
|
||||
// Resolve repoRoot first — the docmap path is validated against it below.
|
||||
// Use an absolute, symlink-free path so a symlinked --repo-root cannot
|
||||
// bypass the escape guard in validateDocmapPath or checkStaleDocs.
|
||||
absRoot, err := filepath.Abs(*repoRootFlag)
|
||||
if err != nil {
|
||||
fmt.Fprintf(errWriter, "Error: failed to resolve --repo-root %q: %v\n", *repoRootFlag, err)
|
||||
return 2
|
||||
}
|
||||
resolvedRoot, err := filepath.EvalSymlinks(absRoot)
|
||||
if err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
fmt.Fprintf(errWriter, "Error: --repo-root %q does not exist\n", *repoRootFlag)
|
||||
} else {
|
||||
fmt.Fprintf(errWriter, "Error: failed to resolve --repo-root %q: %v\n", *repoRootFlag, err)
|
||||
}
|
||||
return 2
|
||||
}
|
||||
|
||||
// Harden the docmap file path before reading it. The --docmap flag value
|
||||
// may reference a PR-controlled file (e.g. .review-bot/doc-map.yml).
|
||||
// Validate that it:
|
||||
// 1. Resolves within resolvedRoot (prevent reading arbitrary host files).
|
||||
// 2. Is not a symlink (prevent /dev/zero or symlink-based host probing).
|
||||
// 3. Does not exceed maxDocmapBytes (prevent memory exhaustion from an
|
||||
// oversized committed file).
|
||||
if err := validateDocmapPath(*docmapFlag, resolvedRoot); err != nil {
|
||||
fmt.Fprintf(errWriter, "Error: --docmap %q is invalid: %v\n", *docmapFlag, err)
|
||||
return 2
|
||||
}
|
||||
|
||||
// Parse docmap YAML.
|
||||
cfg, err := review.ParseDocMapConfig(*docmapFlag)
|
||||
if err != nil {
|
||||
@@ -90,23 +172,6 @@ func runValidateDocmap(args []string) int {
|
||||
}
|
||||
|
||||
// --- Check 2: Stale docs ---
|
||||
// Resolve repoRoot to an absolute, symlink-free path before any Rel checks
|
||||
// so that a symlinked --repo-root cannot be used to bypass the escape
|
||||
// guard in checkStaleDocs.
|
||||
absRoot, err := filepath.Abs(*repoRootFlag)
|
||||
if err != nil {
|
||||
fmt.Fprintf(errWriter, "Error: failed to resolve --repo-root %q: %v\n", *repoRootFlag, err)
|
||||
return 2
|
||||
}
|
||||
resolvedRoot, err := filepath.EvalSymlinks(absRoot)
|
||||
if err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
fmt.Fprintf(errWriter, "Error: --repo-root %q does not exist\n", *repoRootFlag)
|
||||
} else {
|
||||
fmt.Fprintf(errWriter, "Error: failed to resolve --repo-root %q: %v\n", *repoRootFlag, err)
|
||||
}
|
||||
return 2
|
||||
}
|
||||
// checkStaleDocs validates each path before touching the filesystem; see
|
||||
// its documentation for the path-traversal hardening applied.
|
||||
staleDocs := checkStaleDocs(cfg, resolvedRoot)
|
||||
|
||||
Reference in New Issue
Block a user