permission: fix fs allowlist bypass on shared path prefixes#63813
Open
uwezkhan wants to merge 1 commit into
Open
permission: fix fs allowlist bypass on shared path prefixes#63813uwezkhan wants to merge 1 commit into
uwezkhan wants to merge 1 commit into
Conversation
Inserting a path through an existing radix tree split node marked that intermediate node as an end node, so a shared prefix of several granted paths was treated as granted on its own. Mark a node as an end node only when the inserted path terminates exactly at it.
Collaborator
|
Review requested:
|
nodejs-github-bot
added
c++
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
CreateChildin the fs permission radix tree marks a node as an end node whenever an inserted path runs through it, not only when a granted path ends there. Allowing three or more paths that share a common prefix is enough to trigger it: with--allow-fs-readset to/var/log/app1.log,/var/log/app2.logand/var/log/app3.log, the shared split node/var/log/appgets flagged as a leaf, andpermission.has('fs.read', '/var/log/app')then returns true for a path that was never granted.Before, the node was flagged the moment its prefix was fully matched, even when more of the inserted path remained to descend into. After, it is flagged only when the inserted path terminates exactly at that node. The tradeoff is nil for legitimate use: explicit grants, wildcard grants, and the end-node-with-children case from the comment above (
/slowinserted after/slowerand/slown) all keep working; the single behavioral change is that an unallowed common prefix is no longer treated as granted.