7efe8bbfbf
Security Fixes: - CVE-2024-45339: Add O_EXCL flag to temp file creation in storage_write_entries() Prevents symlink attacks on predictable .tmp file paths - CVE-2025-47290: Use openat_nofollow() in storage_open() Closes TOCTOU race condition via path_sanitizer infrastructure - CVE-2025-0838: Add MAX_BATCH_SIZE=10000 to add_tasks() Prevents integer overflow in batch operations Research Trustworthiness (dataset_hash): - Deterministic file ordering: std::sort after collect_files() - Recursive directory traversal: depth-limited with cycle detection - Documented exclusions: hidden files and special files noted in API Bug Fixes: - R1: storage_init path validation for non-existent directories - R2: safe_strncpy return value check before strcat - R3: parallel_hash 256-file cap replaced with std::vector - R4: wire qi_compact_index/qi_rebuild_index stubs - R5: CompletionLatch race condition fix (hold mutex during decrement) - R6: ARMv8 SHA256 transform fix (save abcd_pre before vsha256hq_u32) - R7: fuzz_index_storage header format fix - R8: enforce null termination in add_tasks/update_tasks - R9: use 64 bytes (not 65) in combined hash to exclude null terminator - R10: status field persistence in save() New Tests: - test_recursive_dataset.cpp: Verify deterministic recursive hashing - test_storage_symlink_resistance.cpp: Verify CVE-2024-45339 fix - test_queue_index_batch_limit.cpp: Verify CVE-2025-0838 fix - test_sha256_arm_kat.cpp: ARMv8 known-answer tests - test_storage_init_new_dir.cpp: F1 verification - test_parallel_hash_large_dir.cpp: F3 verification - test_queue_index_compact.cpp: F4 verification All 8 native tests passing. Library ready for research lab deployment.
59 lines
1.6 KiB
C++
59 lines
1.6 KiB
C++
#include "path_sanitizer.h"
|
|
#include <fcntl.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
#include <limits.h>
|
|
|
|
namespace fetchml::common {
|
|
|
|
bool canonicalize_and_validate(const char* path, char* out_canonical, size_t out_size) {
|
|
if (!path || !out_canonical || out_size == 0) {
|
|
return false;
|
|
}
|
|
|
|
// Use realpath to canonicalize (resolves symlinks, removes .., etc.)
|
|
char* resolved = realpath(path, nullptr);
|
|
if (!resolved) {
|
|
return false;
|
|
}
|
|
|
|
// Check size
|
|
size_t len = strlen(resolved);
|
|
if (len >= out_size) {
|
|
free(resolved);
|
|
return false;
|
|
}
|
|
|
|
// Copy to output
|
|
memcpy(out_canonical, resolved, len + 1);
|
|
free(resolved);
|
|
|
|
// Additional validation: ensure no embedded nulls or control chars
|
|
for (size_t i = 0; i < len; i++) {
|
|
if (out_canonical[i] == '\0' || (unsigned char)out_canonical[i] < 32) {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
int open_dir_nofollow(const char* path) {
|
|
if (!path) return -1;
|
|
|
|
// Open with O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC
|
|
// O_NOFOLLOW ensures we don't follow symlinks
|
|
// O_DIRECTORY ensures it's actually a directory
|
|
return open(path, O_DIRECTORY | O_NOFOLLOW | O_RDONLY | O_CLOEXEC);
|
|
}
|
|
|
|
int openat_nofollow(int dir_fd, const char* filename, int flags, int mode) {
|
|
if (dir_fd < 0 || !filename) return -1;
|
|
|
|
// Use O_NOFOLLOW to prevent symlink attacks
|
|
// Use openat to open relative to directory fd
|
|
return openat(dir_fd, filename, flags | O_NOFOLLOW | O_CLOEXEC, mode);
|
|
}
|
|
|
|
} // namespace fetchml::common
|