243 lines
8.5 KiB
TypeScript
243 lines
8.5 KiB
TypeScript
import {
|
|
accessSync,
|
|
closeSync,
|
|
constants,
|
|
fstatSync,
|
|
lstatSync,
|
|
mkdirSync,
|
|
openSync,
|
|
readFileSync,
|
|
} from 'node:fs';
|
|
import { platform } from 'node:os';
|
|
import { dirname, isAbsolute, relative, resolve, sep } from 'node:path';
|
|
|
|
export interface SecureFileReadOptions {
|
|
root: string;
|
|
maxBytes?: number;
|
|
executable?: boolean;
|
|
}
|
|
|
|
export interface SecureFileSnapshot {
|
|
content: Buffer;
|
|
mode: number;
|
|
dev: number | bigint;
|
|
ino: number | bigint;
|
|
}
|
|
|
|
function sameIdentity(
|
|
left: { dev: number | bigint; ino: number | bigint },
|
|
right: { dev: number | bigint; ino: number | bigint },
|
|
): boolean {
|
|
return left.dev === right.dev && left.ino === right.ino;
|
|
}
|
|
|
|
function secureFilesystemError(message: string, cause: unknown): Error {
|
|
const error = new Error(message);
|
|
if (cause instanceof Error && 'code' in cause && typeof cause.code === 'string') {
|
|
Object.defineProperty(error, 'code', { value: cause.code, enumerable: true });
|
|
}
|
|
return error;
|
|
}
|
|
|
|
function closeDescriptors(descriptors: number[]): void {
|
|
for (const fd of descriptors.reverse()) {
|
|
try {
|
|
closeSync(fd);
|
|
} catch {
|
|
// Best-effort cleanup must not replace the security decision already made.
|
|
}
|
|
}
|
|
}
|
|
|
|
function procDescriptorPath(fd: number, component?: string): string {
|
|
const descriptor = `/proc/self/fd/${fd}`;
|
|
return component === undefined ? descriptor : `${descriptor}/${component}`;
|
|
}
|
|
|
|
/**
|
|
* Hold each directory while opening its child through Linux proc-fd. The only
|
|
* symlink followed is the kernel-owned descriptor link; O_NOFOLLOW protects
|
|
* every appended filesystem component from substitution.
|
|
*/
|
|
function openDirectoryChain(absoluteDirectory: string): { fd: number; descriptors: number[] } {
|
|
if (platform() !== 'linux') {
|
|
throw new Error('secure descriptor traversal is unsupported on this platform');
|
|
}
|
|
|
|
const descriptors: number[] = [];
|
|
try {
|
|
let fd = openSync(sep, constants.O_RDONLY | constants.O_DIRECTORY | constants.O_NOFOLLOW);
|
|
descriptors.push(fd);
|
|
for (const component of absoluteDirectory.split(sep).filter(Boolean)) {
|
|
fd = openSync(
|
|
procDescriptorPath(fd, component),
|
|
constants.O_RDONLY | constants.O_DIRECTORY | constants.O_NOFOLLOW,
|
|
);
|
|
descriptors.push(fd);
|
|
if (!fstatSync(fd).isDirectory()) {
|
|
throw new Error('secure descriptor traversal encountered a non-directory component');
|
|
}
|
|
}
|
|
return { fd, descriptors };
|
|
} catch (error) {
|
|
closeDescriptors(descriptors);
|
|
throw secureFilesystemError(
|
|
'secure descriptor traversal failed: symbolic link, unavailable, or not a directory',
|
|
error,
|
|
);
|
|
}
|
|
}
|
|
|
|
function openFileBeneathRoot(root: string, target: string): { fd: number; descriptors: number[] } {
|
|
const canonicalRoot = resolve(root);
|
|
const canonicalTarget = resolve(target);
|
|
assertCanonicalContainment(canonicalRoot, canonicalTarget);
|
|
const components = relative(canonicalRoot, canonicalTarget).split(sep).filter(Boolean);
|
|
const fileName = components.pop();
|
|
if (fileName === undefined) throw new Error('managed file path names the managed root');
|
|
|
|
const rootChain = openDirectoryChain(canonicalRoot);
|
|
try {
|
|
let parentFd = rootChain.fd;
|
|
for (const component of components) {
|
|
try {
|
|
parentFd = openSync(
|
|
procDescriptorPath(parentFd, component),
|
|
constants.O_RDONLY | constants.O_DIRECTORY | constants.O_NOFOLLOW,
|
|
);
|
|
} catch (error) {
|
|
throw secureFilesystemError(
|
|
'path ancestor is a symbolic link, unavailable, or not a directory',
|
|
error,
|
|
);
|
|
}
|
|
rootChain.descriptors.push(parentFd);
|
|
if (!fstatSync(parentFd).isDirectory()) {
|
|
throw new Error('path ancestor is a symbolic link or not a directory');
|
|
}
|
|
}
|
|
let fd: number;
|
|
try {
|
|
fd = openSync(
|
|
procDescriptorPath(parentFd, fileName),
|
|
constants.O_RDONLY | constants.O_NONBLOCK | constants.O_NOFOLLOW,
|
|
);
|
|
} catch (error) {
|
|
throw secureFilesystemError('file is a symbolic link or unavailable', error);
|
|
}
|
|
rootChain.descriptors.push(fd);
|
|
return { fd, descriptors: rootChain.descriptors };
|
|
} catch (error) {
|
|
closeDescriptors(rootChain.descriptors);
|
|
if (error instanceof Error) throw error;
|
|
throw new Error('secure managed file open failed');
|
|
}
|
|
}
|
|
|
|
export function assertCanonicalContainment(root: string, target: string): void {
|
|
const canonicalRoot = resolve(root);
|
|
const canonicalTarget = resolve(target);
|
|
const rel = relative(canonicalRoot, canonicalTarget);
|
|
if (rel === '..' || rel.startsWith(`..${sep}`) || isAbsolute(rel)) {
|
|
throw new Error(`path escapes managed root ${canonicalRoot}: ${canonicalTarget}`);
|
|
}
|
|
}
|
|
|
|
/** Reject every symlink from the filesystem root through the target's parent. */
|
|
export function assertNoSymlinkAncestors(target: string): void {
|
|
const absolute = resolve(target);
|
|
const parent = dirname(absolute);
|
|
const pieces = parent.split(sep).filter(Boolean);
|
|
let cursor: string = sep;
|
|
for (const piece of pieces) {
|
|
cursor = resolve(cursor, piece);
|
|
const stat = lstatSync(cursor);
|
|
if (stat.isSymbolicLink()) throw new Error(`path ancestor is a symbolic link: ${cursor}`);
|
|
if (!stat.isDirectory()) throw new Error(`path ancestor is not a directory: ${cursor}`);
|
|
}
|
|
}
|
|
|
|
export function ensureManagedDirectory(root: string, directory: string): void {
|
|
assertCanonicalContainment(root, directory);
|
|
const canonicalRoot = resolve(root);
|
|
const canonicalDirectory = resolve(directory);
|
|
assertNoSymlinkAncestors(canonicalRoot);
|
|
try {
|
|
const rootStat = lstatSync(canonicalRoot);
|
|
if (rootStat.isSymbolicLink() || !rootStat.isDirectory()) {
|
|
throw new Error(`managed root is not a real directory: ${canonicalRoot}`);
|
|
}
|
|
} catch (error) {
|
|
if (!(error instanceof Error && 'code' in error && error.code === 'ENOENT')) throw error;
|
|
mkdirSync(canonicalRoot, { mode: 0o700 });
|
|
const rootStat = lstatSync(canonicalRoot);
|
|
if (rootStat.isSymbolicLink() || !rootStat.isDirectory()) {
|
|
throw new Error(`managed root creation was redirected: ${canonicalRoot}`);
|
|
}
|
|
}
|
|
const rel = relative(canonicalRoot, canonicalDirectory);
|
|
let cursor = canonicalRoot;
|
|
for (const piece of rel.split(sep).filter(Boolean)) {
|
|
cursor = resolve(cursor, piece);
|
|
try {
|
|
const stat = lstatSync(cursor);
|
|
if (stat.isSymbolicLink()) throw new Error(`path ancestor is a symbolic link: ${cursor}`);
|
|
if (!stat.isDirectory()) throw new Error(`path ancestor is not a directory: ${cursor}`);
|
|
} catch (error) {
|
|
if (!(error instanceof Error && 'code' in error && error.code === 'ENOENT')) throw error;
|
|
mkdirSync(cursor, { mode: 0o700 });
|
|
const created = lstatSync(cursor);
|
|
if (!created.isDirectory() || created.isSymbolicLink()) {
|
|
throw new Error(`managed directory creation was redirected: ${cursor}`);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Read a regular file through an O_NOFOLLOW descriptor. The inode is checked
|
|
* before and after access/read, and executable access is tested against the
|
|
* already-open descriptor so path replacement cannot redirect the check.
|
|
*/
|
|
export function readRegularFileSecure(
|
|
path: string,
|
|
options: SecureFileReadOptions,
|
|
): SecureFileSnapshot {
|
|
const openedFile = openFileBeneathRoot(options.root, path);
|
|
try {
|
|
const opened = fstatSync(openedFile.fd);
|
|
if (!opened.isFile()) throw new Error('managed file is not a regular file');
|
|
if (options.maxBytes !== undefined && opened.size > options.maxBytes) {
|
|
throw new Error(`managed file exceeds ${options.maxBytes} bytes`);
|
|
}
|
|
if (options.executable) {
|
|
try {
|
|
accessSync(procDescriptorPath(openedFile.fd), constants.X_OK);
|
|
} catch (error) {
|
|
throw secureFilesystemError('managed file is not executable', error);
|
|
}
|
|
const afterAccess = fstatSync(openedFile.fd);
|
|
if (!afterAccess.isFile() || !sameIdentity(opened, afterAccess)) {
|
|
throw new Error('managed file changed during executable access check');
|
|
}
|
|
}
|
|
|
|
const content = readFileSync(openedFile.fd);
|
|
const after = fstatSync(openedFile.fd);
|
|
if (!after.isFile() || !sameIdentity(opened, after)) {
|
|
throw new Error('managed file changed during secure read');
|
|
}
|
|
if (options.maxBytes !== undefined && content.byteLength > options.maxBytes) {
|
|
throw new Error(`managed file exceeds ${options.maxBytes} bytes`);
|
|
}
|
|
return {
|
|
content,
|
|
mode: Number(opened.mode),
|
|
dev: opened.dev,
|
|
ino: opened.ino,
|
|
};
|
|
} finally {
|
|
closeDescriptors(openedFile.descriptors);
|
|
}
|
|
}
|