GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → cyphar → filepath-securejoin

cyphar / filepath-securejoin

Licence: BSD-3-Clause License
Proposed filepath.SecureJoin implementation

Programming Languages

go
31211 projects - #10 most used programming language

Labels

filesystemsymlink

Projects that are alternatives of or similar to filepath-securejoin

parallel-disk-usage
Highly parallelized, blazing fast directory tree analyzer
Stars: ✭ 145 (+137.7%)
Mutual labels:  filesystem
DroidFS
Encrypted overlay filesystems implementation for Android. Also available on gitea: https://forge.chapril.org/hardcoresushi/DroidFS
Stars: ✭ 152 (+149.18%)
Mutual labels:  filesystem
Zeus
🔭 A modern cross platform `ls` with powerful searching and querying capabilities to scale your productivity to the moon 🚀 (and yeah it has file explorer like capabilities too 🤫)
Stars: ✭ 75 (+22.95%)
Mutual labels:  filesystem
dotfiles
Config files for i3, polybar, rofi, mpv, Xresources, kitty and some bash-things...
Stars: ✭ 52 (-14.75%)
Mutual labels:  symlink
SharpLink
Create file system symbolic links from low privileged user accounts within PowerShell
Stars: ✭ 51 (-16.39%)
Mutual labels:  symlink
go-mtree
File systems verification utility and library, in likeness of mtree(8)
Stars: ✭ 55 (-9.84%)
Mutual labels:  filesystem
FireFiles
Powerful Android File Manager for everything that runs on Android OS (Android TV, Android Watch, Mobile, etc)
Stars: ✭ 37 (-39.34%)
Mutual labels:  filesystem
fs.smbfs
Pyfilesystem2 over SMB using pysmb
Stars: ✭ 21 (-65.57%)
Mutual labels:  filesystem
redis-fs
Mount a Redis database as a filesystem using fuse.
Stars: ✭ 76 (+24.59%)
Mutual labels:  filesystem
haxe-files
A haxelib for cross-platform filesystem operations.
Stars: ✭ 36 (-40.98%)
Mutual labels:  filesystem
asl
A C++ cross-platform library including JSON, XML, HTTP, Sockets, WebSockets, threads, processes, logs, file system, CSV, INI files, etc.
Stars: ✭ 44 (-27.87%)
Mutual labels:  filesystem
consul-generator
📦 Creates files from consul keys
Stars: ✭ 15 (-75.41%)
Mutual labels:  filesystem
storage
Go package for abstracting local, in-memory, and remote (Google Cloud Storage/S3) filesystems
Stars: ✭ 49 (-19.67%)
Mutual labels:  filesystem
mongoose-gridfs
mongoose gridfs on top of new gridfs api
Stars: ✭ 79 (+29.51%)
Mutual labels:  filesystem
fs-changes
A persistent file system changes monitor, backed by leveldb
Stars: ✭ 12 (-80.33%)
Mutual labels:  filesystem
replace-in-files
Replace text in one or more files or globs.
Stars: ✭ 21 (-65.57%)
Mutual labels:  filesystem
aeon
AEON is an In-place file system designed for non-volatile memories.
Stars: ✭ 13 (-78.69%)
Mutual labels:  filesystem
littlefs2
Idiomatic Rust API for littlefs
Stars: ✭ 19 (-68.85%)
Mutual labels:  filesystem
FSMon
File system monitoring utility written in plain PHP
Stars: ✭ 12 (-80.33%)
Mutual labels:  filesystem
yorm
Automatic object-YAML mapping for Python.
Stars: ✭ 23 (-62.3%)
Mutual labels:  filesystem
View All Similar Projects ➔

filepath-securejoin

Build Status

An implementation of SecureJoin, a candidate for inclusion in the Go standard library. The purpose of this function is to be a "secure" alternative to filepath.Join, and in particular it provides certain guarantees that are not provided by filepath.Join.

NOTE: This code is only safe if you are not at risk of other processes modifying path components after you've used SecureJoin. If it is possible for a malicious process to modify path components of the resolved path, then you will be vulnerable to some fairly trivial TOCTOU race conditions. There are some Linux kernel patches I'm working on which might allow for a better solution.

In addition, with a slightly modified API it might be possible to use O_PATH and verify that the opened path is actually the resolved one -- but I have not done that yet. I might add it in the future as a helper function to help users verify the path (we can't just return /proc/self/fd/<foo> because that doesn't always work transparently for all users).

This is the function prototype:

func SecureJoin(root, unsafePath string) (string, error)

This library guarantees the following:

  • If no error is set, the resulting string must be a child path of root and will not contain any symlink path components (they will all be expanded).

  • When expanding symlinks, all symlink path components must be resolved relative to the provided root. In particular, this can be considered a userspace implementation of how chroot(2) operates on file paths. Note that these symlinks will not be expanded lexically (filepath.Clean is not called on the input before processing).

  • Non-existent path components are unaffected by SecureJoin (similar to filepath.EvalSymlinks's semantics).

  • The returned path will always be filepath.Cleaned and thus not contain any .. components.

A (trivial) implementation of this function on GNU/Linux systems could be done with the following (note that this requires root privileges and is far more opaque than the implementation in this library, and also requires that readlink is inside the root path):

package securejoin

import (
	"os/exec"
	"path/filepath"
)

func SecureJoin(root, unsafePath string) (string, error) {
	unsafePath = string(filepath.Separator) + unsafePath
	cmd := exec.Command("chroot", root,
		"readlink", "--canonicalize-missing", "--no-newline", unsafePath)
	output, err := cmd.CombinedOutput()
	if err != nil {
		return "", err
	}
	expanded := string(output)
	return filepath.Join(root, expanded), nil
}

License

The license of this project is the same as Go, which is a BSD 3-clause license available in the LICENSE file.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].