Symlink test (#20)

* check referenced sources for out-of-bounds symlinks Signed-off-by: Michael Crenshaw <[email protected]>
crenshaw-dev · Dec 14, 2022 · ec55be5 · ec55be5
1 parent 7813195
commit ec55be5
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 0 deletions.
diff --git a/reposerver/repository/repository.go b/reposerver/repository/repository.go
@@ -652,6 +652,27 @@ func (s *Service) runManifestGenAsync(ctx context.Context, repoRoot, commitSHA,
 								ch.errCh <- fmt.Errorf("failed to get git client for repo %s", q.Repo.Repo)
 								return
 							}
+
+							if !s.initConstants.AllowOutOfBoundsSymlinks {
+								err := argopath.CheckOutOfBoundsSymlinks(gitClient.Root())
+								if err != nil {
+									oobError := &argopath.OutOfBoundsSymlinkError{}
+									if errors.As(err, &oobError) {
+										log.WithFields(log.Fields{
+											common.SecurityField: common.SecurityHigh,
+											"repo":               refSourceMapping.Repo,
+											"revision":           refSourceMapping.TargetRevision,
+											"file":               oobError.File,
+										}).Warn("repository contains out-of-bounds symlink")
+										ch.errCh <- fmt.Errorf("repository contains out-of-bounds symlinks. file: %s", oobError.File)
+										return
+									} else {
+										ch.errCh <- err
+										return
+									}
+								}
+							}
+
 							if git.NormalizeGitURL(q.ApplicationSource.RepoURL) == normalizedRepoURL && commitSHA != referencedCommitSHA {
 								ch.errCh <- fmt.Errorf("cannot reference a different revision of the same repository (%s references %q which resolves to %q while the application references %q which resolves to %q)", refVar, refSourceMapping.TargetRevision, referencedCommitSHA, q.Revision, commitSHA)
 								return

diff --git a/reposerver/repository/repository_test.go b/reposerver/repository/repository_test.go
@@ -325,6 +325,40 @@ func TestHelmChartReferencingExternalValues(t *testing.T) {
 	}, response)
 }
 
+func TestHelmChartReferencingExternalValues_OutOfBounds_Symlink(t *testing.T) {
+	service := newService(".")
+	err := os.Mkdir("testdata/oob-symlink", 0755)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		err = os.RemoveAll("testdata/oob-symlink")
+		require.NoError(t, err)
+	})
+	// Create a symlink to a file outside of the repo
+	err = os.Symlink("../../../values.yaml", "./testdata/oob-symlink/oob-symlink.yaml")
+	// Create a regular file to reference from another source
+	err = os.WriteFile("./testdata/oob-symlink/values.yaml", []byte("foo: bar"), 0644)
+	require.NoError(t, err)
+	spec := argoappv1.ApplicationSpec{
+		Sources: []argoappv1.ApplicationSource{
+			{RepoURL: "https://helm.example.com", Chart: "my-chart", TargetRevision: ">= 1.0.0", Helm: &argoappv1.ApplicationSourceHelm{
+				// Reference `ref` but do not use the oob symlink. The mere existence of the link should be enough to
+				// cause an error.
+				ValueFiles: []string{"$ref/testdata/oob-symlink/values.yaml"},
+			}},
+			{Ref: "ref", RepoURL: "https://git.example.com/test/repo"},
+		},
+	}
+	repoDB := &dbmocks.ArgoDB{}
+	repoDB.On("GetRepository", context.Background(), "https://git.example.com/test/repo").Return(&argoappv1.Repository{
+		Repo: "https://git.example.com/test/repo",
+	}, nil)
+	refSources, err := argo.GetRefSources(context.Background(), spec, repoDB)
+	require.NoError(t, err)
+	request := &apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &spec.Sources[0], NoCache: true, RefSources: refSources, HasMultipleSources: true}
+	_, err = service.GenerateManifest(context.Background(), request)
+	assert.Error(t, err)
+}
+
 func TestGenerateManifestsUseExactRevision(t *testing.T) {
 	service, gitClient := newServiceWithMocks(".", false)