Impact
It is possible to create an RRDP snapshot containing an object whose URL contains relative path segments (including '..'), causing data to be written outside of the dedicated rsync repository directory.
E.g. the following object in the RRDP snapshot would write a file PATH_INJECTION.txt outside of the repository directory:
<publish uri="rsync://rsync.host.net/repository/../../../../../../tmp/PATH_INJECTION.txt"> UGF0aCBpbmplY3Rpb24g4pyFCg== </publish>
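As an added illustration (not rsyncit's own code, nor the fix contained in the listed commits), the following Rust check maps a publish URI onto the local repository directory segment by segment and refuses the URI shown above; the function name, `repo_dir` and the `repo_uri` prefix are assumptions.

```rust
use std::path::{Path, PathBuf};

/// Reasons a <publish> URI is refused before anything is written to disk.
#[derive(Debug, PartialEq)]
pub enum UriError {
    NotRsync,
    OutsideRepository,
    BadSegment(String),
}

/// Map an RRDP publish URI onto a file path below `repo_dir`, the local
/// directory mirroring `repo_uri` (assumed to end with '/', e.g.
/// "rsync://rsync.host.net/repository/"). Each segment is validated on its
/// own, so "..", ".", empty segments and embedded separators can never move
/// the target out of `repo_dir`. Run this on the decoded form of the URI.
pub fn target_path(repo_dir: &Path, repo_uri: &str, publish_uri: &str) -> Result<PathBuf, UriError> {
    if !publish_uri.starts_with("rsync://") {
        return Err(UriError::NotRsync);
    }
    // The object must belong to the repository this process mirrors.
    let rel = publish_uri.strip_prefix(repo_uri).ok_or(UriError::OutsideRepository)?;
    let mut out = repo_dir.to_path_buf();
    for seg in rel.split('/') {
        match seg {
            "" | "." | ".." => return Err(UriError::BadSegment(seg.to_string())),
            s if s.contains('\\') || s.contains('\0') => return Err(UriError::BadSegment(s.to_string())),
            s => out.push(s),
        }
    }
    Ok(out)
}
```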
Patches
290d699
e183d58
These patches are part of the version 0.4.2 release.
Workarounds
The rsyncit process SHOULD run without write permissions outside of the repository directory. When rsyncit runs in a Docker container, the container SHOULD NOT have any filesystem mounts other than the directory allocated for the rsync repository.