revendor teleport / bump etcd (#650)

* bump planet with etcd clients restart fix * revendor teleport with fixes for doyensec security findings * fix interface change * fix tar path sanitization when link path is absolute (#19) * fix tar path sanitization when link path is absolute * don't mangle extracted links, just generate an error instead * update path sanitization unit tests to reflect changes in handling absolute paths * fix extra newline * revendor teleport * bump planet to avoid time drift check * revendor teleport
gravitational · Sep 18, 2019 · 0d12e6d · 0d12e6d
1 parent 89b3922
commit 0d12e6d
Show file tree

Hide file tree

Showing 77 changed files with 3,401 additions and 598 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/Gopkg.toml b/Gopkg.toml
@@ -32,7 +32,7 @@ ignored = [
 
 [[override]]
   name = "github.com/gravitational/trace"
-  version = "=1.1.7"
+  version = "=1.1.8"
 
 [[override]]
   name = "github.com/mitchellh/go-ps"

diff --git a/Makefile b/Makefile
@@ -42,7 +42,7 @@ RELEASE_OUT ?=
 TELEPORT_TAG = 3.0.5
 # TELEPORT_REPOTAG adapts TELEPORT_TAG to the teleport tagging scheme
 TELEPORT_REPOTAG := v$(TELEPORT_TAG)
-PLANET_TAG := 5.5.23-$(K8S_VER_SUFFIX)
+PLANET_TAG := 5.5.26-$(K8S_VER_SUFFIX)
 PLANET_BRANCH := $(PLANET_TAG)
 K8S_APP_TAG := $(GRAVITY_TAG)
 TELEKUBE_APP_TAG := $(GRAVITY_TAG)

diff --git a/lib/archive/archive.go b/lib/archive/archive.go
@@ -394,13 +394,20 @@ func SanitizeTarPath(header *tar.Header, dir string) error {
 	// Security: sanitize that all tar paths resolve to within the destination directory
 	destPath := filepath.Join(dir, header.Name)
 	if !strings.HasPrefix(destPath, filepath.Clean(dir)+string(os.PathSeparator)) {
-		return trace.BadParameter("%s: illegal file path", header.Name)
+		return trace.BadParameter("%s: illegal file path", header.Name).AddField("prefix", dir)
 	}
 	// Security: Ensure link destinations resolve to within the destination directory
 	if header.Linkname != "" {
-		linkPath := filepath.Join(dir, header.Linkname)
-		if !strings.HasPrefix(linkPath, filepath.Clean(dir)+string(os.PathSeparator)) {
-			return trace.BadParameter("%s: illegal link path", header.Linkname)
+		if filepath.IsAbs(header.Linkname) {
+			if !strings.HasPrefix(filepath.Clean(header.Linkname), filepath.Clean(dir)+string(os.PathSeparator)) {
+				return trace.BadParameter("%s: illegal link path", header.Linkname).AddField("prefix", dir)
+			}
+		} else {
+			// relative paths are relative to the filename after extraction to a directory
+			linkPath := filepath.Join(dir, filepath.Dir(header.Name), header.Linkname)
+			if !strings.HasPrefix(linkPath, filepath.Clean(dir)+string(os.PathSeparator)) {
+				return trace.BadParameter("%s: illegal link path", header.Linkname).AddField("prefix", dir)
+			}
 		}
 	}
 	return nil

diff --git a/lib/archive/archive_test.go b/lib/archive/archive_test.go
@@ -280,14 +280,14 @@ func TestSanitizeTarPath(t *testing.T) {
 		{
 			header: &tar.Header{
 				Name:     "test7.txt",
-				Linkname: "/dir/../dir2/test7.txt",
+				Linkname: "./dir/../dir2/test7.txt",
 			},
 			expectError: false,
 		},
 		{
 			header: &tar.Header{
-				Name:     "test8.txt",
-				Linkname: "./dir/test8.txt",
+				Name:     "dir1/test8.txt",
+				Linkname: "dir1/../dir2/test8.txt",
 			},
 			expectError: false,
 		},
@@ -319,6 +319,30 @@ func TestSanitizeTarPath(t *testing.T) {
 			},
 			expectError: true,
 		},
+		// Relative link that remains inside the directory
+		{
+			header: &tar.Header{
+				Name:     "/test/dir/test13.txt",
+				Linkname: "../../test2/dir2/test14.txt",
+			},
+			expectError: false,
+		},
+		// Linkname is absolute path outside extraction directory
+		{
+			header: &tar.Header{
+				Name:     "test14.txt",
+				Linkname: "/test14.txt",
+			},
+			expectError: true,
+		},
+		// Linkname is absolute path inside extraction directory
+		{
+			header: &tar.Header{
+				Name:     "test15.txt",
+				Linkname: "/tmp/test15.txt",
+			},
+			expectError: false,
+		},
 	}
 
 	for _, tt := range cases {

diff --git a/lib/process/proxy.go b/lib/process/proxy.go
@@ -433,11 +433,15 @@ func (t *teleportProxyService) getTLSConfig(clusterName string) (*tls.Config, er
 		Username: constants.OpsCenterUser,
 		Groups:   []string{defaults.SystemAccountOrg},
 	}
+	subject, err := identity.Subject()
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
 	cert, err := tlsAuthority.GenerateCertificate(
 		tlsca.CertificateRequest{
 			Clock:     clockwork.NewRealClock(),
 			PublicKey: cryptoPublicKey,
-			Subject:   identity.Subject(),
+			Subject:   subject,
 			NotAfter:  time.Now().UTC().Add(defaults.CertTTL),
 		})
 	if err != nil {

diff --git a/vendor/github.com/gravitational/teleport/Makefile b/vendor/github.com/gravitational/teleport/Makefile
diff --git a/vendor/github.com/gravitational/teleport/constants.go b/vendor/github.com/gravitational/teleport/constants.go
diff --git a/vendor/github.com/gravitational/teleport/lib/auth/apiserver.go b/vendor/github.com/gravitational/teleport/lib/auth/apiserver.go