From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 0380A1FF183 for ; Wed, 19 Nov 2025 19:30:46 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 23C7915C1B; Wed, 19 Nov 2025 19:30:51 +0100 (CET) Message-ID: <8686399d-c28c-4ae5-8565-94f5608fdfd6@proxmox.com> Date: Wed, 19 Nov 2025 19:30:46 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Beta To: Proxmox Datacenter Manager development discussion , Lukas Wagner References: <20251119111105.174145-1-l.wagner@proxmox.com> Content-Language: en-US From: Thomas Lamprecht In-Reply-To: <20251119111105.174145-1-l.wagner@proxmox.com> X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1763577016137 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.024 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_SHORT 0.001 Use of a URL Shortener for very short URL RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pdm-devel] [PATCH proxmox] rrd: restrict archive path via regex X-BeenThere: pdm-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Datacenter Manager development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Datacenter Manager development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pdm-devel-bounces@lists.proxmox.com Sender: "pdm-devel" Am 19.11.25 um 12:11 schrieb Lukas Wagner: > The `rel_path` parameter is used as a relative path inside the `rrdb` > base directory to build the final path for the archive file. Usually, > this is something like 'node/localhost/cpu_avg1'. For PBS, this is fine, > since these paths are hardcoded or derived from safe datastore names. In > PDM however, these paths are built from potentially 'untrusted' (as in, > one could 'pretend' to be a PBS/PVE remote and send malicious data) > metric data points - so we should have additional safe guards in place > to disallow potentially dangerous paths like '../abc' which would escape > the base directory. thanks for tackling this. > diff --git a/proxmox-rrd/src/cache.rs b/proxmox-rrd/src/cache.rs > index 29d46ed5..042b4213 100644 > --- a/proxmox-rrd/src/cache.rs > +++ b/proxmox-rrd/src/cache.rs > @@ -8,8 +8,11 @@ use std::thread::spawn; > use std::time::SystemTime; > > use anyhow::{bail, format_err, Error}; > +use const_format::concatcp; > use crossbeam_channel::{bounded, TryRecvError}; > > +use proxmox_schema::api_types::SAFE_ID_REGEX_STR; > +use proxmox_schema::const_regex; > use proxmox_sys::fs::{create_path, CreateOptions}; > > use crate::rrd::{AggregationFn, DataSourceType, Database}; > @@ -21,6 +24,10 @@ use journal::*; > mod rrd_map; > use rrd_map::*; > > +const_regex! { > + DATAPOINT_PATH_REGEX = concatcp!(r"^", SAFE_ID_REGEX_STR, r"(/", SAFE_ID_REGEX_STR, r")+$"); > +} > + > /// RRD cache - keep RRD data in RAM, but write updates to disk > /// > /// This cache is designed to run as single instance (no concurrent > @@ -214,6 +221,10 @@ impl Cache { > dst: DataSourceType, > new_only: bool, > ) -> Result<(), Error> { > + if !DATAPOINT_PATH_REGEX.is_match(rel_path) { Hmm, not really sure if we want to couple this to SAFE_ID here, especially if the main goal is to avoid breaking out the filesystem. This approach could probably get away with forbidding `../` explicitly. That said, IMO this is a bit overfitted to the current usage and problem, we have quite a few other public function that allow passing rel_path, which might be used in the future for these things. For these it's IMO often better to ensure the actual file operations are contained, i.e. open these rel_path's using openat2 [0] with a dirfd from the basedir directory and the open_how RESOLVE_BENEATH mode used, so that it's anchored to the correct directory. nix has bindings for this syscall [1]. We could combine that with your approach (favoring just bailing on matching "../") to get some better UX, but the "definitive" protection would come from the openat2 usage. [0]: man openat2 or https://manpages.debian.org/trixie/manpages-dev/openat2.2.en.html [1]: https://docs.rs/nix/latest/nix/fcntl/fn.openat2.html > + bail!("invalid datapoint path: {rel_path}"); > + } > + > let journal_applied = self.apply_journal()?; > > self.state _______________________________________________ pdm-devel mailing list pdm-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pdm-devel