[GitHub] [arrow-ballista] avantgardnerio commented on a diff in pull request #468: Add some validation for remove_job_data in the executor server

GitBox Fri, 28 Oct 2022 19:06:54 -0700


avantgardnerio commented on code in PR #468:
URL: https://github.com/apache/arrow-ballista/pull/468#discussion_r1008607442



##########
ballista/executor/src/executor_server.rs:
##########
@@ -720,13 +720,45 @@ impl<T: 'static + AsLogicalPlan, U: 'static + 
AsExecutionPlan> ExecutorGrpc
         request: Request<RemoveJobDataParams>,
     ) -> Result<Response<RemoveJobDataResult>, Status> {
         let job_id = request.into_inner().job_id;
+        info!("Remove data for job {:?}", job_id);
+
+        // Verify whether it's a legal job id
+        {
+            if job_id.is_empty() {
+                return Err(Status::internal(
+                    "Job id should not be empty!!!".to_string(),
+                ));
+            }
+            if job_id.contains('.') {

Review Comment:
   This is to prevent files with extensions? Or parent directories?



##########
ballista/executor/src/executor_server.rs:
##########
@@ -720,13 +720,45 @@ impl<T: 'static + AsLogicalPlan, U: 'static + 
AsExecutionPlan> ExecutorGrpc
         request: Request<RemoveJobDataParams>,
     ) -> Result<Response<RemoveJobDataResult>, Status> {
         let job_id = request.into_inner().job_id;
+        info!("Remove data for job {:?}", job_id);
+
+        // Verify whether it's a legal job id
+        {

Review Comment:
   Why the redundant scope?



##########
ballista/executor/src/executor_server.rs:
##########
@@ -720,13 +720,45 @@ impl<T: 'static + AsLogicalPlan, U: 'static + 
AsExecutionPlan> ExecutorGrpc
         request: Request<RemoveJobDataParams>,
     ) -> Result<Response<RemoveJobDataResult>, Status> {
         let job_id = request.into_inner().job_id;
+        info!("Remove data for job {:?}", job_id);
+
+        // Verify whether it's a legal job id
+        {
+            if job_id.is_empty() {
+                return Err(Status::internal(
+                    "Job id should not be empty!!!".to_string(),
+                ));
+            }
+            if job_id.contains('.') {
+                return Err(Status::internal(format!(
+                    "Job id {} should not contain char '.'!!!",
+                    job_id
+                )));
+            }
+        }
+
         let work_dir = self.executor.work_dir.clone();
         let mut path = PathBuf::from(work_dir);
-        path.push(job_id.clone());
-        if path.is_dir() {
-            info!("Remove data for job {:?}", job_id);
-            std::fs::remove_dir_all(&path)?;
+        path.push(job_id);
+
+        // Verify whether the path is for an existing directory
+        {
+            if !path.exists() {
+                return Err(Status::internal(format!(
+                    "Path {:?} does not exist!!!",
+                    path
+                )));
+            }
+            if !path.is_dir() {
+                return Err(Status::internal(format!(
+                    "Path {:?} is not for a directory!!!",
+                    path
+                )));
+            }
         }
+
+        std::fs::remove_dir_all(&path)?;

Review Comment:
   According to [the 
docs](https://doc.rust-lang.org/std/path/struct.PathBuf.html) we have a 
vulnerability here: 
   
   ```
   if self has a verbatim prefix (e.g. \\?\C:\windows) and path is not empty, 
the new path is normalized: all references to . and .. are removed.
   ```
   
   I can bypass the `.` string check on Windows by doing a `\\?`. It is 
impossible to validate directories at a string level. The missing check is to 
fully normalize this directory, then check if the normalized directory is a 
subdirectory of the `work_dir`.



##########
ballista/executor/src/executor_server.rs:
##########
@@ -720,13 +720,45 @@ impl<T: 'static + AsLogicalPlan, U: 'static + 
AsExecutionPlan> ExecutorGrpc
         request: Request<RemoveJobDataParams>,
     ) -> Result<Response<RemoveJobDataResult>, Status> {
         let job_id = request.into_inner().job_id;
+        info!("Remove data for job {:?}", job_id);
+
+        // Verify whether it's a legal job id
+        {
+            if job_id.is_empty() {
+                return Err(Status::internal(
+                    "Job id should not be empty!!!".to_string(),
+                ));
+            }
+            if job_id.contains('.') {
+                return Err(Status::internal(format!(
+                    "Job id {} should not contain char '.'!!!",
+                    job_id
+                )));
+            }
+        }
+
         let work_dir = self.executor.work_dir.clone();
         let mut path = PathBuf::from(work_dir);
-        path.push(job_id.clone());
-        if path.is_dir() {
-            info!("Remove data for job {:?}", job_id);
-            std::fs::remove_dir_all(&path)?;
+        path.push(job_id);

Review Comment:
   Love the `work_dir` subdirectory check... that's the critical vulnerability 
here.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

[GitHub] [arrow-ballista] avantgardnerio commented on a diff in pull request #468: Add some validation for remove_job_data in the executor server

Reply via email to