Pull request 2656: AG-54304-path-traversal-vuln

Squashed commit of the following:

commit 33991de
Merge: 3f88261 83d8d65
Author: f.setrakov <f.setrakov@adguard.com>
Date:   Fri May 22 16:10:53 2026 +0300

    Merge branch 'master' into AG-54304-path-traversal-vuln

commit 3f88261
Author: f.setrakov <f.setrakov@adguard.com>
Date:   Thu May 21 17:13:37 2026 +0300

    home: imp code

commit 589589f
Author: f.setrakov <f.setrakov@adguard.com>
Date:   Wed May 20 15:42:34 2026 +0300

    all: fix race, imp code

commit 762f073
Author: f.setrakov <f.setrakov@adguard.com>
Date:   Tue May 19 18:13:24 2026 +0300

    all: fix path-traversal vuln

Author: masterkusok

CHANGELOG.md

@@ -54,6 +54,8 @@ See also the [v0.107.75 GitHub milestone][ms-v0.107.75].
 
 ### Security
 
+- Authorization in GLiNET mode is no longer vulnerable to path traversal attacks.
+
 - Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in [1.26.3][go-1.26.3].
 
 - IDs of requests received over DoH and DoQ and forwarded to plain-DNS upstreams are now set to non-zero values to improve security.

internal/home/auth.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"log/slog"
 	"net/http"
+	"os"
 	"time"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/aghuser"
@@ -56,6 +57,10 @@ type authConfig struct {
 	// mux is the server's multiplexer.  It must not be nil.
 	mux *http.ServeMux
 
+	// gliNetTokenRoot is the root where GLiNet tokens are stored.  It must not
+	// be nil if isGLiNet is true.
+	gliNetTokenRoot *os.Root
+
 	// rateLimiter manages the rate limiting for login attempts.  It must not be
 	// nil.
 	rateLimiter loginRateLimiter
@@ -88,6 +93,10 @@ type auth struct {
 	// mux is the server's multiplexer.
 	mux *http.ServeMux
 
+	// gliNetTokenRoot is the root where GLiNet tokens are stored.  It must not
+	// be nil if isGLiNet is true.
+	gliNetTokenRoot *os.Root
+
 	// rateLimiter manages rate limiting for login attempts.
 	rateLimiter loginRateLimiter
 
@@ -133,29 +142,30 @@ func newAuth(ctx context.Context, conf *authConfig) (a *auth, err error) {
 	}
 
 	return &auth{
-		logger:         conf.baseLogger.With(slogutil.KeyPrefix, "auth"),
-		mux:            conf.mux,
-		rateLimiter:    conf.rateLimiter,
-		trustedProxies: conf.trustedProxies,
-		sessions:       s,
-		users:          userDB,
-		doHRoutes:      conf.doHRoutes,
-		isGLiNet:       conf.isGLiNet,
-		isUserless:     len(conf.users) == 0,
+		logger:          conf.baseLogger.With(slogutil.KeyPrefix, "auth"),
+		mux:             conf.mux,
+		rateLimiter:     conf.rateLimiter,
+		trustedProxies:  conf.trustedProxies,
+		gliNetTokenRoot: conf.gliNetTokenRoot,
+		sessions:        s,
+		users:           userDB,
+		doHRoutes:       conf.doHRoutes,
+		isGLiNet:        conf.isGLiNet,
+		isUserless:      len(conf.users) == 0,
 	}, nil
 }
 
 // middleware returns authentication middleware.
 func (a *auth) middleware() (mw httputil.Middleware) {
 	if a.isGLiNet {
 		return newAuthMiddlewareGLiNet(&authMiddlewareGLiNetConfig{
-			logger:          a.logger,
-			mux:             a.mux,
-			clock:           timeutil.SystemClock{},
-			doHRoutes:       a.doHRoutes,
-			tokenFilePrefix: glFilePrefix,
-			ttl:             glTokenTimeout,
-			maxTokenSize:    MaxFileSize,
+			logger:        a.logger,
+			mux:           a.mux,
+			clock:         timeutil.SystemClock{},
+			doHRoutes:     a.doHRoutes,
+			tokenFileRoot: a.gliNetTokenRoot,
+			ttl:           glTokenTimeout,
+			maxTokenSize:  MaxFileSize,
 		})
 	}
 

internal/home/authglinet.go

@@ -18,11 +18,9 @@ import (
 	"github.com/AdguardTeam/golibs/timeutil"
 )
 
-// glFilePrefix is the prefix of the filepath where the authentication token is
-// stored.  Note that it is variable so it can be edited in tests.
-//
-// TODO(s.chzhen):  Make it a constant.
-var glFilePrefix = "/tmp/gl_token_"
+// glFilePrefix is the prefix of the file where the authentication token is
+// stored.
+const glFilePrefix = "gl_token_"
 
 const (
 	// glTokenTimeout is the TTL (Time To Live) of the authentication token.
@@ -54,9 +52,9 @@ type authMiddlewareGLiNetConfig struct {
 	// doHRoutes is a list of DoH routes for public access.
 	doHRoutes []string
 
-	// tokenFilePrefix is the prefix of the filepath where the authentication
-	// token is stored.  It must not be empty.
-	tokenFilePrefix string
+	// tokenFileRoot is the root where GLiNet tokens are stored.  It must not be
+	// nil.
+	tokenFileRoot *os.Root
 
 	// ttl is the TTL (Time To Live) of the authentication token.  It must be
 	// greater than zero.
@@ -70,26 +68,26 @@ type authMiddlewareGLiNetConfig struct {
 // authMiddlewareGLiNet is the GLiNet authentication middleware.  It checks if
 // the request is authenticated using a cookie.
 type authMiddlewareGLiNet struct {
-	logger          *slog.Logger
-	mux             *http.ServeMux
-	clock           timeutil.Clock
-	doHRoutes       []string
-	tokenFilePrefix string
-	ttl             time.Duration
-	maxTokenSize    uint
+	logger        *slog.Logger
+	mux           *http.ServeMux
+	clock         timeutil.Clock
+	doHRoutes     []string
+	tokenFileRoot *os.Root
+	ttl           time.Duration
+	maxTokenSize  uint
 }
 
 // newAuthMiddlewareGLiNet returns the new properly initialized
 // *authMiddlewareGLiNet.
 func newAuthMiddlewareGLiNet(c *authMiddlewareGLiNetConfig) (mw *authMiddlewareGLiNet) {
 	return &authMiddlewareGLiNet{
-		logger:          c.logger,
-		mux:             c.mux,
-		clock:           c.clock,
-		doHRoutes:       c.doHRoutes,
-		tokenFilePrefix: c.tokenFilePrefix,
-		ttl:             c.ttl,
-		maxTokenSize:    c.maxTokenSize,
+		logger:        c.logger,
+		mux:           c.mux,
+		clock:         c.clock,
+		doHRoutes:     c.doHRoutes,
+		tokenFileRoot: c.tokenFileRoot,
+		ttl:           c.ttl,
+		maxTokenSize:  c.maxTokenSize,
 	}
 }
 
@@ -158,8 +156,7 @@ func (mw *authMiddlewareGLiNet) isAuthenticated(ctx context.Context, r *http.Req
 // the time stored in a file named after the token and checks if the token has
 // expired based on that time.
 func (mw *authMiddlewareGLiNet) checkToken(ctx context.Context, token string) (ok bool) {
-	tokenFile := mw.tokenFilePrefix + token
-	tokenDate := mw.tokenDate(ctx, tokenFile)
+	tokenDate := mw.tokenDate(ctx, glFilePrefix+token)
 	now := mw.clock.Now()
 	if now.Before(tokenDate.Add(mw.ttl)) {
 		return true
@@ -173,7 +170,7 @@ func (mw *authMiddlewareGLiNet) checkToken(ctx context.Context, token string) (o
 // tokenDate returns the time stored in the authentication token file.  If there
 // is an error, it logs the error and returns the zero time.
 func (mw *authMiddlewareGLiNet) tokenDate(ctx context.Context, tokenFile string) (t time.Time) {
-	f, err := os.Open(tokenFile)
+	f, err := mw.tokenFileRoot.Open(tokenFile)
 	if err != nil {
 		mw.logger.ErrorContext(ctx, "opening token file", slogutil.KeyError, err)
 

internal/home/authglinet_internal_test.go

@@ -2,12 +2,15 @@ package home
 
 import (
 	"encoding/binary"
+	"io/fs"
 	"net/http"
 	"net/http/httptest"
 	"os"
+	"path/filepath"
 	"testing"
 	"time"
 
+	"github.com/AdguardTeam/golibs/testutil"
 	"github.com/AdguardTeam/golibs/timeutil"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -20,25 +23,42 @@ func TestAuthMiddlewareGLiNet(t *testing.T) {
 		testTTL = 60 * time.Second
 
 		glTokenFileSuffix = "test"
+
+		testPerm fs.FileMode = 0o644
 	)
 
 	tempDir := t.TempDir()
-	glFilePrefix = tempDir + "/gl_token_"
-	glTokenFile := glFilePrefix + glTokenFileSuffix
+	glTokenFolder := filepath.Join(tempDir, "foo")
+	err := os.MkdirAll(glTokenFolder, 0o755)
+	require.NoError(t, err)
+
+	tokenFileRoot, err := os.OpenRoot(glTokenFolder)
+	require.NoError(t, err)
+	testutil.CleanupAndRequireSuccess(t, tokenFileRoot.Close)
+
+	err = os.MkdirAll(filepath.Join(glTokenFolder, glFilePrefix), testPerm)
+	require.NoError(t, err)
+
+	glTokenFile := filepath.Join(glTokenFolder, glFilePrefix+glTokenFileSuffix)
 
 	glFileData := make([]byte, 4)
 	binary.NativeEndian.PutUint32(glFileData, uint32(time.Now().Add(testTTL).Unix()))
 
-	err := os.WriteFile(glTokenFile, glFileData, 0o644)
+	err = os.WriteFile(glTokenFile, glFileData, testPerm)
+	require.NoError(t, err)
+
+	// Mock token file for testing path traversal vulnerability.  See AG-54304.
+	passwdFile := filepath.Join(tempDir, "path_traversal_token")
+	err = os.WriteFile(passwdFile, glFileData, testPerm)
 	require.NoError(t, err)
 
 	mw := newAuthMiddlewareGLiNet(&authMiddlewareGLiNetConfig{
-		logger:          testLogger,
-		mux:             http.NewServeMux(),
-		clock:           timeutil.SystemClock{},
-		tokenFilePrefix: glFilePrefix,
-		maxTokenSize:    MaxFileSize,
-		ttl:             testTTL,
+		logger:        testLogger,
+		mux:           http.NewServeMux(),
+		clock:         timeutil.SystemClock{},
+		tokenFileRoot: tokenFileRoot,
+		maxTokenSize:  MaxFileSize,
+		ttl:           testTTL,
 	})
 
 	h := &testAuthHandler{}
@@ -50,6 +70,12 @@ func TestAuthMiddlewareGLiNet(t *testing.T) {
 	reqInvalidCookie := httptest.NewRequest(http.MethodGet, "/", nil)
 	reqInvalidCookie.AddCookie(&http.Cookie{Name: glCookieName, Value: "invalid_cookie"})
 
+	reqPathTraversalToken := httptest.NewRequest(http.MethodGet, "/", nil)
+	reqPathTraversalToken.AddCookie(&http.Cookie{
+		Name:  glCookieName,
+		Value: "/../../path_traversal_token",
+	})
+
 	testCases := []struct {
 		req      *http.Request
 		name     string
@@ -66,6 +92,10 @@ func TestAuthMiddlewareGLiNet(t *testing.T) {
 		req:      reqInvalidCookie,
 		name:     "invalid_cookie",
 		wantCode: http.StatusFound,
+	}, {
+		req:      reqPathTraversalToken,
+		name:     "path_traversal_token",
+		wantCode: http.StatusFound,
 	}}
 
 	for _, tc := range testCases {

internal/home/authhttp_internal_test.go

@@ -517,6 +517,10 @@ func TestAuth_ServeHTTP_auth(t *testing.T) {
 	writeGLFile(t, tempDir, testTTL)
 	sessionsDB := filepath.Join(tempDir, "sessions.db")
 
+	gliNetRoot, err := os.OpenRoot(tempDir)
+	require.NoError(t, err)
+	testutil.CleanupAndRequireSuccess(t, gliNetRoot.Close)
+
 	mw := &webMw{}
 	baseMux := http.NewServeMux()
 	httpReg := aghhttp.NewDefaultRegistrar(baseMux, mw.wrap)
@@ -529,14 +533,15 @@ func TestAuth_ServeHTTP_auth(t *testing.T) {
 	require.NoError(t, err)
 
 	auth, err := newAuth(testutil.ContextWithTimeout(t, testTimeout), &authConfig{
-		baseLogger:     testLogger,
-		mux:            baseMux,
-		rateLimiter:    emptyRateLimiter{},
-		trustedProxies: testTrustedProxies,
-		dbFilename:     sessionsDB,
-		users:          users,
-		sessionTTL:     testTTL * time.Second,
-		isGLiNet:       false,
+		baseLogger:      testLogger,
+		mux:             baseMux,
+		rateLimiter:     emptyRateLimiter{},
+		trustedProxies:  testTrustedProxies,
+		gliNetTokenRoot: gliNetRoot,
+		dbFilename:      sessionsDB,
+		users:           users,
+		sessionTTL:      testTTL * time.Second,
+		isGLiNet:        false,
 	})
 	require.NoError(t, err)
 
@@ -620,8 +625,7 @@ func TestAuth_ServeHTTP_auth(t *testing.T) {
 func writeGLFile(t *testing.T, tempDir string, testTTL int64) {
 	t.Helper()
 
-	glFilePrefix = tempDir + "/gl_token_"
-	glTokenFile := glFilePrefix + "test"
+	glTokenFile := filepath.Join(tempDir, glFilePrefix+"test")
 
 	glFileData := make([]byte, 4)
 	binary.NativeEndian.PutUint32(glFileData, uint32(time.Now().Unix()+testTTL))