fs: Scope all DirFS operations through os.Root (#2187)

This runs all filesystem operations of DirFS through an `os.Root`
instance to prevent any kind of path-traversal outside of that root,
either through walking the paths directly or through following symlinks.

Behavior has largerly been preserved. Notable mentions are:

- `Mknode`: There's no `Mknodat` for non-linux targets but this likely
was the effective behavior beforehand as well. We used to gracefully
handle errors by writing empty files. That behavior is preserved across
platforms.
- `Chmod`/`Chown`: We used to ignore all errors due to filesystem
incompatibilities and the presence of the in-memory overlay. We're now
only ignoring errors that point to those incompatibilities and are
surfacing any other errors to the callers.

Author: markusthoemmes

pkg/apk/apk/path_traversal_test.go

@@ -88,6 +88,257 @@ func TestPathTraversalHardlink(t *testing.T) {
 	}
 }
 
+// TestSymlinkEscape_FileThroughAbsoluteSymlink covers the classic symlink-escape
+// shape: a malicious APK plants a symlink inside the image whose target is an
+// absolute path pointing outside the rootfs, then a regular file whose tar
+// header name traverses that symlink. The install must fail and the outside
+// path must remain untouched.
+func TestSymlinkEscape_FileThroughAbsoluteSymlink(t *testing.T) {
+	ctx := t.Context()
+
+	sandbox := t.TempDir()
+	base := filepath.Join(sandbox, "base")
+	outsideDir := filepath.Join(sandbox, "outside")
+	outsideFile := filepath.Join(outsideDir, "pwned")
+	if err := os.MkdirAll(outsideDir, 0o755); err != nil {
+		t.Fatal(err)
+	}
+
+	fsys := apkfs.DirFS(ctx, base, apkfs.WithCreateDir())
+	if fsys == nil {
+		t.Fatalf("failed to create dirfs for base %s", base)
+	}
+
+	a, err := New(ctx, WithFS(fsys))
+	if err != nil {
+		t.Fatalf("apk.New: %v", err)
+	}
+
+	r, err := makeSymlinkThenFileTar("evil", outsideDir, "evil/pwned", []byte("malicious"))
+	if err != nil {
+		t.Fatalf("makeSymlinkThenFileTar: %v", err)
+	}
+
+	if _, err := a.installAPKFiles(ctx, r, &Package{}); err == nil {
+		t.Fatalf("expected installAPKFiles to fail, but it succeeded")
+	}
+
+	if _, statErr := os.Stat(outsideFile); statErr == nil {
+		t.Fatalf("expected %s to not exist after fix", outsideFile)
+	}
+}
+
+// TestSymlinkEscape_FileThroughRelativeSymlink is the ../outside variant.
+func TestSymlinkEscape_FileThroughRelativeSymlink(t *testing.T) {
+	ctx := t.Context()
+
+	sandbox := t.TempDir()
+	base := filepath.Join(sandbox, "base")
+	outsideDir := filepath.Join(sandbox, "outside")
+	outsideFile := filepath.Join(outsideDir, "pwned")
+	if err := os.MkdirAll(outsideDir, 0o755); err != nil {
+		t.Fatal(err)
+	}
+
+	fsys := apkfs.DirFS(ctx, base, apkfs.WithCreateDir())
+	if fsys == nil {
+		t.Fatalf("failed to create dirfs for base %s", base)
+	}
+
+	a, err := New(ctx, WithFS(fsys))
+	if err != nil {
+		t.Fatalf("apk.New: %v", err)
+	}
+
+	r, err := makeSymlinkThenFileTar("evil", "../outside", "evil/pwned", []byte("malicious"))
+	if err != nil {
+		t.Fatalf("makeSymlinkThenFileTar: %v", err)
+	}
+
+	if _, err := a.installAPKFiles(ctx, r, &Package{}); err == nil {
+		t.Fatalf("expected installAPKFiles to fail, but it succeeded")
+	}
+
+	if _, statErr := os.Stat(outsideFile); statErr == nil {
+		t.Fatalf("expected %s to not exist after fix", outsideFile)
+	}
+}
+
+// TestSymlinkEscape_MkdirAllThroughSymlink plants a symlink whose target is an
+// outside directory, then a TypeDir entry traversing the symlink. MkdirAll
+// must not merge new dirs into the outside location.
+func TestSymlinkEscape_MkdirAllThroughSymlink(t *testing.T) {
+	ctx := t.Context()
+
+	sandbox := t.TempDir()
+	base := filepath.Join(sandbox, "base")
+	outsideDir := filepath.Join(sandbox, "outside")
+	outsideSub := filepath.Join(outsideDir, "sub")
+	if err := os.MkdirAll(outsideDir, 0o755); err != nil {
+		t.Fatal(err)
+	}
+
+	fsys := apkfs.DirFS(ctx, base, apkfs.WithCreateDir())
+	if fsys == nil {
+		t.Fatalf("failed to create dirfs for base %s", base)
+	}
+
+	a, err := New(ctx, WithFS(fsys))
+	if err != nil {
+		t.Fatalf("apk.New: %v", err)
+	}
+
+	r, err := makeSymlinkThenDirTar("evil", outsideDir, "evil/sub")
+	if err != nil {
+		t.Fatalf("makeSymlinkThenDirTar: %v", err)
+	}
+
+	if _, err := a.installAPKFiles(ctx, r, &Package{}); err == nil {
+		t.Fatalf("expected installAPKFiles to fail, but it succeeded")
+	}
+
+	if _, statErr := os.Stat(outsideSub); statErr == nil {
+		t.Fatalf("expected %s to not exist after fix", outsideSub)
+	}
+}
+
+// TestSymlinkEscape_HardlinkThroughSymlink validates the hardlink path: the
+// prior GHSA guarded target-side escapes, but the newname side could still be
+// redirected through an attacker-planted symlink.
+func TestSymlinkEscape_HardlinkThroughSymlink(t *testing.T) {
+	ctx := t.Context()
+
+	sandbox := t.TempDir()
+	base := filepath.Join(sandbox, "base")
+	outsideDir := filepath.Join(sandbox, "outside")
+	outsideLinked := filepath.Join(outsideDir, "linked")
+	if err := os.MkdirAll(outsideDir, 0o755); err != nil {
+		t.Fatal(err)
+	}
+
+	fsys := apkfs.DirFS(ctx, base, apkfs.WithCreateDir())
+	if fsys == nil {
+		t.Fatalf("failed to create dirfs for base %s", base)
+	}
+
+	a, err := New(ctx, WithFS(fsys))
+	if err != nil {
+		t.Fatalf("apk.New: %v", err)
+	}
+
+	r, err := makeHardlinkThroughSymlinkTar("legit", "evil", outsideDir, "evil/linked")
+	if err != nil {
+		t.Fatalf("makeHardlinkThroughSymlinkTar: %v", err)
+	}
+
+	if _, err := a.installAPKFiles(ctx, r, &Package{}); err == nil {
+		t.Fatalf("expected installAPKFiles to fail, but it succeeded")
+	}
+
+	if _, statErr := os.Lstat(outsideLinked); statErr == nil {
+		t.Fatalf("expected %s to not exist after fix", outsideLinked)
+	}
+}
+
+func makeSymlinkThenFileTar(symlinkName, symlinkTarget, fileName string, content []byte) (*bytes.Reader, error) {
+	var buf bytes.Buffer
+	tw := tar.NewWriter(&buf)
+
+	if err := tw.WriteHeader(&tar.Header{
+		Name:     symlinkName,
+		Linkname: symlinkTarget,
+		Typeflag: tar.TypeSymlink,
+		Mode:     0o777,
+	}); err != nil {
+		return nil, err
+	}
+
+	if err := tw.WriteHeader(&tar.Header{
+		Name:     fileName,
+		Typeflag: tar.TypeReg,
+		Mode:     0o644,
+		Size:     int64(len(content)),
+	}); err != nil {
+		return nil, err
+	}
+	if _, err := tw.Write(content); err != nil {
+		return nil, err
+	}
+
+	if err := tw.Close(); err != nil {
+		return nil, err
+	}
+	return bytes.NewReader(buf.Bytes()), nil
+}
+
+func makeSymlinkThenDirTar(symlinkName, symlinkTarget, dirName string) (*bytes.Reader, error) {
+	var buf bytes.Buffer
+	tw := tar.NewWriter(&buf)
+
+	if err := tw.WriteHeader(&tar.Header{
+		Name:     symlinkName,
+		Linkname: symlinkTarget,
+		Typeflag: tar.TypeSymlink,
+		Mode:     0o777,
+	}); err != nil {
+		return nil, err
+	}
+
+	if err := tw.WriteHeader(&tar.Header{
+		Name:     dirName,
+		Typeflag: tar.TypeDir,
+		Mode:     0o755,
+	}); err != nil {
+		return nil, err
+	}
+
+	if err := tw.Close(); err != nil {
+		return nil, err
+	}
+	return bytes.NewReader(buf.Bytes()), nil
+}
+
+func makeHardlinkThroughSymlinkTar(regularName, symlinkName, symlinkTarget, hardlinkName string) (*bytes.Reader, error) {
+	var buf bytes.Buffer
+	tw := tar.NewWriter(&buf)
+
+	content := []byte("legitimate")
+	if err := tw.WriteHeader(&tar.Header{
+		Name:     regularName,
+		Typeflag: tar.TypeReg,
+		Mode:     0o644,
+		Size:     int64(len(content)),
+	}); err != nil {
+		return nil, err
+	}
+	if _, err := tw.Write(content); err != nil {
+		return nil, err
+	}
+
+	if err := tw.WriteHeader(&tar.Header{
+		Name:     symlinkName,
+		Linkname: symlinkTarget,
+		Typeflag: tar.TypeSymlink,
+		Mode:     0o777,
+	}); err != nil {
+		return nil, err
+	}
+
+	if err := tw.WriteHeader(&tar.Header{
+		Name:     hardlinkName,
+		Linkname: regularName,
+		Typeflag: tar.TypeLink,
+		Mode:     0o644,
+	}); err != nil {
+		return nil, err
+	}
+
+	if err := tw.Close(); err != nil {
+		return nil, err
+	}
+	return bytes.NewReader(buf.Bytes()), nil
+}
+
 func makeTestTar(dirName, symlinkName, symlinkTarget string) (*bytes.Reader, error) {
 	var buf bytes.Buffer
 	tw := tar.NewWriter(&buf)