Prevent writing outside allowed directories list from a config payload with actions (#766)

* added AllowedDirectories to agent details, added tests for allowed directories

Author: oliveromahony

Makefile

@@ -176,10 +176,11 @@ $(TEST_BUILD_DIR):
 
 # Unit tests
 unit-test: $(TEST_BUILD_DIR) test-core test-plugins test-sdk test-extensions ## Run unit tests
-	echo 'mode: atomic' > $(TEST_BUILD_DIR)/coverage.out
-	tail -q -n +2 $(TEST_BUILD_DIR)/*_coverage.out >> $(TEST_BUILD_DIR)/coverage.out
-	go tool cover -html=$(TEST_BUILD_DIR)/coverage.out -o $(TEST_BUILD_DIR)/coverage.html
-	@printf "\nTotal code coverage: " && go tool cover -func=$(TEST_BUILD_DIR)/coverage.out | grep 'total:' | awk '{print $$3}'
+	@tail -q -n +2 $(TEST_BUILD_DIR)/*_coverage.out >> $(TEST_BUILD_DIR)/tmp_coverage.out
+	@echo 'mode: atomic' > $(TEST_BUILD_DIR)/coverage.out
+	@cat $(TEST_BUILD_DIR)/tmp_coverage.out | grep -v ".pb.go" | grep -v ".gen.go" | grep -v ".pb.validate.go" | grep -v "fake_" | grep -v "_mock.go" | grep -v "_stub.go" >> $(TEST_BUILD_DIR)/coverage.out
+	@go tool cover -html=$(TEST_BUILD_DIR)/coverage.out -o $(TEST_BUILD_DIR)/coverage.html
+	@printf "\nTotal code coverage: " && $(GOTOOL) cover -func=$(TEST_BUILD_DIR)/coverage.out | grep 'total:' | awk '{print $$3}'
 
 test-core: $(TEST_BUILD_DIR) ## Run core unit tests
 	GOWORK=off CGO_ENABLED=0 go test -count=1 -coverprofile=$(TEST_BUILD_DIR)/core_coverage.out -covermode count ./src/core/...

docs/proto/proto.md

@@ -215,6 +215,7 @@ Represents agent details. This message is sent from the management server to the
 | tags | [string](#string) | repeated | List of tags |
 | alias | [string](#string) |  | Alias name for the agent |
 | server | [Server](#f5-nginx-agent-sdk-Server) |  | Server setting for the agent |
+| allowed_directories | [string](#string) | repeated | List of allowed directories that the Agent can write to |
 
 
 

sdk/proto/agent.pb.go

@@ -82,6 +82,8 @@ message AgentDetails {
   string alias = 4 [(gogoproto.jsontag) = "alias"];
   // Server setting for the agent
   Server server = 5 [(gogoproto.jsontag) = "server"];
+  // List of allowed directories that the Agent can write to
+  repeated string allowed_directories = 6 [(gogoproto.jsontag) = "allowed_directories"];
 }
 
 message Server {

sdk/proto/agent.proto

@@ -38,6 +38,16 @@ type Config struct {
 	QueueSize             int                 `mapstructure:"queue_size" yaml:"queue_size,omitempty"`
 }
 
+func (c *Config) AllowedDirectories() []string {
+	values := []string{}
+
+	// Iterate through the map and append keys to the slice
+	for key := range c.AllowedDirectoriesMap {
+		values = append(values, key)
+	}
+	return values
+}
+
 func (c *Config) IsGrpcServerConfigured() bool {
 	return c.Server.Host != "" && c.Server.GrpcPort != 0
 }

src/core/config/types.go

@@ -732,6 +732,16 @@ func TestWriteFilesNotAllowed(t *testing.T) {
 			Contents:    []byte("multi"),
 			Permissions: "0644",
 		},
+		{
+			Name:        "etc/shadow/multiple1.conf",
+			Contents:    []byte("shadowfile2"),
+			Permissions: "0644",
+		},
+		{
+			Name:        "/hello.conf",
+			Contents:    []byte("rootfile"),
+			Permissions: "0644",
+		},
 	}
 	backup, err := sdk.NewConfigApplyWithIgnoreDirectives("", nil, []string{})
 	assert.NoError(t, err)

src/core/environment_test.go

@@ -502,6 +502,11 @@ func (n *NginxBinaryType) writeConfigWithWithFileActions(
 		return nil, err
 	}
 
+	confDir := filepath.Dir(details.ConfPath)
+	if err := ensureFilesAllowed(confFiles, n.config.AllowedDirectoriesMap, confDir); err != nil {
+		return configApply, err
+	}
+
 	for _, file := range confFiles {
 		rootDirectoryPath := filepath.Dir(details.ConfPath)
 		fileFullPath := file.Name
@@ -519,6 +524,10 @@ func (n *NginxBinaryType) writeConfigWithWithFileActions(
 		}
 	}
 
+	if err := ensureFilesAllowed(auxFiles, n.config.AllowedDirectoriesMap, confDir); err != nil {
+		return configApply, err
+	}
+
 	for _, file := range auxFiles {
 		rootDirectoryPath := config.GetZaux().GetRootDirectory()
 		fileFullPath := file.Name

src/core/nginx.go

@@ -229,6 +229,7 @@ func (r *OneTimeRegistration) registerAgent() {
 								MaxElapsedTime:      r.config.Server.Backoff.MaxElapsedTime.Milliseconds(),
 							},
 						},
+						AllowedDirectories: r.config.AllowedDirectories(),
 					},
 				},
 				Details:                  details,