add check for symlinks, disallow all symlinks

Author: sean-breen

go.mod

@@ -2,7 +2,7 @@ module github.com/nginx/agent/v3
 
 go 1.23.7
 
-toolchain go1.24.4
+toolchain go1.23.10
 
 require (
 	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.4-20250130201111-63bb56e20495.1

internal/config/types.go

@@ -436,11 +436,23 @@ func isAllowedDir(path string, allowedDirs []string) bool {
 		slog.Debug("File path detected, checking parent directory is allowed", "path", directoryPath)
 	}
 
-	_, err = os.Stat(directoryPath)
+	fInfo, err := os.Stat(directoryPath)
 	if err != nil {
 		slog.Warn("Path error", "path", path, "error", err)
 	}
 
+	if fInfo != nil {
+		//check if it contains a symlink
+		lInfo, err := os.Lstat(directoryPath)
+		if err != nil {
+			slog.Warn("Lstat error", "path", path, "error", err)
+		}
+		if lInfo != nil && lInfo.Mode()&os.ModeSymlink != 0 {
+			slog.Warn("Path is a symlink, not allowed", "path", path)
+			return false
+		}
+	}
+
 	for _, allowedDirectory := range allowedDirs {
 		// Check if the directoryPath starts with the allowedDirectory
 		// This allows for subdirectories within the allowed directories.

internal/config/types_test.go

@@ -6,6 +6,8 @@
 package config
 
 import (
+	"github.com/stretchr/testify/require"
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -74,4 +76,33 @@ func TestTypes_isAllowedDir(t *testing.T) {
 			assert.Equal(t, test.allowed, result)
 		})
 	}
+
+	t.Run("Symlink in allowed directory", func(t *testing.T) {
+		allowedDirs := []string{"/etc/nginx"}
+		filePath := "file.conf"
+		symlinkPath := "file_link"
+
+		// Create a temp directory for the symlink
+		tempDir, err := os.MkdirTemp("", "symlink_test")
+		assert.NoError(t, err)
+		defer os.RemoveAll(tempDir) // Clean up the temp directory after the test
+
+		// Ensure the temp directory is in the allowedDirs
+		allowedDirs = append(allowedDirs, tempDir)
+
+		//create filePath
+		filePath = tempDir + "/" + filePath
+		defer os.RemoveAll(filePath)
+		err = os.WriteFile(filePath, []byte("test content"), 0644)
+		require.NoError(t, err)
+
+		// Create a symlink for testing
+		symlinkPath = tempDir + "/" + symlinkPath
+		defer os.Remove(symlinkPath)
+		err = os.Symlink(filePath, symlinkPath)
+		assert.NoError(t, err)
+
+		result := isAllowedDir(symlinkPath, allowedDirs)
+		assert.False(t, result, "Symlink in allowed directory should return false")
+	})
 }