receiver, compactor, sidecar: use os.Root API#8797
Open
guidonguido wants to merge 3 commits intothanos-io:mainfrom
Signed-off-by: Guido Ricioppo <griciopp@redhat.com>
ac9a3ff to 1a4f445
Signed-off-by: Guido Ricioppo <griciopp@redhat.com>
Defer compactDir close to goroutine end
Signed-off-by: Guido Ricioppo <griciopp@redhat.com>
Signed-off-by: Guido Ricioppo <griciopp@redhat.com>
1a4f445 to a662f3e
Fixes #8103
Issue
Current os filesystem access methods do not prevent accidental path traversal access, so directory operations based on user input may access unintended paths.
Changes
Force the use of os.Root to confine access to subdirectories only to the root working folder of the specific service.
Approach
Receiver, Sidecar: long-lived os.Root. The data directory persists for the entire service lifetime, so the Root is stored in the owning struct.
Compactor: transient os.Root. The compaction dir is fully removed after each compaction iteration, so the Root dir is opened on-demand.
Analysis
Receiver: real protection from user input, since the tenant directory paths are retrieved from the tenant IDs, derived either from HTTP header, TLS cert or metric label.
Compactor: no path is composed from user input. The change only prevents accidental use on the codebase side.
Sidecar: as compactor.
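The confinement described in the PR body, as an added, self-contained example rather than Thanos code. It assumes Go 1.24 or later (where os.OpenRoot exists) and builds a constructed scratch layout: a data directory that plays the role of a service's working folder, a sibling directory that must stay unreachable, and a symlink inside the data directory that points outside it. The helper names (Fixture, LexicalCheckEscapes, ConfinedMkdir, Evaluate) and the tenant IDs are hypothetical. Evaluate follows the transient pattern the PR uses for the compactor (open the Root for one unit of work, close it afterwards); the receiver's long-lived pattern is the same API with the *os.Root kept in the owning struct instead. The lexical check is included only to show what os.Root replaces: it catches ".." but cannot see the symlink escape, which os.Root refuses.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Fixture builds a constructed scratch layout for the example (not a real deployment):
//   <base>/data          the directory os.Root will confine access to
//   <base>/outside       a sibling directory that must stay unreachable
//   <base>/data/escape   a symlink inside data pointing at <base>/outside
func Fixture() (dataDir string, cleanup func(), err error) {
	base, err := os.MkdirTemp("", "osroot-example")
	if err != nil {
		return "", nil, err
	}
	cleanup = func() { os.RemoveAll(base) }
	dataDir = filepath.Join(base, "data")
	outside := filepath.Join(base, "outside")
	for _, d := range []string{dataDir, outside} {
		if err := os.Mkdir(d, 0o755); err != nil {
			cleanup()
			return "", nil, err
		}
	}
	if err := os.Symlink(outside, filepath.Join(dataDir, "escape")); err != nil {
		cleanup()
		return "", nil, err
	}
	return dataDir, cleanup, nil
}

// LexicalCheckEscapes is the kind of check os.Root replaces: it cleans the joined
// path and asks whether it still lies under dataDir. It catches ".." components
// but is blind to symlinks, because it never touches the filesystem.
func LexicalCheckEscapes(dataDir, relPath string) bool {
	rel, err := filepath.Rel(dataDir, filepath.Join(dataDir, relPath))
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ConfinedMkdir creates (or reuses) relPath strictly inside root. os.Root resolves
// each component relative to the root directory itself, so "..", absolute paths
// and symlinks that leave the root are refused. It returns true only when the
// directory exists inside the root; any refusal surfaces as (false, err).
func ConfinedMkdir(root *os.Root, relPath string) (bool, error) {
	err := root.Mkdir(relPath, 0o755)
	if err == nil {
		return true, nil
	}
	if errors.Is(err, os.ErrExist) {
		fi, statErr := root.Stat(relPath) // confirm it is a directory inside the root
		if statErr != nil {
			return false, statErr
		}
		return fi.IsDir(), nil
	}
	return false, err // includes "path escapes from parent"
}

// Evaluate follows the transient-Root pattern: open the root for one unit of work,
// route every path operation through it, then close it. The IDs are constructed
// inputs standing in for untrusted tenant identifiers.
func Evaluate(dataDir string) (map[string]bool, error) {
	root, err := os.OpenRoot(dataDir)
	if err != nil {
		return nil, err
	}
	defer root.Close()
	ids := []string{"tenant-a", "../outside/tenant-b", "escape/tenant-c"}
	out := make(map[string]bool, len(ids))
	for _, id := range ids {
		ok, err := ConfinedMkdir(root, id)
		if err != nil {
			fmt.Printf("%-22s refused: %v\n", id, err)
		}
		out[id] = ok
	}
	return out, nil
}

func main() {
	dataDir, cleanup, err := Fixture()
	if err != nil {
		panic(err)
	}
	defer cleanup()
	res, err := Evaluate(dataDir)
	if err != nil {
		panic(err)
	}
	for _, id := range []string{"tenant-a", "../outside/tenant-b", "escape/tenant-c"} {
		fmt.Printf("%-22s lexical-check-escapes=%v os.Root-allowed=%v\n",
			id, LexicalCheckEscapes(dataDir, id), res[id])
	}
}
```

Running it shows "tenant-a" allowed by both checks, "../outside/tenant-b" flagged by both, and "escape/tenant-c" passing the lexical check yet refused by os.Root. The same ConfinedMkdir works unchanged with a Root held for the process lifetime, which is the receiver and sidecar arrangement in the PR.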