-
Notifications
You must be signed in to change notification settings - Fork 275
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Metadata API: Delegation role names validation #1527
Comments
I don't know of specific problems with using these as urls (although those might exist as well), but the obvious problems are in client using the rolename as part of a local file name (this is not just how the reference client is implemented, the spec seems to require doing this): in this client case role names like I don't think think escaping is enough: we probably should not allow rolenames with any of |
Ah, yeah, by and large I agree. In the case of Sigstore delegations to projects, e.g. |
Maybe this should be part of the filesystem API? That way Although, these role names are in signed metadata, so it might be reasonable to just trust the delegator to know what a reasonable role name is for a particular situation. |
I'm not suggesting banning e.g. dots because filesystems can't cope with them (they certainly can). But if you implement clients/repository tools that use the filesystem to store metadata, you end up with code that writes a lot of files with either "ROLENAME.EXT" or "VERSION.ROLENAME.EXT". So let's assume there is a file In other words, I don't think this is just a filesystem compatibility issue, I think it's a "this may lead to bugs or vulnerabilities because the spec demands using role name as filename - issue". It could be I'm overreacting but I definitely have to review all of my own file saving code with this in mind... |
Yeah I can see really reasonable use cases here... preventing this does seem bad. Maybe we need to think about changing the filename aspect instead: either review all the possible conflicting cases WRT versions and names or use something safe as filename (straw man suggestion: rolename hashes as filenames) |
Ugh, what a case. Yeah, this turns hairy. You could say we expect that if there's a . then interpret that as a VERSION, but then we get really weird parsing rules like, we expect rolenames to start with an ^[0-9] character, or say we only expect [a-z], _ that end up limiting our possible name and uses of URLs.
Yeah interesting! This all be solved by having the delegation object include a |
Clients should not store consistent snapshots of metadata with version numbers in the filename, but this may complicate consistent snapshots on the server side. You may see funny things like I'm not sure this is a security issue: as long as one cannot forge keys, we should be ok, but need to think about this a bit more. |
spec say does say that, you are right... but one of the reasons I noticed this was that I was planning to store versioned files for root as it would help with bootstrapping from a "more" trusted root (#1168). Since "1.root" is also a valid rolename, this obviously isn't currently safe -- and I don't think this is immediately obvious to a client developer: it wasn't to me.
For the client, I'm not yet convinced: A rolename like "../../filename" could mean a badly written client might overwrite a file in my home directory when I just queried some target info, didn't even download anything. I don't think "but that requires repository key compromise" is a good enough explanation at that point. I'm actually not sure what a well written client should do with role "../../filename" |
Agreed. I think we should able to define good rolenames without opening any funny path-traversal attacks. A regex that allows for simple rolenames but also GitHub repos should work. Might be a bit too restrictive to keep absolutely everybody happy, but better than allowing nothing complicated, and also safe. What does everyone think? |
And also, obviously, this becomes a https://github.com/theupdateframework/specification rather than implementation-specific issue |
Collecting some observations from the thread:
My thinking right now is that the spec can not both require using rolenames as filenames and say that rolenames are arbitrary strings: it's impossible to implement safely or reliably. In fact spec should not require the storage format anyway: we already know implementations might not use files at all (see Warehouse). Possibly a complementary "implementor notes" document should instead explain the issues and offer advice. As for this immediate Metadata API implemention issue (how do we validate rolenames): I guess we don't (since I believe we don't want to prevent arbitrary strings as rolenames):
We could still prevent delegated roles names being any of the toplevel role names -- it might prevent some weird corner cases from happening |
@jku I agree with all of your thoughts here.
With this, I think we have specified this issue scope and split it into two. |
yeah agreed.
|
Description of issue or feature request:
Delegation role names are not restricted in any way in the spec, but they are targets metadata role names.
They could be
"."
,"../../filename"
or1.role
.The problem is that at some point those delegation role names are used when constructing an URL used
to download the delegated target metadata file:
https://github.com/theupdateframework/tuf/blob/e9106b59cdb5bbfb4260c5ffc3144e79f8f9596a/tuf/ngclient/updater.py#L287 which is likely to be a problem.
Current behavior:
No validation is used for Delegation role names.
Expected behavior:
Escape special symbols like
.
or\
.The text was updated successfully, but these errors were encountered: