JCLOUDS-612: Securely create temporary directories

This commit addresses a potential security issue where an attacker
could hijack the ScriptBuilder payload by predicting the temporary
directory name.
This commit is contained in:
Andrew Gaul 2014-06-19 14:20:26 -07:00
parent 7f2845349c
commit 0cb2a1563d
6 changed files with 24 additions and 23 deletions

View File

@ -227,11 +227,11 @@ END_OF_JCLOUDS_SCRIPT
installOpenJDK || return 1 installOpenJDK || return 1
iptables -I INPUT 1 -p tcp --dport 8080 -j ACCEPT iptables -I INPUT 1 -p tcp --dport 8080 -j ACCEPT
iptables-save iptables-save
mkdir /tmp/$$ export TAR_TEMP="$(mktemp -d)"
curl -q -s -S -L --connect-timeout 10 --max-time 600 --retry 20 -X GET http://archive.eclipse.org/jetty/8.1.8.v20121106/dist/jetty-distribution-8.1.8.v20121106.tar.gz |(mkdir -p /tmp/$$ &&cd /tmp/$$ &&tar -xpzf -) curl -q -s -S -L --connect-timeout 10 --max-time 600 --retry 20 -X GET http://archive.eclipse.org/jetty/8.1.8.v20121106/dist/jetty-distribution-8.1.8.v20121106.tar.gz |(mkdir -p "${TAR_TEMP}" &&cd "${TAR_TEMP}" &&tar -xpzf -)
mkdir -p /usr/local/jetty mkdir -p /usr/local/jetty
mv /tmp/$$/*/* /usr/local/jetty mv "${TAR_TEMP}"/*/* /usr/local/jetty
rm -rf /tmp/$$ rm -rf "${TAR_TEMP}"
chown -R web /usr/local/jetty chown -R web /usr/local/jetty
END_OF_JCLOUDS_SCRIPT END_OF_JCLOUDS_SCRIPT

View File

@ -189,11 +189,12 @@ public class Statements {
*/ */
public static Statement extractTargzAndFlattenIntoDirectory(URI tgz, String dest) { public static Statement extractTargzAndFlattenIntoDirectory(URI tgz, String dest) {
return new StatementList(ImmutableSet.<Statement> builder() return new StatementList(ImmutableSet.<Statement> builder()
.add(exec("mkdir /tmp/$$")) .add(exec("export TAR_TEMP=\"$(mktemp -d)\""))
.add(extractTargzIntoDirectory(tgz, "/tmp/$$")) .add(extractTargzIntoDirectory(tgz, "\"${TAR_TEMP}\""))
.add(exec("mkdir -p " + dest)) .add(exec("mkdir -p " + dest))
.add(exec("mv /tmp/$$/*/* " + dest)) .add(exec("mv \"${TAR_TEMP}\"/*/* " + dest))
.add(exec("rm -rf /tmp/$$")).build()); .add(exec("rm -rf \"${TAR_TEMP}\""))
.build());
} }
public static Statement extractTargzIntoDirectory(URI targz, String directory) { public static Statement extractTargzIntoDirectory(URI targz, String directory) {

View File

@ -54,11 +54,11 @@ public class StatementsTest {
"/usr/local/maven"); "/usr/local/maven");
assertEquals( assertEquals(
save.render(OsFamily.UNIX), save.render(OsFamily.UNIX),
"mkdir /tmp/$$\n" + "export TAR_TEMP=\"$(mktemp -d)\"\n" +
"curl -q -s -S -L --connect-timeout 10 --max-time 600 --retry 20 -X GET http://www.us.apache.org/dist/maven/binaries/apache-maven-3.0.4-bin.tar.gz |(mkdir -p /tmp/$$ &&cd /tmp/$$ &&tar -xpzf -)\n" + "curl -q -s -S -L --connect-timeout 10 --max-time 600 --retry 20 -X GET http://www.us.apache.org/dist/maven/binaries/apache-maven-3.0.4-bin.tar.gz |(mkdir -p \"${TAR_TEMP}\" &&cd \"${TAR_TEMP}\" &&tar -xpzf -)\n" +
"mkdir -p /usr/local/maven\n" + "mkdir -p /usr/local/maven\n" +
"mv /tmp/$$/*/* /usr/local/maven\n" + "mv \"${TAR_TEMP}\"/*/* /usr/local/maven\n" +
"rm -rf /tmp/$$\n"); "rm -rf \"${TAR_TEMP}\"\n");
} }

View File

@ -87,10 +87,10 @@ public class InstallRubyGemsTest {
private static String installRubyGems(String version) { private static String installRubyGems(String version) {
String script = "if ! hash gem 2>/dev/null; then\n" String script = "if ! hash gem 2>/dev/null; then\n"
+ "(\n" + "(\n"
+ "mkdir /tmp/$$\n" + "export TAR_TEMP=\"$(mktemp -d)\"\n"
+ "curl -q -s -S -L --connect-timeout 10 --max-time 600 --retry 20 -X GET http://production.cf.rubygems.org/rubygems/rubygems-" + "curl -q -s -S -L --connect-timeout 10 --max-time 600 --retry 20 -X GET http://production.cf.rubygems.org/rubygems/rubygems-"
+ version + ".tgz |(mkdir -p /tmp/$$ &&cd /tmp/$$ &&tar -xpzf -)\n" + "mkdir -p /tmp/rubygems\n" + version + ".tgz |(mkdir -p \"${TAR_TEMP}\" &&cd \"${TAR_TEMP}\" &&tar -xpzf -)\n" + "mkdir -p /tmp/rubygems\n"
+ "mv /tmp/$$/*/* /tmp/rubygems\n" + "rm -rf /tmp/$$\n" + "cd /tmp/rubygems\n" + "mv \"${TAR_TEMP}\"/*/* /tmp/rubygems\n" + "rm -rf \"${TAR_TEMP}\"\n" + "cd /tmp/rubygems\n"
+ "ruby setup.rb --no-format-executable\n" // + "ruby setup.rb --no-format-executable\n" //
+ "rm -fr /tmp/rubygems\n" + // + "rm -fr /tmp/rubygems\n" + //
")\n" + // ")\n" + //

View File

@ -1,10 +1,10 @@
if ! hash gem 2>/dev/null; then if ! hash gem 2>/dev/null; then
( (
mkdir /tmp/$$ export TAR_TEMP="$(mktemp -d)"
curl -q -s -S -L --connect-timeout 10 --max-time 600 --retry 20 -X GET http://production.cf.rubygems.org/rubygems/rubygems-1.8.10.tgz |(mkdir -p /tmp/$$ &&cd /tmp/$$ &&tar -xpzf -) curl -q -s -S -L --connect-timeout 10 --max-time 600 --retry 20 -X GET http://production.cf.rubygems.org/rubygems/rubygems-1.8.10.tgz |(mkdir -p "${TAR_TEMP}" &&cd "${TAR_TEMP}" &&tar -xpzf -)
mkdir -p /tmp/rubygems mkdir -p /tmp/rubygems
mv /tmp/$$/*/* /tmp/rubygems mv "${TAR_TEMP}"/*/* /tmp/rubygems
rm -rf /tmp/$$ rm -rf "${TAR_TEMP}"
cd /tmp/rubygems cd /tmp/rubygems
ruby setup.rb --no-format-executable ruby setup.rb --no-format-executable
rm -fr /tmp/rubygems rm -fr /tmp/rubygems

View File

@ -86,11 +86,11 @@ END_OF_JCLOUDS_SCRIPT
trap 'echo $?>$INSTANCE_HOME/rc' 0 1 2 3 15 trap 'echo $?>$INSTANCE_HOME/rc' 0 1 2 3 15
if ! hash gem 2>/dev/null; then if ! hash gem 2>/dev/null; then
( (
mkdir /tmp/$$ export TAR_TEMP="$(mktemp -d)"
curl -q -s -S -L --connect-timeout 10 --max-time 600 --retry 20 -X GET http://production.cf.rubygems.org/rubygems/rubygems-1.8.10.tgz |(mkdir -p /tmp/$$ &&cd /tmp/$$ &&tar -xpzf -) curl -q -s -S -L --connect-timeout 10 --max-time 600 --retry 20 -X GET http://production.cf.rubygems.org/rubygems/rubygems-1.8.10.tgz |(mkdir -p "${TAR_TEMP}" &&cd "${TAR_TEMP}" &&tar -xpzf -)
mkdir -p /tmp/rubygems mkdir -p /tmp/rubygems
mv /tmp/$$/*/* /tmp/rubygems mv "${TAR_TEMP}"/*/* /tmp/rubygems
rm -rf /tmp/$$ rm -rf "${TAR_TEMP}"
cd /tmp/rubygems cd /tmp/rubygems
ruby setup.rb --no-format-executable ruby setup.rb --no-format-executable
rm -fr /tmp/rubygems rm -fr /tmp/rubygems