Artifact format: Avoid spaces and wildcards in files list

Description

Acceptance criteria:

  • Make sure that when reading artifact v3 files in the payload section, no characters besides letters, digits and characters in the set ".,_-" are allowed.

  • A test which tries to read a crafted artifact that has a disallowed character

  • If MEN-2309 is already done, make sure deployments service has its mender-artifact vendor dependency updated to include this change

The primary motivation for doing this is to prevent shell evaluation attacks in update modules using files with specially crafted names (such as wildcards or spaces). The effect of this would be similar to the Shellshock security vulnerability.

We cannot do this task after v3 is released, since constraining the filename validity would break existing artifacts.
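
An added example (not mender-artifact's own code) of the check the acceptance criteria describe, applied to every file name while walking a payload tar stream. `ValidName`, `CheckPayloadTar` and `BuildTar` are hypothetical names, the file names are constructed, and reading "letters" as ASCII letters and the payload as a tar stream are assumptions.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"regexp"
)

// Assumption: "letters" means ASCII letters. Go's $ matches only at end of
// text, so a trailing newline is rejected; "+" rejects the empty name.
var allowedName = regexp.MustCompile(`^[A-Za-z0-9.,_-]+$`)

// ValidName reports whether a payload file name uses only allowed characters.
func ValidName(name string) bool { return allowedName.MatchString(name) }

// CheckPayloadTar fails on the first disallowed name, before any file
// content would be handed to an update module.
func CheckPayloadTar(r io.Reader) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		} else if !ValidName(hdr.Name) {
			return fmt.Errorf("payload file name %q contains a disallowed character", hdr.Name)
		}
	}
}

// BuildTar creates an in-memory tar holding the given constructed file names.
func BuildTar(names ...string) io.Reader {
	buf := &bytes.Buffer{}
	tw := tar.NewWriter(buf)
	for _, n := range names {
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0600, Size: 2})
		tw.Write([]byte("ok"))
	}
	tw.Close()
	return buf
}

func main() {
	fmt.Println(CheckPayloadTar(BuildTar("rootfs-image_1.0.ext4")))
	fmt.Println(CheckPayloadTar(BuildTar("app.bin", "data *.bin")))
}
```

Because "/" is outside the allowed set, the same check also rejects names that contain a directory component.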

Activity

eystein.maloy.stenberg, January 18, 2019 at 8:57 PM

Kristian Amlie, January 18, 2019 at 11:58 AM

To get started, you probably want to look at the readAndInstall function for the reading part, and the writeOneDataFile for the writing part.

Adam Podogrocki, January 18, 2019 at 11:13 AM

Together with we decided that this can be my next task. I added it to the current sprint. Starting on Thursday next week I will work only on Azure related tasks.

Kristian Amlie, January 16, 2019 at 8:16 AM

Oh, and actually I thought of a quite relevant use case that would fail: If a user updated his fleet from image-1.0 to image-2.0, then later (after committing) realized that image-2.0 is performing poorly, he wants to downgrade to his previous image-1.0, he can't anymore.

Kristian Amlie, January 16, 2019 at 8:13 AM

And to answer your question: No, it cannot brick devices. It can, however, prevent your fleet of new Menderized devices from accepting an update, despite older devices accepting the very same update.

Fixed

Created January 14, 2019 at 7:46 AM
Updated June 25, 2024 at 11:55 AM
Resolved January 24, 2019 at 11:02 AM