mendersoftware / mender / 2189544880

01 Dec 2025 04:20PM UTC coverage: 75.865%. First build
2189544880

push

gitlab-ci

michalkopczan
fix: Sanitize Update Module paths - payload_type must not point outside of Update Modules' directory

(cherry picked from commit c76f042b3)

Ticket: MEN-9027
Changelog: Sanitized the payload_type field of Mender artifacts, removing relative paths pointing outside Update Modules directory.

Signed-off-by: Michal Kopczan <michal.kopczan@northern.tech>

37 of 54 new or added lines in 7 files covered. (68.52%)

7415 of 9774 relevant lines covered (75.86%)

13875.41 hits per line

Source File
71.43
/src/common/path/path.cpp
// Copyright 2025 Northern.tech AS
//
//    Licensed under the Apache License, Version 2.0 (the "License");
//    you may not use this file except in compliance with the License.
//    You may obtain a copy of the License at
//
//        http://www.apache.org/licenses/LICENSE-2.0
//
//    Unless required by applicable law or agreed to in writing, software
//    distributed under the License is distributed on an "AS IS" BASIS,
//    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
//    See the License for the specific language governing permissions and
//    limitations under the License.

#include <common/path.hpp>

#include <filesystem>
#include <string>
#include <unordered_set>

#include <common/error.hpp>

namespace mender {
namespace common {
namespace path {

using namespace std;

expected::ExpectedBool IsWithinOrEqual(const string &check_path, const string &target_dir) {  // 248✔
        auto exp_canonical_check_path = WeaklyCanonical(check_path);  // 248✔
        if (!exp_canonical_check_path.has_value()) {  // 248✔
                return expected::unexpected(exp_canonical_check_path.error().WithContext(  // NEW ×
                        "Error creating canonical path, path to check: '" + check_path));  // NEW ×
        }

        auto exp_canonical_target_dir = WeaklyCanonical(target_dir);  // 248✔
        if (!exp_canonical_target_dir.has_value()) {  // 248✔
                return expected::unexpected(exp_canonical_target_dir.error().WithContext(  // NEW ×
                        "Error creating canonical path, target directory: '" + target_dir));  // NEW ×
        }

        auto canonical_check_path = exp_canonical_check_path.value();  // 248✔
        auto canonical_target_dir = exp_canonical_target_dir.value();  // 248✔

        // Terminate both with "/", otherwise we could mistakenly say that
        // 1. /test/testabc is contained within /test/test
        // 2. /test/test is not equal to /test/test/
        if (canonical_check_path.back() != '/') {  // 248✔
                canonical_check_path += '/';
        }
        if (canonical_target_dir.back() != '/') {  // 248✔
                canonical_target_dir += '/';
        }

        if (canonical_check_path.rfind(canonical_target_dir, 0) == 0) {  // 248✔
                return true;
        }
        return false;
}

} // namespace path
} // namespace common
} // namespace mender
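
The containment check above, exercised on payload_type-style inputs as an added example; this is not Mender's code. It assumes std::filesystem::weakly_canonical as a stand-in for the project's WeaklyCanonical() wrapper, and the helper names and the modules directory are hypothetical, constructed for the demonstration.

```cpp
#include <filesystem>
#include <initializer_list>
#include <iostream>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// Canonicalize without requiring the path to exist; empty string on error.
// Stand-in (assumption) for the project's WeaklyCanonical() wrapper.
static std::string canon(const std::string &p) {
    std::error_code ec;
    fs::path c = fs::weakly_canonical(fs::path(p), ec);
    return ec ? std::string() : c.string();
}

// Naive form: plain string prefix test with no separator handling.
bool naive_is_within(const std::string &check_path, const std::string &target_dir) {
    return canon(check_path).rfind(canon(target_dir), 0) == 0;
}

// Form shown on this page: terminate both sides with '/' before the prefix test.
bool is_within_or_equal(const std::string &check_path, const std::string &target_dir) {
    std::string check = canon(check_path), target = canon(target_dir);
    if (check.empty() || target.empty()) return false;  // fail closed
    if (check.back() != '/') check += '/';
    if (target.back() != '/') target += '/';
    return check.rfind(target, 0) == 0;
}

// Hypothetical caller: does modules_dir/payload_type stay inside modules_dir?
// An absolute payload_type replaces modules_dir in operator/ and is rejected too.
bool payload_type_allowed(const std::string &modules_dir, const std::string &payload_type) {
    return is_within_or_equal((fs::path(modules_dir) / payload_type).string(), modules_dir);
}

// Constructed sample directory; it does not need to exist on disk.
const std::string kModules = "/mender-demo-nonexistent/modules/v3";

int main() {
    for (const char *t : {"rootfs-image", "sub/../rootfs-image", "../../../bin/sh", "/bin/sh"}) {
        std::cout << t << " -> "
                  << (payload_type_allowed(kModules, t) ? "allowed" : "rejected") << "\n";
    }
    // The sibling directory "v3abc" passes the naive test but not the terminated one.
    std::cout << "naive: " << naive_is_within(kModules + "abc", kModules)
              << ", terminated: " << is_within_or_equal(kModules + "abc", kModules) << "\n";
}
```

Because equality counts as contained, an empty or "." payload_type resolves to the modules directory itself and passes this example's check; a caller that needs a file strictly below the directory has to test for that separately.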