Block symlink dir traversal for /static

This is in line with how it behaved before, but it was lifted a little for the project mount for Hugo Modules, but that could create hard-to-detect loops.
2025-08-29 22:29:56 +02:00 · 2019-07-25 00:12:40 +02:00
parent 87a07282a2
commit e5f2299741
24 changed files with 320 additions and 130 deletions
--- a/hugofs/decorators.go
+++ b/hugofs/decorators.go
@@ -90,19 +90,14 @@ func NewBaseFileDecorator(fs afero.Fs) afero.Fs {
 		isSymlink := isSymlink(fi)
 		if isSymlink {
 			meta[metaKeyOriginalFilename] = filename
-			link, err := filepath.EvalSymlinks(filename)
+			var link string
+			var err error
+			link, fi, err = evalSymlinks(fs, filename)
 			if err != nil {
 				return nil, err
 			}
-
-			fi, err = fs.Stat(link)
-			if err != nil {
-				return nil, err
-			}
-
 			filename = link
 			meta[metaKeyIsSymlink] = true
-
 		}

 		opener := func() (afero.File, error) {
@@ -117,6 +112,20 @@ func NewBaseFileDecorator(fs afero.Fs) afero.Fs {
 	return ffs
 }

+func evalSymlinks(fs afero.Fs, filename string) (string, os.FileInfo, error) {
+	link, err := filepath.EvalSymlinks(filename)
+	if err != nil {
+		return "", nil, err
+	}
+
+	fi, err := fs.Stat(link)
+	if err != nil {
+		return "", nil, err
+	}
+
+	return link, fi, nil
+}
+
 type baseFileDecoratorFs struct {
 	afero.Fs
 	decorate func(fi os.FileInfo, filename string) (os.FileInfo, error)
--- a/hugofs/fileinfo.go
+++ b/hugofs/fileinfo.go
@@ -180,9 +180,20 @@ type FileMetaInfo interface {

 type fileInfoMeta struct {
 	os.FileInfo
+
 	m FileMeta
 }

+// Name returns the file's name. Note that we follow symlinks,
+// if supported by the file system, and the Name given here will be the
+// name of the symlink, which is what Hugo needs in all situations.
+func (fi *fileInfoMeta) Name() string {
+	if name := fi.m.Name(); name != "" {
+		return name
+	}
+	return fi.FileInfo.Name()
+}
+
 func (fi *fileInfoMeta) Meta() FileMeta {
 	return fi.m
 }
@@ -295,3 +306,11 @@ func normalizeFilename(filename string) string {
 	}
 	return filename
 }
+
+func fileInfosToNames(fis []os.FileInfo) []string {
+	names := make([]string, len(fis))
+	for i, d := range fis {
+		names[i] = d.Name()
+	}
+	return names
+}
--- a/hugofs/nosymlink_fs.go
+++ b/hugofs/nosymlink_fs.go
@@ -16,6 +16,9 @@ package hugofs
 import (
 	"errors"
 	"os"
+	"path/filepath"
+
+	"github.com/gohugoio/hugo/common/loggers"

 	"github.com/spf13/afero"
 )
@@ -24,15 +27,48 @@ var (
 	ErrPermissionSymlink = errors.New("symlinks not allowed in this filesystem")
 )

-func NewNoSymlinkFs(fs afero.Fs) afero.Fs {
-	return &noSymlinkFs{Fs: fs}
+// NewNoSymlinkFs creates a new filesystem that prevents symlinks.
+func NewNoSymlinkFs(fs afero.Fs, logger *loggers.Logger, allowFiles bool) afero.Fs {
+	return &noSymlinkFs{Fs: fs, logger: logger, allowFiles: allowFiles}
 }

 // noSymlinkFs is a filesystem that prevents symlinking.
 type noSymlinkFs struct {
+	allowFiles bool // block dirs only
+	logger     *loggers.Logger
 	afero.Fs
 }

+type noSymlinkFile struct {
+	fs *noSymlinkFs
+	afero.File
+}
+
+func (f *noSymlinkFile) Readdir(count int) ([]os.FileInfo, error) {
+	fis, err := f.File.Readdir(count)
+
+	filtered := fis[:0]
+	for _, x := range fis {
+		filename := filepath.Join(f.Name(), x.Name())
+		if _, err := f.fs.checkSymlinkStatus(filename, x); err != nil {
+			// Log a warning and drop the file from the list
+			logUnsupportedSymlink(filename, f.fs.logger)
+		} else {
+			filtered = append(filtered, x)
+		}
+	}
+
+	return filtered, err
+}
+
+func (f *noSymlinkFile) Readdirnames(count int) ([]string, error) {
+	dirs, err := f.Readdir(count)
+	if err != nil {
+		return nil, err
+	}
+	return fileInfosToNames(dirs), nil
+}
+
 func (fs *noSymlinkFs) LstatIfPossible(name string) (os.FileInfo, bool, error) {
 	return fs.stat(name)
 }
@@ -53,33 +89,68 @@ func (fs *noSymlinkFs) stat(name string) (os.FileInfo, bool, error) {
 	if lstater, ok := fs.Fs.(afero.Lstater); ok {
 		fi, wasLstat, err = lstater.LstatIfPossible(name)
 	} else {
-
 		fi, err = fs.Fs.Stat(name)
 	}

+	if err != nil {
+		return nil, false, err
+	}
+
+	fi, err = fs.checkSymlinkStatus(name, fi)
+
+	return fi, wasLstat, err
+}
+
+func (fs *noSymlinkFs) checkSymlinkStatus(name string, fi os.FileInfo) (os.FileInfo, error) {
 	var metaIsSymlink bool

 	if fim, ok := fi.(FileMetaInfo); ok {
-		metaIsSymlink = fim.Meta().IsSymlink()
+		meta := fim.Meta()
+		metaIsSymlink = meta.IsSymlink()
 	}

-	if metaIsSymlink || isSymlink(fi) {
-		return nil, wasLstat, ErrPermissionSymlink
+	if metaIsSymlink {
+		if fs.allowFiles && !fi.IsDir() {
+			return fi, nil
+		}
+		return nil, ErrPermissionSymlink
 	}

-	return fi, wasLstat, err
+	// Also support non-decorated filesystems, e.g. the Os fs.
+	if isSymlink(fi) {
+		// Need to determine if this is a directory or not.
+		_, sfi, err := evalSymlinks(fs.Fs, name)
+		if err != nil {
+			return nil, err
+		}
+		if fs.allowFiles && !sfi.IsDir() {
+			// Return the original FileInfo to get the expected Name.
+			return fi, nil
+		}
+		return nil, ErrPermissionSymlink
+	}
+
+	return fi, nil
 }

 func (fs *noSymlinkFs) Open(name string) (afero.File, error) {
 	if _, _, err := fs.stat(name); err != nil {
 		return nil, err
 	}
-	return fs.Fs.Open(name)
+	return fs.wrapFile(fs.Fs.Open(name))
 }

 func (fs *noSymlinkFs) OpenFile(name string, flag int, perm os.FileMode) (afero.File, error) {
 	if _, _, err := fs.stat(name); err != nil {
 		return nil, err
 	}
-	return fs.Fs.OpenFile(name, flag, perm)
+	return fs.wrapFile(fs.Fs.OpenFile(name, flag, perm))
+}
+
+func (fs *noSymlinkFs) wrapFile(f afero.File, err error) (afero.File, error) {
+	if err != nil {
+		return nil, err
+	}
+
+	return &noSymlinkFile{File: f, fs: fs}, nil
 }
--- a/hugofs/nosymlink_test.go
+++ b/hugofs/nosymlink_test.go
@@ -18,6 +18,8 @@ import (
 	"path/filepath"
 	"testing"

+	"github.com/gohugoio/hugo/common/loggers"
+
 	"github.com/gohugoio/hugo/htesting"

 	"github.com/spf13/afero"
@@ -25,73 +27,120 @@ import (
 	"github.com/stretchr/testify/require"
 )

+func prepareSymlinks(t *testing.T) (string, func()) {
+	assert := require.New(t)
+
+	workDir, clean, err := htesting.CreateTempDir(Os, "hugo-symlink-test")
+	assert.NoError(err)
+	wd, _ := os.Getwd()
+
+	blogDir := filepath.Join(workDir, "blog")
+	blogSubDir := filepath.Join(blogDir, "sub")
+	assert.NoError(os.MkdirAll(blogSubDir, 0777))
+	blogFile1 := filepath.Join(blogDir, "a.txt")
+	blogFile2 := filepath.Join(blogSubDir, "b.txt")
+	afero.WriteFile(Os, filepath.Join(blogFile1), []byte("content1"), 0777)
+	afero.WriteFile(Os, filepath.Join(blogFile2), []byte("content2"), 0777)
+	os.Chdir(workDir)
+	assert.NoError(os.Symlink("blog", "symlinkdedir"))
+	os.Chdir(blogDir)
+	assert.NoError(os.Symlink("sub", "symsub"))
+	assert.NoError(os.Symlink("a.txt", "symlinkdedfile.txt"))
+
+	return workDir, func() {
+		clean()
+		os.Chdir(wd)
+	}
+}
+
 func TestNoSymlinkFs(t *testing.T) {
 	if skipSymlink() {
 		t.Skip("Skip; os.Symlink needs administrator rights on Windows")
 	}
 	assert := require.New(t)
-	workDir, clean, err := htesting.CreateTempDir(Os, "hugo-nosymlink")
-	assert.NoError(err)
+	workDir, clean := prepareSymlinks(t)
 	defer clean()
-	wd, _ := os.Getwd()
-	defer func() {
-		os.Chdir(wd)
-	}()

 	blogDir := filepath.Join(workDir, "blog")
-	blogFile := filepath.Join(blogDir, "a.txt")
-	assert.NoError(os.MkdirAll(blogDir, 0777))
-	afero.WriteFile(Os, filepath.Join(blogFile), []byte("content"), 0777)
-	os.Chdir(workDir)
-	assert.NoError(os.Symlink("blog", "symlinkdedir"))
-	os.Chdir(blogDir)
-	assert.NoError(os.Symlink("a.txt", "symlinkdedfile.txt"))
+	blogFile1 := filepath.Join(blogDir, "a.txt")

-	fs := NewNoSymlinkFs(Os)
-	ls := fs.(afero.Lstater)
-	symlinkedDir := filepath.Join(workDir, "symlinkdedir")
-	symlinkedFile := filepath.Join(blogDir, "symlinkdedfile.txt")
+	logger := loggers.NewWarningLogger()

-	// Check Stat and Lstat
-	for _, stat := range []func(name string) (os.FileInfo, error){
-		func(name string) (os.FileInfo, error) {
-			return fs.Stat(name)
-		},
-		func(name string) (os.FileInfo, error) {
-			fi, _, err := ls.LstatIfPossible(name)
-			return fi, err
-		},
-	} {
-		_, err = stat(symlinkedDir)
-		assert.Equal(ErrPermissionSymlink, err)
-		_, err = stat(symlinkedFile)
-		assert.Equal(ErrPermissionSymlink, err)
+	for _, bfs := range []afero.Fs{NewBaseFileDecorator(Os), Os} {
+		for _, allowFiles := range []bool{false, true} {
+			logger.WarnCounter.Reset()
+			fs := NewNoSymlinkFs(bfs, logger, allowFiles)
+			ls := fs.(afero.Lstater)
+			symlinkedDir := filepath.Join(workDir, "symlinkdedir")
+			symlinkedFilename := "symlinkdedfile.txt"
+			symlinkedFile := filepath.Join(blogDir, symlinkedFilename)

-		fi, err := stat(filepath.Join(workDir, "blog"))
-		assert.NoError(err)
-		assert.NotNil(fi)
+			assertFileErr := func(err error) {
+				if allowFiles {
+					assert.NoError(err)
+				} else {
+					assert.Equal(ErrPermissionSymlink, err)
+				}
+			}

-		fi, err = stat(blogFile)
-		assert.NoError(err)
-		assert.NotNil(fi)
+			assertFileStat := func(name string, fi os.FileInfo, err error) {
+				t.Helper()
+				assertFileErr(err)
+				if err == nil {
+					assert.NotNil(fi)
+					assert.Equal(name, fi.Name())
+				}
+			}
+
+			// Check Stat and Lstat
+			for _, stat := range []func(name string) (os.FileInfo, error){
+				func(name string) (os.FileInfo, error) {
+					return fs.Stat(name)
+				},
+				func(name string) (os.FileInfo, error) {
+					fi, _, err := ls.LstatIfPossible(name)
+					return fi, err
+				},
+			} {
+				fi, err := stat(symlinkedDir)
+				assert.Equal(ErrPermissionSymlink, err)
+				fi, err = stat(symlinkedFile)
+				assertFileStat(symlinkedFilename, fi, err)
+
+				fi, err = stat(filepath.Join(workDir, "blog"))
+				assert.NoError(err)
+				assert.NotNil(fi)
+
+				fi, err = stat(blogFile1)
+				assert.NoError(err)
+				assert.NotNil(fi)
+			}
+
+			// Check Open
+			_, err := fs.Open(symlinkedDir)
+			assert.Equal(ErrPermissionSymlink, err)
+			_, err = fs.OpenFile(symlinkedDir, os.O_RDWR|os.O_APPEND|os.O_CREATE, 0666)
+			assert.Equal(ErrPermissionSymlink, err)
+			_, err = fs.OpenFile(symlinkedFile, os.O_RDWR|os.O_APPEND|os.O_CREATE, 0666)
+			assertFileErr(err)
+			_, err = fs.Open(symlinkedFile)
+			assertFileErr(err)
+			f, err := fs.Open(blogDir)
+			assert.NoError(err)
+			f.Close()
+			f, err = fs.Open(blogFile1)
+			assert.NoError(err)
+			f.Close()
+
+			// Check readdir
+			f, err = fs.Open(workDir)
+			assert.NoError(err)
+			// There is at least one unsported symlink inside workDir
+			_, err = f.Readdir(-1)
+			f.Close()
+			assert.Equal(uint64(1), logger.WarnCounter.Count())
+
+		}
 	}

-	// Check Open
-	_, err = fs.Open(symlinkedDir)
-	assert.Equal(ErrPermissionSymlink, err)
-	_, err = fs.OpenFile(symlinkedDir, os.O_RDWR|os.O_APPEND|os.O_CREATE, 0666)
-	assert.Equal(ErrPermissionSymlink, err)
-	_, err = fs.OpenFile(symlinkedFile, os.O_RDWR|os.O_APPEND|os.O_CREATE, 0666)
-	assert.Equal(ErrPermissionSymlink, err)
-	_, err = fs.Open(symlinkedFile)
-	assert.Equal(ErrPermissionSymlink, err)
-	f, err := fs.Open(blogDir)
-	assert.NoError(err)
-	f.Close()
-	f, err = fs.Open(blogFile)
-	assert.NoError(err)
-	f.Close()
-
-	// os.OpenFile(logFile, os.O_RDWR|os.O_APPEND|os.O_CREATE, 0666)
-
 }
--- a/hugofs/rootmapping_fs.go
+++ b/hugofs/rootmapping_fs.go
@@ -459,9 +459,5 @@ func (f *rootMappingFile) Readdirnames(count int) ([]string, error) {
 	if err != nil {
 		return nil, err
 	}
-	dirss := make([]string, len(dirs))
-	for i, d := range dirs {
-		dirss[i] = d.Name()
-	}
-	return dirss, nil
+	return fileInfosToNames(dirs), nil
 }
--- a/hugofs/walk.go
+++ b/hugofs/walk.go
@@ -121,8 +121,7 @@ func (w *Walkway) Walk() error {
 				return nil
 			}

-			if err == ErrPermissionSymlink {
-				w.logger.WARN.Printf("Unsupported symlink found in %q, skipping.", w.root)
+			if w.checkErr(w.root, err) {
 				return nil
 			}

@@ -149,6 +148,19 @@ func lstatIfPossible(fs afero.Fs, path string) (os.FileInfo, bool, error) {
 	return fi, false, err
 }

+// checkErr returns true if the error is handled.
+func (w *Walkway) checkErr(filename string, err error) bool {
+	if err == ErrPermissionSymlink {
+		logUnsupportedSymlink(filename, w.logger)
+		return true
+	}
+	return false
+}
+
+func logUnsupportedSymlink(filename string, logger *loggers.Logger) {
+	logger.WARN.Printf("Unsupported symlink found in %q, skipping.", filename)
+}
+
 // walk recursively descends path, calling walkFn.
 // It follow symlinks if supported by the filesystem, but only the same path once.
 func (w *Walkway) walk(path string, info FileMetaInfo, dirEntries []FileMetaInfo, walkFn WalkFunc) error {
@@ -168,16 +180,17 @@ func (w *Walkway) walk(path string, info FileMetaInfo, dirEntries []FileMetaInfo

 	if dirEntries == nil {
 		f, err := w.fs.Open(path)
-
 		if err != nil {
+			if w.checkErr(path, err) {
+				return nil
+			}
 			return walkFn(path, info, errors.Wrapf(err, "walk: open %q (%q)", path, w.root))
 		}

 		fis, err := f.Readdir(-1)
 		f.Close()
 		if err != nil {
-			if err == ErrPermissionSymlink {
-				w.logger.WARN.Printf("Unsupported symlink found in %q, skipping.", filename)
+			if w.checkErr(filename, err) {
 				return nil
 			}
 			return walkFn(path, info, errors.Wrap(err, "walk: Readdir"))