Merge pull request #165 from deploymenttheory/dev

ShocOne · web-flow · commit a7c9a6d0f390 · 2024-04-18T08:01:51.000+01:00
Security fixes
diff --git a/README.md b/README.md
@@ -96,7 +96,7 @@ Example configuration file (clientconfig.json):
   "Environment": {
     "InstanceName": "yourinstance",
     "OverrideBaseDomain": "",
-    "APIType": "" // "jamfpro" / "graph"
+    "APIType": "" // "jamfpro" / "msgraph"
   },
   "ClientOptions": {
     "LogLevel": "LogLevelDebug",  // "LogLevelDebug" / "LogLevelInfo" / "LogLevelWarn" / "LogLevelError" / "LogLevelFatal" / "LogLevelPanic"
diff --git a/apiintegrations/jamfpro/jamfpro_api_request.go b/apiintegrations/jamfpro/jamfpro_api_request.go
@@ -7,9 +7,10 @@ import (
 	"encoding/xml"
 	"io"
 	"mime/multipart"
-	"os"
+	"path/filepath"
 	"strings"
 
+	"github.com/deploymenttheory/go-api-http-client/helpers"
 	"github.com/deploymenttheory/go-api-http-client/logger"
 	"go.uber.org/zap"
 )
@@ -55,7 +56,7 @@ func (j *JamfAPIHandler) MarshalRequest(body interface{}, method string, endpoin
 	return data, nil
 }
 
-// MarshalMultipartFormData takes a map with form fields and file paths and returns the encoded body and content type.
+// MarshalMultipartRequest handles multipart form data encoding with secure file handling and returns the encoded body and content type.
 func (j *JamfAPIHandler) MarshalMultipartRequest(fields map[string]string, files map[string]string, log logger.Logger) ([]byte, string, error) {
 	body := &bytes.Buffer{}
 	writer := multipart.NewWriter(body)
@@ -67,15 +68,16 @@ func (j *JamfAPIHandler) MarshalMultipartRequest(fields map[string]string, files
 		}
 	}
 
-	// Add the files to the form data
-	for formField, filepath := range files {
-		file, err := os.Open(filepath)
+	// Add the files to the form data, using safeOpenFile to ensure secure file access
+	for formField, filePath := range files {
+		file, err := helpers.SafeOpenFile(filePath)
 		if err != nil {
+			log.Error("Failed to open file securely", zap.String("file", filePath), zap.Error(err))
 			return nil, "", err
 		}
 		defer file.Close()
 
-		part, err := writer.CreateFormFile(formField, filepath)
+		part, err := writer.CreateFormFile(formField, filepath.Base(filePath))
 		if err != nil {
 			return nil, "", err
 		}
@@ -84,7 +86,7 @@ func (j *JamfAPIHandler) MarshalMultipartRequest(fields map[string]string, files
 		}
 	}
 
-	// Close the writer before returning
+	// Close the writer to finish writing the multipart message
 	contentType := writer.FormDataContentType()
 	if err := writer.Close(); err != nil {
 		return nil, "", err
diff --git a/apiintegrations/msgraph/msgraph_api_request.go b/apiintegrations/msgraph/msgraph_api_request.go
@@ -6,8 +6,9 @@ import (
 	"encoding/json"
 	"io"
 	"mime/multipart"
-	"os"
+	"path/filepath"
 
+	"github.com/deploymenttheory/go-api-http-client/helpers"
 	"github.com/deploymenttheory/go-api-http-client/logger"
 	"go.uber.org/zap"
 )
@@ -29,8 +30,9 @@ func (g *GraphAPIHandler) MarshalRequest(body interface{}, method string, endpoi
 	return data, nil
 }
 
-// MarshalMultipartFormData takes a map with form fields and file paths and returns the encoded body and content type.
+// MarshalMultipartRequest handles multipart form data encoding with secure file handling and returns the encoded body and content type.
 func (g *GraphAPIHandler) MarshalMultipartRequest(fields map[string]string, files map[string]string, log logger.Logger) ([]byte, string, error) {
+
 	body := &bytes.Buffer{}
 	writer := multipart.NewWriter(body)
 
@@ -41,15 +43,16 @@ func (g *GraphAPIHandler) MarshalMultipartRequest(fields map[string]string, file
 		}
 	}
 
-	// Add the files to the form data
-	for formField, filepath := range files {
-		file, err := os.Open(filepath)
+	// Add the files to the form data, using safeOpenFile to ensure secure file access
+	for formField, filePath := range files {
+		file, err := helpers.SafeOpenFile(filePath)
 		if err != nil {
+			log.Error("Failed to open file securely", zap.String("file", filePath), zap.Error(err))
 			return nil, "", err
 		}
 		defer file.Close()
 
-		part, err := writer.CreateFormFile(formField, filepath)
+		part, err := writer.CreateFormFile(formField, filepath.Base(filePath))
 		if err != nil {
 			return nil, "", err
 		}
@@ -58,7 +61,7 @@ func (g *GraphAPIHandler) MarshalMultipartRequest(fields map[string]string, file
 		}
 	}
 
-	// Close the writer before returning
+	// Close the writer to finish writing the multipart message
 	contentType := writer.FormDataContentType()
 	if err := writer.Close(); err != nil {
 		return nil, "", err
diff --git a/helpers/helpers.go b/helpers/helpers.go
@@ -2,10 +2,34 @@
 package helpers
 
 import (
+	"fmt"
+	"os"
+	"path/filepath"
 	"time"
 )
 
 // ParseISO8601Date attempts to parse a string date in ISO 8601 format.
 func ParseISO8601Date(dateStr string) (time.Time, error) {
 	return time.Parse(time.RFC3339, dateStr)
 }
+
+// SafeOpenFile opens a file safely after validating and resolving its path.
+func SafeOpenFile(filePath string) (*os.File, error) {
+	// Clean the file path to remove any ".." or similar components that can lead to directory traversal
+	cleanPath := filepath.Clean(filePath)
+
+	// Resolve the clean path to an absolute path and ensure it resolves any symbolic links
+	absPath, err := filepath.EvalSymlinks(cleanPath)
+	if err != nil {
+		return nil, fmt.Errorf("unable to resolve the absolute path: %s, error: %w", filePath, err)
+	}
+
+	// Optionally, check if the absolute path is within a permitted directory (omitted here for brevity)
+	// Example: allowedPathPrefix := "/safe/directory/"
+	// if !strings.HasPrefix(absPath, allowedPathPrefix) {
+	// 	return nil, fmt.Errorf("access to the file path is not allowed: %s", absPath)
+	// }
+
+	// Open the file if the path is deemed safe
+	return os.Open(absPath)
+}
diff --git a/httpclient/client_configuration.go b/httpclient/client_configuration.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"log"
 	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"time"
@@ -24,16 +25,35 @@ const (
 	DefaultTimeout                   = 10 * time.Second
 	FollowRedirects                  = true
 	MaxRedirects                     = 10
+	ConfigFileExtension              = ".json"
 )
 
 // LoadConfigFromFile loads configuration values from a JSON file into the ClientConfig struct.
 // This function opens the specified configuration file, reads its content, and unmarshals the JSON data
 // into the ClientConfig struct. It's designed to initialize the client configuration with values
 // from a file, complementing or overriding defaults and environment variable settings.
-// LoadConfigFromFile loads configuration values from a JSON file into the ClientConfig struct.
 func LoadConfigFromFile(filePath string) (*ClientConfig, error) {
+	// Clean up the file path to prevent directory traversal
+	cleanPath := filepath.Clean(filePath)
+
+	// Resolve the cleanPath to an absolute path to ensure it resolves any symbolic links
+	absPath, err := filepath.EvalSymlinks(cleanPath)
+	if err != nil {
+		return nil, fmt.Errorf("unable to resolve the absolute path of the configuration file: %s, error: %w", filePath, err)
+	}
+
+	// Check for suspicious patterns in the resolved path
+	if strings.Contains(absPath, "..") {
+		return nil, fmt.Errorf("invalid path, path traversal patterns detected: %s", filePath)
+	}
+
+	// Ensure the file has the correct extension
+	if filepath.Ext(absPath) != ConfigFileExtension {
+		return nil, fmt.Errorf("invalid file extension for configuration file: %s, expected .json", filePath)
+	}
+
 	// Read the entire file
-	fileBytes, err := os.ReadFile(filePath)
+	fileBytes, err := os.ReadFile(absPath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read the configuration file: %s, error: %w", filePath, err)
 	}
@@ -48,11 +68,9 @@ func LoadConfigFromFile(filePath string) (*ClientConfig, error) {
 
 	log.Printf("Configuration successfully loaded from file: %s", filePath)
 
-	// Set default values if necessary
+	// Set default values if necessary and validate the configuration
 	setLoggerDefaultValues(&config)
 	setClientDefaultValues(&config)
-
-	// Validate mandatory configuration fields
 	if err := validateMandatoryConfiguration(&config); err != nil {
 		return nil, fmt.Errorf("configuration validation failed: %w", err)
 	}
diff --git a/logger/zaplogger_logpath.go b/logger/zaplogger_logpath.go
@@ -31,7 +31,7 @@ func EnsureLogFilePath(logPath string) (string, error) {
 
 	// Ensure the directory exists
 	dir := filepath.Dir(logPath)
-	if err := os.MkdirAll(dir, 0755); err != nil {
+	if err := os.MkdirAll(dir, 0750); err != nil {
 		return "", err
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -7,9 +7,10 @@ import (`
`7`	`7`	`"encoding/xml"`
`8`	`8`	`"io"`
`9`	`9`	`"mime/multipart"`
`10`		`- "os"`
	`10`	`+ "path/filepath"`
`11`	`11`	`"strings"`
`12`	`12`
	`13`	`+ "github.com/deploymenttheory/go-api-http-client/helpers"`
`13`	`14`	`"github.com/deploymenttheory/go-api-http-client/logger"`
`14`	`15`	`"go.uber.org/zap"`
`15`	`16`	`)`
`@@ -55,7 +56,7 @@ func (j *JamfAPIHandler) MarshalRequest(body interface{}, method string, endpoin`
`55`	`56`	`return data, nil`
`56`	`57`	`}`
`57`	`58`
`58`		`-// MarshalMultipartFormData takes a map with form fields and file paths and returns the encoded body and content type.`
	`59`	`+// MarshalMultipartRequest handles multipart form data encoding with secure file handling and returns the encoded body and content type.`
`59`	`60`	`func (j *JamfAPIHandler) MarshalMultipartRequest(fields map[string]string, files map[string]string, log logger.Logger) ([]byte, string, error) {`
`60`	`61`	`body := &bytes.Buffer{}`
`61`	`62`	`writer := multipart.NewWriter(body)`
`@@ -67,15 +68,16 @@ func (j *JamfAPIHandler) MarshalMultipartRequest(fields map[string]string, files`
`67`	`68`	`}`
`68`	`69`	`}`
`69`	`70`
`70`		`- // Add the files to the form data`
`71`		`- for formField, filepath := range files {`
`72`		`- file, err := os.Open(filepath)`
	`71`	`+ // Add the files to the form data, using safeOpenFile to ensure secure file access`
	`72`	`+ for formField, filePath := range files {`
	`73`	`+ file, err := helpers.SafeOpenFile(filePath)`
`73`	`74`	`if err != nil {`
	`75`	`+ log.Error("Failed to open file securely", zap.String("file", filePath), zap.Error(err))`
`74`	`76`	`return nil, "", err`
`75`	`77`	`}`
`76`	`78`	`defer file.Close()`
`77`	`79`
`78`		`- part, err := writer.CreateFormFile(formField, filepath)`
	`80`	`+ part, err := writer.CreateFormFile(formField, filepath.Base(filePath))`
`79`	`81`	`if err != nil {`
`80`	`82`	`return nil, "", err`
`81`	`83`	`}`
`@@ -84,7 +86,7 @@ func (j *JamfAPIHandler) MarshalMultipartRequest(fields map[string]string, files`
`84`	`86`	`}`
`85`	`87`	`}`
`86`	`88`
`87`		`- // Close the writer before returning`
	`89`	`+ // Close the writer to finish writing the multipart message`
`88`	`90`	`contentType := writer.FormDataContentType()`
`89`	`91`	`if err := writer.Close(); err != nil {`
`90`	`92`	`return nil, "", err`
Original file line number	Diff line number	Diff line change
`@@ -6,8 +6,9 @@ import (`
`6`	`6`	`"encoding/json"`
`7`	`7`	`"io"`
`8`	`8`	`"mime/multipart"`
`9`		`- "os"`
	`9`	`+ "path/filepath"`
`10`	`10`
	`11`	`+ "github.com/deploymenttheory/go-api-http-client/helpers"`
`11`	`12`	`"github.com/deploymenttheory/go-api-http-client/logger"`
`12`	`13`	`"go.uber.org/zap"`
`13`	`14`	`)`
`@@ -29,8 +30,9 @@ func (g *GraphAPIHandler) MarshalRequest(body interface{}, method string, endpoi`
`29`	`30`	`return data, nil`
`30`	`31`	`}`
`31`	`32`
`32`		`-// MarshalMultipartFormData takes a map with form fields and file paths and returns the encoded body and content type.`
	`33`	`+// MarshalMultipartRequest handles multipart form data encoding with secure file handling and returns the encoded body and content type.`
`33`	`34`	`func (g *GraphAPIHandler) MarshalMultipartRequest(fields map[string]string, files map[string]string, log logger.Logger) ([]byte, string, error) {`
	`35`	`+`
`34`	`36`	`body := &bytes.Buffer{}`
`35`	`37`	`writer := multipart.NewWriter(body)`
`36`	`38`
`@@ -41,15 +43,16 @@ func (g *GraphAPIHandler) MarshalMultipartRequest(fields map[string]string, file`
`41`	`43`	`}`
`42`	`44`	`}`
`43`	`45`
`44`		`- // Add the files to the form data`
`45`		`- for formField, filepath := range files {`
`46`		`- file, err := os.Open(filepath)`
	`46`	`+ // Add the files to the form data, using safeOpenFile to ensure secure file access`
	`47`	`+ for formField, filePath := range files {`
	`48`	`+ file, err := helpers.SafeOpenFile(filePath)`
`47`	`49`	`if err != nil {`
	`50`	`+ log.Error("Failed to open file securely", zap.String("file", filePath), zap.Error(err))`
`48`	`51`	`return nil, "", err`
`49`	`52`	`}`
`50`	`53`	`defer file.Close()`
`51`	`54`
`52`		`- part, err := writer.CreateFormFile(formField, filepath)`
	`55`	`+ part, err := writer.CreateFormFile(formField, filepath.Base(filePath))`
`53`	`56`	`if err != nil {`
`54`	`57`	`return nil, "", err`
`55`	`58`	`}`
`@@ -58,7 +61,7 @@ func (g *GraphAPIHandler) MarshalMultipartRequest(fields map[string]string, file`
`58`	`61`	`}`
`59`	`62`	`}`
`60`	`63`
`61`		`- // Close the writer before returning`
	`64`	`+ // Close the writer to finish writing the multipart message`
`62`	`65`	`contentType := writer.FormDataContentType()`
`63`	`66`	`if err := writer.Close(); err != nil {`
`64`	`67`	`return nil, "", err`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ func EnsureLogFilePath(logPath string) (string, error) {`
`31`	`31`
`32`	`32`	`// Ensure the directory exists`
`33`	`33`	`dir := filepath.Dir(logPath)`
`34`		`- if err := os.MkdirAll(dir, 0755); err != nil {`
	`34`	`+ if err := os.MkdirAll(dir, 0750); err != nil {`
`35`	`35`	`return "", err`
`36`	`36`	`}`
`37`	`37`