roots fileserver fix path verification for symlinks with destination …

…outside of root
saltstack · Apr 23, 2024 · 4819ce7 · 4819ce7
1 parent 144a13e
commit 4819ce7
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 2 deletions.
diff --git a/salt/fileserver/roots.py b/salt/fileserver/roots.py
@@ -101,7 +101,7 @@ def _add_file_stat(fnd):
  full = os.path.join(root, path)
 
  # Refuse to serve file that is not under the root.
- if not salt.utils.verify.clean_path(root, full, subdir=True):
+ if not salt.utils.verify.clean_path(root, full, subdir=True, realpath=not __opts__["fileserver_followsymlinks"]):
  continue
 
  if os.path.isfile(full) and not salt.fileserver.is_file_ignored(__opts__, full):
@@ -149,7 +149,7 @@ def serve_file(load, fnd):
  if saltenv == "__env__":
  root = root.replace("__env__", actual_saltenv)
  # Refuse to serve file that is not under the root.
- if salt.utils.verify.clean_path(root, fpath, subdir=True):
+ if salt.utils.verify.clean_path(root, fpath, subdir=True, realpath=not __opts__["fileserver_followsymlinks"]):
  file_in_root = True
  if not file_in_root:
  return ret

diff --git a/tests/pytests/unit/fileserver/test_roots.py b/tests/pytests/unit/fileserver/test_roots.py
@@ -315,3 +315,28 @@ def test_serve_file_not_in_root(tmp_state_tree):
  assert ret == {"data": "", "dest": "..\\bar"}
  else:
  assert ret == {"data": "", "dest": "../bar"}
+
+
+def test_find_file_symlink_destination_not_in_root(tmp_state_tree):
+ dirname = pathlib.Path(tmp_state_tree).parent / "foo"
+ dirname.mkdir(parents=True, exist_ok=True)
+ testfile = dirname / "testfile"
+ testfile.write_text("testfile")
+ symlink = tmp_state_tree / "bar"
+ symlink.symlink_to(str(dirname))
+ ret = roots.find_file("bar/testfile")
+ assert ret["path"] == str(symlink / "testfile")
+ assert ret["rel"] == "bar/testfile"
+
+
+def test_serve_file_symlink_destination_not_in_root(tmp_state_tree):
+ dirname = pathlib.Path(tmp_state_tree).parent / "foo"
+ dirname.mkdir(parents=True, exist_ok=True)
+ testfile = dirname / "testfile"
+ testfile.write_text("testfile")
+ symlink = tmp_state_tree / "bar"
+ symlink.symlink_to(str(dirname))
+ load = {"path": "bar/testfile", "saltenv": "base", "loc": 0}
+ fnd = {"path": str(symlink / "testfile"), "rel": "bar/testfile"}
+ ret = roots.serve_file(load, fnd)
+ assert ret == {"data": b"testfile", "dest": "bar/testfile"}