Merge branch 'main' into move-jsonwall-manifest

SECURITY.md

@@ -0,0 +1,7 @@
+# Security Policy 
+
+## Reporting a Vulnerability
+
+To report a security issue, file a [Private Security Report](https://github.com/Canonical/chisel/security/advisories/new) with a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.
+
+The [Ubuntu Security disclosure and embargo policy](https://ubuntu.com/security/disclosure-policy) contains more information about what you can expect when you contact us and what we expect from you.

cmd/chisel/cmd_version.go

@@ -10,7 +10,7 @@ import (
 
 var shortVersionHelp = "Show version details"
 var longVersionHelp = `
-The version command displays the versions of the running client and server.
+Show the tool version and exit.
 `
 
 type cmdVersion struct{}

go.mod

@@ -9,14 +9,14 @@ require (
 	github.com/klauspost/compress v1.15.4
 	github.com/ulikunitz/xz v0.5.10
 	go.starlark.net v0.0.0-20220328144851-d1966c6b9fcd
-	golang.org/x/crypto v0.21.0
-	golang.org/x/term v0.18.0
+	golang.org/x/crypto v0.32.0
+	golang.org/x/term v0.28.0
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
 	github.com/kr/pretty v0.2.1 // indirect
 	github.com/kr/text v0.1.0 // indirect
-	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
 )

go.sum

@@ -42,8 +42,8 @@ github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0o
 go.starlark.net v0.0.0-20220328144851-d1966c6b9fcd h1:Uo/x0Ir5vQJ+683GXB9Ug+4fcjsbp7z7Ul8UaZbhsRM=
 go.starlark.net v0.0.0-20220328144851-d1966c6b9fcd/go.mod h1:t3mmBBPzAVvK0L0n1drDmrQsJ8FoIx4INCqVMTr/Zo0=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
-golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
+golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -60,10 +60,10 @@ golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
-golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
-golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
+golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=

internal/archive/archive.go

@@ -18,7 +18,7 @@ import (
 
 type Archive interface {
 	Options() *Options
-	Fetch(pkg string) (io.ReadCloser, *PackageInfo, error)
+	Fetch(pkg string) (io.ReadSeekCloser, *PackageInfo, error)
 	Exists(pkg string) bool
 	Info(pkg string) (*PackageInfo, error)
 }
@@ -123,7 +123,7 @@ func (a *ubuntuArchive) selectPackage(pkg string) (control.Section, *ubuntuIndex
 	return selectedSection, selectedIndex, nil
 }
 
-func (a *ubuntuArchive) Fetch(pkg string) (io.ReadCloser, *PackageInfo, error) {
+func (a *ubuntuArchive) Fetch(pkg string) (io.ReadSeekCloser, *PackageInfo, error) {
 	section, index, err := a.selectPackage(pkg)
 	if err != nil {
 		return nil, nil, err
@@ -363,7 +363,7 @@ func (index *ubuntuIndex) checkComponents(components []string) error {
 	return nil
 }
 
-func (index *ubuntuIndex) fetch(suffix, digest string, flags fetchFlags) (io.ReadCloser, error) {
+func (index *ubuntuIndex) fetch(suffix, digest string, flags fetchFlags) (io.ReadSeekCloser, error) {
 	reader, err := index.archive.cache.Open(digest)
 	if err == nil {
 		return reader, nil

internal/cache/cache.go

@@ -132,7 +132,7 @@ func (c *Cache) Write(digest string, data []byte) error {
 	return err2
 }
 
-func (c *Cache) Open(digest string) (io.ReadCloser, error) {
+func (c *Cache) Open(digest string) (io.ReadSeekCloser, error) {
 	if c.Dir == "" || digest == "" {
 		return nil, MissErr
 	}

internal/deb/extract.go

@@ -62,7 +62,7 @@ func getValidOptions(options *ExtractOptions) (*ExtractOptions, error) {
 	return options, nil
 }
 
-func Extract(pkgReader io.Reader, options *ExtractOptions) (err error) {
+func Extract(pkgReader io.ReadSeeker, options *ExtractOptions) (err error) {
 	defer func() {
 		if err != nil {
 			err = fmt.Errorf("cannot extract from package %q: %w", options.Package, err)
@@ -83,43 +83,15 @@ func Extract(pkgReader io.Reader, options *ExtractOptions) (err error) {
 		return err
 	}
 
-	arReader := ar.NewReader(pkgReader)
-	var dataReader io.Reader
-	for dataReader == nil {
-		arHeader, err := arReader.Next()
-		if err == io.EOF {
-			return fmt.Errorf("no data payload")
-		}
-		if err != nil {
-			return err
-		}
-		switch arHeader.Name {
-		case "data.tar.gz":
-			gzipReader, err := gzip.NewReader(arReader)
-			if err != nil {
-				return err
-			}
-			defer gzipReader.Close()
-			dataReader = gzipReader
-		case "data.tar.xz":
-			xzReader, err := xz.NewReader(arReader)
-			if err != nil {
-				return err
-			}
-			dataReader = xzReader
-		case "data.tar.zst":
-			zstdReader, err := zstd.NewReader(arReader)
-			if err != nil {
-				return err
-			}
-			defer zstdReader.Close()
-			dataReader = zstdReader
-		}
-	}
-	return extractData(dataReader, validOpts)
+	return extractData(pkgReader, validOpts)
 }
 
-func extractData(dataReader io.Reader, options *ExtractOptions) error {
+func extractData(pkgReader io.ReadSeeker, options *ExtractOptions) error {
+	dataReader, err := getDataReader(pkgReader)
+	if err != nil {
+		return err
+	}
+	defer dataReader.Close()
 
 	oldUmask := syscall.Umask(0)
 	defer func() {
@@ -136,6 +108,15 @@ func extractData(dataReader io.Reader, options *ExtractOptions) error {
 		}
 	}
 
+	// Store the hard links that we cannot extract when we first iterate over
+	// the tarball.
+	//
+	// This happens because the tarball only stores the contents once in the
+	// first entry and the rest of them point to the first one. Therefore, we
+	// cannot tell whether we need to extract the content until after we get to
+	// a hard link. In this case, we need a second pass.
+	pendingHardLinks := make(map[string][]pendingHardLink)
+
 	// When creating a file we will iterate through its parent directories and
 	// create them with the permissions defined in the tarball.
 	//
@@ -153,12 +134,8 @@ func extractData(dataReader io.Reader, options *ExtractOptions) error {
 			return err
 		}
 
-		sourcePath := tarHeader.Name
-		if len(sourcePath) < 3 || sourcePath[0] != '.' || sourcePath[1] != '/' {
-			continue
-		}
-		sourcePath = sourcePath[1:]
-		if sourcePath == "" {
+		sourcePath, ok := sanitizeTarPath(tarHeader.Name)
+		if !ok {
 			continue
 		}
 
@@ -245,22 +222,64 @@ func extractData(dataReader io.Reader, options *ExtractOptions) error {
 					return err
 				}
 			}
+			link := tarHeader.Linkname
+			if tarHeader.Typeflag == tar.TypeLink {
+				// A hard link requires the real path of the target file.
+				// TODO This path must be sanitized to prevent a crafted
+				// tarball from referring to content outside the target
+				// directory. This issue also affects targetPath, but it's more
+				// relevant here as this is importing external content into the
+				// target directory. This is not a more serious issue because
+				// these tarballs are signed official packages, but must be
+				// fixed regardless.
+				link = filepath.Join(options.TargetDir, link)
+			}
+
 			// Create the entry itself.
 			createOptions := &fsutil.CreateOptions{
 				Path:         filepath.Join(options.TargetDir, targetPath),
 				Mode:         tarHeader.FileInfo().Mode(),
 				Data:         pathReader,
-				Link:         tarHeader.Linkname,
+				Link:         link,
 				MakeParents:  true,
 				OverrideMode: true,
 			}
 			err := options.Create(extractInfos, createOptions)
-			if err != nil {
+			if err != nil && os.IsNotExist(err) && tarHeader.Typeflag == tar.TypeLink {
+				// The hard link could not be created because the content
+				// was not extracted previously. Add this hard link entry
+				// to the pending list to extract later.
+				relLinkPath, ok := sanitizeTarPath(tarHeader.Linkname)
+				if !ok {
+					return fmt.Errorf("invalid link target %s", tarHeader.Linkname)
+				}
+				info := pendingHardLink{
+					path:         targetPath,
+					extractInfos: extractInfos,
+				}
+				pendingHardLinks[relLinkPath] = append(pendingHardLinks[relLinkPath], info)
+			} else if err != nil {
 				return err
 			}
 		}
 	}
 
+	if len(pendingHardLinks) > 0 {
+		// Go over the tarball again to textract the pending hard links.
+		extractHardLinkOptions := &extractHardLinkOptions{
+			ExtractOptions: options,
+			pendingLinks:   pendingHardLinks,
+		}
+		_, err := pkgReader.Seek(0, io.SeekStart)
+		if err != nil {
+			return err
+		}
+		err = extractHardLinks(pkgReader, extractHardLinkOptions)
+		if err != nil {
+			return err
+		}
+	}
+
 	if len(pendingPaths) > 0 {
 		pendingList := make([]string, 0, len(pendingPaths))
 		for pendingPath := range pendingPaths {
@@ -277,6 +296,128 @@ func extractData(dataReader io.Reader, options *ExtractOptions) error {
 	return nil
 }
 
+type pendingHardLink struct {
+	path         string
+	extractInfos []ExtractInfo
+}
+
+type extractHardLinkOptions struct {
+	*ExtractOptions
+	pendingLinks map[string][]pendingHardLink
+}
+
+// extractHardLinks iterates through the tarball a second time to extract the
+// hard links that were not extracted in the first pass.
+func extractHardLinks(pkgReader io.ReadSeeker, opts *extractHardLinkOptions) error {
+	dataReader, err := getDataReader(pkgReader)
+	if err != nil {
+		return err
+	}
+	defer dataReader.Close()
+
+	tarReader := tar.NewReader(dataReader)
+	for {
+		tarHeader, err := tarReader.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return err
+		}
+
+		sourcePath, ok := sanitizeTarPath(tarHeader.Name)
+		if !ok {
+			continue
+		}
+
+		links := opts.pendingLinks[sourcePath]
+		if len(links) == 0 {
+			continue
+		}
+
+		// For a target path, the first hard link will be created as a file with
+		// the content of the target path. If there are more pending hard links,
+		// the remaining ones will be created as hard links with the newly
+		// created file as their target.
+		absLink := filepath.Join(opts.TargetDir, links[0].path)
+		// Extract the content to the first hard link path.
+		createOptions := &fsutil.CreateOptions{
+			Path: absLink,
+			Mode: tarHeader.FileInfo().Mode(),
+			Data: tarReader,
+		}
+		err = opts.Create(links[0].extractInfos, createOptions)
+		if err != nil {
+			return err
+		}
+
+		// Create the remaining hard links.
+		for _, link := range links[1:] {
+			createOptions := &fsutil.CreateOptions{
+				Path: filepath.Join(opts.TargetDir, link.path),
+				Mode: tarHeader.FileInfo().Mode(),
+				// Link to the first file extracted for the hard links.
+				Link: absLink,
+			}
+			err := opts.Create(link.extractInfos, createOptions)
+			if err != nil {
+				return err
+			}
+		}
+		delete(opts.pendingLinks, sourcePath)
+	}
+
+	// If there are pending links, that means the link targets do not come from
+	// this package.
+	if len(opts.pendingLinks) > 0 {
+		var targets []string
+		for target, _ := range opts.pendingLinks {
+			targets = append(targets, target)
+		}
+		sort.Strings(targets)
+		link := opts.pendingLinks[targets[0]][0]
+		return fmt.Errorf("cannot create hard link %s: no content at %s", link.path, targets[0])
+	}
+
+	return nil
+}
+
+func getDataReader(pkgReader io.ReadSeeker) (io.ReadCloser, error) {
+	arReader := ar.NewReader(pkgReader)
+	var dataReader io.ReadCloser
+	for dataReader == nil {
+		arHeader, err := arReader.Next()
+		if err == io.EOF {
+			return nil, fmt.Errorf("no data payload")
+		}
+		if err != nil {
+			return nil, err
+		}
+		switch arHeader.Name {
+		case "data.tar.gz":
+			gzipReader, err := gzip.NewReader(arReader)
+			if err != nil {
+				return nil, err
+			}
+			dataReader = gzipReader
+		case "data.tar.xz":
+			xzReader, err := xz.NewReader(arReader)
+			if err != nil {
+				return nil, err
+			}
+			dataReader = io.NopCloser(xzReader)
+		case "data.tar.zst":
+			zstdReader, err := zstd.NewReader(arReader)
+			if err != nil {
+				return nil, err
+			}
+			dataReader = zstdReader.IOReadCloser()
+		}
+	}
+
+	return dataReader, nil
+}
+
 func parentDirs(path string) []string {
 	path = filepath.Clean(path)
 	parents := make([]string, strings.Count(path, "/"))
@@ -289,3 +430,12 @@ func parentDirs(path string) []string {
 	}
 	return parents
 }
+
+// sanitizeTarPath removes the leading "./" from the source path in the tarball,
+// and verifies that the path is not empty.
+func sanitizeTarPath(path string) (string, bool) {
+	if len(path) < 3 || path[0] != '.' || path[1] != '/' {
+		return "", false
+	}
+	return path[1:], true
+}