Fixed possible security issue in TransferManager’s DownloadToDirectory operation where files could be downloaded to directories outside of the destination directory if the key contained specially-crafted relative paths.

SergeyRyabinin · SergeyRyabinin · commit 9742c23bae2c · 2022-07-14T10:44:57.000-07:00
diff --git a/aws-cpp-sdk-transfer-tests/TransferTests.cpp b/aws-cpp-sdk-transfer-tests/TransferTests.cpp
@@ -1980,4 +1980,81 @@ TEST_F(TransferTests, TransferManager_TemplatesTest)
                        "text/plain",
                        Aws::Map<Aws::String, Aws::String>());
 }
+
+class TestHelperTransferManager : public Aws::Transfer::TransferManager
+{
+public:
+    static bool MakePublicIsWithinParentDirectory(Aws::String parentDirectory, Aws::String filePath)
+    {
+        return Aws::Transfer::TransferManager::IsWithinParentDirectory(parentDirectory, filePath);
+    }
+
+    struct TestCaseEntry
+    {
+        Aws::String parentDir;
+        Aws::String filePath;
+
+        bool expectedIsWithinParentDirectory;
+    };
+};
+
+TEST_F(TransferTests, TransferManager_TestRelativePrefix)
+{
+
+    static const std::vector<TestHelperTransferManager::TestCaseEntry> TEST_CASES =
+            {
+                {R"(C:/temp/)", R"(C:/temp/filename.bmp)", true},
+                {R"(C:/temp)", R"(C:/temp/filename.bmp)", true},
+                {R"(C:/temp/)", R"(C:/temp/../temp-1/filename.bmp)", false},
+                {R"(C:/temp/)", R"(C:/temp/temp/filename..bmp)", true},
+                {R"(C:/temp/)", R"(C:/temp/temp/filename/..bmp)", true},
+                {R"(C:/temp/)", R"(C:/temp/temp/filename/../bmp)", true},
+                {R"(C:/temp/)", R"(C:/temp/../temp-1/filename..bmp)", false},
+                {R"(C:/temp/)", R"(C:/temp/../temp/temp-1/filename..bmp)", false},
+                {R"(C:/)", R"(C:/..../foo.txt)", true},
+                {R"(C:/)", R"(C:/./foo.txt)", true},
+                {R"(C:/)", R"(C:/.../foo.txt)", true},
+                {R"(C:/)", R"(C:/.../../foo.txt)", true},
+                {R"(C:/)", R"(C:/.../.../../../foo.txt)", true},
+                {R"(C:/)", R"(C:/...////./foo.txt)", true},
+
+                {R"(/home/user/my-intended-directory)", R"(/home/user/my-intended-directory/foo.txt)", true},
+                {R"(/home/user/my-intended-directory/)", R"(/home/user/my-intended-directory/foo.txt)", true},
+                {R"(/home/user/my-intended-directory/)", R"(/home/user/my-intended-directory//////foo.txt)", true},
+                {R"(/home/user/)", R"(/home/user/down/../down/../down/../foo.txt)", true},
+                {R"(/home/user/my-intended-directory)", R"(/home/user/my-intended-directory/../my-intended-directory-2/foo.txt)", false},
+                {R"(/home/user/)", R"(/home/user/../../root/foo.txt)", false},
+                {R"(/home/user)", R"(/home/user/../../root/foo.txt)", false},
+
+                {R"(/home/user/)", R"(/home/user/.. )", true},
+                {R"(/home/user/)", R"(/home/user/ .. )", true},
+                {R"(/home/user/)", R"(/home/user/ ..)", true},
+                {R"(/home/user/)", R"(/home/user/./foo)", true},
+                {R"(/home/user)", R"(/home/user/./foo)", true},
+                {R"(/home/user/)", R"(/home/user/./././././foo)", true},
+                {R"(/home/user/)", R"(/home/user/./././.././foo)", false},
+
+                {R"(./)", R"(./foo)", true},
+                {R"(./)", R"(./..foo)", true},
+                {R"(./)", R"(./../foo)", false},
+                {R"(./)", R"(./.../foo)", true},
+                {R"(./)", R"(./.../../foo)", true},
+                {R"(./)", R"(.//.../../foo)", true},
+            };
+
+    for(const TestHelperTransferManager::TestCaseEntry& TC_ENTRY : TEST_CASES)
+    {
+        char delimiter[] = { Aws::FileSystem::PATH_DELIM, 0 };
+        Aws::String osNormalizedParentDir = TC_ENTRY.parentDir;
+        Aws::Utils::StringUtils::Replace(osNormalizedParentDir, "/", delimiter);
+        Aws::String osNormalizedFilePath = TC_ENTRY.filePath;
+        Aws::Utils::StringUtils::Replace(osNormalizedFilePath, "/", delimiter);
+
+        bool actualResult = TestHelperTransferManager::MakePublicIsWithinParentDirectory(osNormalizedParentDir, osNormalizedFilePath);
+
+        ASSERT_EQ(TC_ENTRY.expectedIsWithinParentDirectory, actualResult)
+            << (TC_ENTRY.expectedIsWithinParentDirectory ? "EXPECTED \"" : "NOT EXPECTED \"") << osNormalizedFilePath << "\" to be found in \"" << osNormalizedParentDir << "\"";
+    }
+}
+
 }
diff --git a/aws-cpp-sdk-transfer/include/aws/transfer/TransferManager.h b/aws-cpp-sdk-transfer/include/aws/transfer/TransferManager.h
@@ -309,6 +309,9 @@ namespace Aws
 
             Aws::Utils::ExclusiveOwnershipResourceManager<unsigned char*> m_bufferManager;
             TransferManagerConfiguration m_transferConfig;
+
+        protected:
+            static bool IsWithinParentDirectory(Aws::String parentDirectory, Aws::String filePath);
         };
 
         
diff --git a/aws-cpp-sdk-transfer/source/transfer/TransferManager.cpp b/aws-cpp-sdk-transfer/source/transfer/TransferManager.cpp
@@ -1053,6 +1053,12 @@ namespace Aws
                     if (!IsS3KeyPrefix(content.GetKey()))
                     {
                         Aws::String fileName = DetermineFilePath(downloadContext->rootDirectory, downloadContext->prefix, content.GetKey());
+                        if(!IsWithinParentDirectory(downloadContext->rootDirectory, fileName))
+                        {
+                            AWS_LOGSTREAM_ERROR(CLASS_TAG, "SKIPPING PREFIX: S3 bucket contains relative prefix: "
+                                << downloadContext->prefix <<" that goes outside local target directory: " << directory);
+                            continue;
+                        }
                         auto lastDelimter = fileName.find_last_of(Aws::FileSystem::PATH_DELIM);
                         if (lastDelimter != std::string::npos)
                         {
@@ -1077,6 +1083,53 @@ namespace Aws
             }
         }
 
+        bool TransferManager::IsWithinParentDirectory(Aws::String parentDirectory, Aws::String filePath)
+        {
+            char delimiter[] = { Aws::FileSystem::PATH_DELIM, 0 };
+            // normalize to unix ending style
+            Aws::Utils::StringUtils::Replace(parentDirectory, delimiter, "/");
+            Aws::Utils::StringUtils::Replace(filePath, delimiter, "/");
+
+            if(!parentDirectory.empty() && parentDirectory.back() == '/')
+            {
+                parentDirectory.resize(parentDirectory.size() - 1);
+            }
+
+            if (filePath.rfind(parentDirectory, 0) == 0) // if starts_with
+            {
+                filePath = filePath.substr(parentDirectory.size());
+            }
+            else
+            {
+                return false;
+            }
+
+            size_t level = 0;
+            for(size_t i = 0; i < filePath.size(); ++i)
+            {
+                if('/' == filePath[i])
+                {
+                    if(i + 2 < filePath.size() && '.' == filePath[i+1] && '/' == filePath[i+2]) // if "/./"
+                    {
+                        continue;
+                    }
+
+                    if(i + 2 < filePath.size() && '.' == filePath[i+1] && '.' == filePath[i+2]) // if "/.."
+                    {
+                        if(i + 3 == filePath.size() || (i + 3 < filePath.size() && '/' == filePath[i+3])) // if "/.." or "/../"
+                        {
+                            if(0 == level) {
+                                return false; // attempting to escape parent
+                            }
+                            level--;
+                        }
+                    }
+                    level++;
+                }
+            }
+            return true;
+        }
+
         Aws::String TransferManager::DetermineFilePath(const Aws::String& directory, const Aws::String& prefix, const Aws::String& keyName)
         {
             Aws::String shortenedFileName = keyName;
@@ -1088,11 +1141,20 @@ namespace Aws
             }
 
             char delimiter[] = { Aws::FileSystem::PATH_DELIM, 0 };
-            Aws::Utils::StringUtils::Replace(shortenedFileName, "/", delimiter);
-            Aws::StringStream ss;
-            ss << directory << shortenedFileName;
+            Aws::Utils::StringUtils::Replace(shortenedFileName, delimiter, "/");
+
+            Aws::String normalizedDirectory = directory;
+            Aws::Utils::StringUtils::Replace(normalizedDirectory, delimiter, "/");
 
-            return ss.str();
+            Aws::StringStream ss;
+            ss << normalizedDirectory;
+            if (!normalizedDirectory.empty() && normalizedDirectory.back() != '/')
+                ss << '/';
+            ss << shortenedFileName;
+
+            Aws::String result = ss.str();
+            Aws::Utils::StringUtils::Replace(result, "/", delimiter);
+            return result;
         }
 
         TransferStatus TransferManager::DetermineIfFailedOrCanceled(const TransferHandle& handle) const
