security scan reported Join and relpath path traversal in latest cloud-init code
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| cloud-init | Invalid | Undecided | Unassigned | |
Bug Description
There are many occurrences where a security scan reported join and relpath path traversal in the latest cloud-init code.
It could be a potential threat, as an attacker might be able to read/write/modify a file/directory.
There are over 350 occurrences and I am adding a few of the occurrences.
1. cloudinit\
os.path.
2. cloudinit\
os.path.
3. cloudinit\
os.path.
4. cloudinit\util.py at line 1910
os.path.join(tmpd, basename)
5. cloudinit\
os.path.
Here is the link where it is mentioned how an attacker can access files and inject malicious code if not used properly.
https:/
Changed in cloud-init:
- status: New → Invalid
- information type: Private Security → Public
Thanks for taking the time to help make cloud-init more secure.
Based on our analysis (see below) of the issue we do not
believe this is a security issue. We will mark this bug as public.
If you have any further questions or clarification feel free to follow up here.
--
The security issue is concerned with users providing a component of a path to a file or resource.
1) cloudinit\cmd\devel\logs.py
In this case, the path construction is a temp dir in /tmp and a date-formatted directory in the form of 'cloud-init-logs-<date>', and the user does not have direct control over this path construction.
2) cloudinit\cmd\main.py:649
The path construction here is a relpath symlink created in /run/cloud-init to point to the status json file, /var/lib/cloud/data/status.json. Both the /run/cloud-init and the path to the status.json are hard-coded values which the user does not control via the command line.
3) cloudinit\cmd\main.py:683
This is the same as (2) but uses a different basename, 'result.json'.
4) cloudinit/util.py: subp_blob_in_tempfile()
This function accepts a keyword argument, 'basename', which is prefixed to a temporary filename created in /run/cloud-init/tmp/ used to run scripts on behalf of the user who provided the configuration to the cloud-init chef module. The user can control the constructed path by specifying relative values. In this case, this use would allow local users to write to arbitrary paths, though it would be restricted by permissions of the invoking user.
5) cloudinit/net/eni.py:_parse_deb_config_data()
This function constructs paths to additional include files that are read and parsed for valid /etc/network/interfaces network config. Users could specify sensitive paths other than expected but would be restricted to reading files they are allowed to read already.