restrict vfs access to home path (#9312)

soninaren · web-flow · commit 4efdcb3bbc18 · 2023-06-06T16:12:38.000-07:00
* restrict vfs access to home path

* Adding test, code clean up
diff --git a/src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs b/src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs
@@ -61,6 +61,11 @@ public virtual Task<HttpResponseMessage> GetItem(HttpRequest request)
         {
             string localFilePath = GetLocalFilePath(request);
 
+            if (!PathAccessAllowed(localFilePath))
+            {
+                return Task.FromResult(CreateResponse(HttpStatusCode.Forbidden));
+            }
+
             if (VfsSpecialFolders.TryHandleRequest(request, localFilePath, out HttpResponseMessage response))
             {
                 return Task.FromResult(response);
@@ -111,6 +116,11 @@ public virtual Task<HttpResponseMessage> PutItem(HttpRequest request)
         {
             var localFilePath = GetLocalFilePath(request);
 
+            if (!PathAccessAllowed(localFilePath))
+            {
+                return Task.FromResult(CreateResponse(HttpStatusCode.Forbidden));
+            }
+
             if (VfsSpecialFolders.TryHandleRequest(request, localFilePath, out HttpResponseMessage response))
             {
                 return Task.FromResult(response);
@@ -140,6 +150,11 @@ public virtual Task<HttpResponseMessage> DeleteItem(HttpRequest request, bool re
         {
             string localFilePath = GetLocalFilePath(request);
 
+            if (!PathAccessAllowed(localFilePath))
+            {
+                return Task.FromResult(CreateResponse(HttpStatusCode.Forbidden));
+            }
+
             if (VfsSpecialFolders.TryHandleRequest(request, localFilePath, out HttpResponseMessage response))
             {
                 return Task.FromResult(response);
@@ -633,5 +648,12 @@ protected HttpResponseMessage CreateResponse(HttpStatusCode statusCode, object p
             }
             return response;
         }
+
+        private bool PathAccessAllowed(string path)
+        {
+            var home = ScriptSettingsManager.Instance.GetSetting(EnvironmentSettingNames.AzureWebsiteHomePath);
+            var sitePath = !string.IsNullOrEmpty(home) ? Path.Combine(Path.GetFullPath(home), "site", "wwwroot") : _options.CurrentValue.ScriptPath;
+            return path.StartsWith(sitePath, StringComparison.OrdinalIgnoreCase);
+        }
     }
 }
diff --git a/test/WebJobs.Script.Tests.Integration/WebHostEndToEnd/EndToEndTestFixture.cs b/test/WebJobs.Script.Tests.Integration/WebHostEndToEnd/EndToEndTestFixture.cs
@@ -83,6 +83,8 @@ protected EndToEndTestFixture(string rootPath, string testId,
 
         public string MasterKey { get; private set; }
 
+        public string RootScriptPath { get; private set; }
+
         protected virtual ExtensionPackageReference[] GetExtensionsToInstall()
         {
             return null;
@@ -173,6 +175,7 @@ string GetDestPath(int counter)
             }
 
             MasterKey = await Host.GetMasterKeyAsync();
+            RootScriptPath = _copiedRootPath;
         }
 
         public virtual void ConfigureScriptHost(IWebJobsBuilder webJobsBuilder)
diff --git a/test/WebJobs.Script.Tests.Integration/WebHostEndToEnd/SamplesEndToEndTests_CSharp.cs b/test/WebJobs.Script.Tests.Integration/WebHostEndToEnd/SamplesEndToEndTests_CSharp.cs
@@ -218,6 +218,32 @@ public async Task AdminIsolation_ReturnsExpectedStatus(string uri, bool isAppSer
             }
         }
 
+
+
+        [Theory]
+        [InlineData("admin/vfs/site/wwwroot/host.json", HttpStatusCode.OK)]
+        [InlineData("admin/vfs/host.json", HttpStatusCode.Forbidden)]
+        public async Task AccessPathOutsideHome_ReturnsExpectedStatus(string uri, HttpStatusCode expectedStatus)
+        {
+            HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, uri);
+            await this._fixture.AddMasterKey(request);
+
+            string nowString = DateTime.UtcNow.ToString("yyMMdd-HHmmss");
+            string home = Path.Combine(Path.GetTempPath(), nowString, "home");
+            string wwwroot = Path.Combine(home, "site", "wwwroot");
+            FileUtility.CopyDirectory(this._fixture.RootScriptPath, wwwroot);
+
+            using var envVars = new TestScopedEnvironmentVariable(EnvironmentSettingNames.AzureWebsiteHomePath, home);
+            {
+                using (var httpClient = _fixture.Host.CreateHttpClient())
+                {
+                    HttpResponseMessage response = await httpClient.SendAsync(request);
+                    Assert.Equal(expectedStatus, response.StatusCode);
+                }
+
+            }
+        }
+
         [Theory]
         [InlineData("GET")]
         [InlineData("POST")]

Original file line number	Diff line number	Diff line change
`@@ -61,6 +61,11 @@ public virtual Task<HttpResponseMessage> GetItem(HttpRequest request)`
`61`	`61`	`{`
`62`	`62`	`string localFilePath = GetLocalFilePath(request);`
`63`	`63`
	`64`	`+ if (!PathAccessAllowed(localFilePath))`
	`65`	`+ {`
	`66`	`+ return Task.FromResult(CreateResponse(HttpStatusCode.Forbidden));`
	`67`	`+ }`
	`68`	`+`
`64`	`69`	`if (VfsSpecialFolders.TryHandleRequest(request, localFilePath, out HttpResponseMessage response))`
`65`	`70`	`{`
`66`	`71`	`return Task.FromResult(response);`
`@@ -111,6 +116,11 @@ public virtual Task<HttpResponseMessage> PutItem(HttpRequest request)`
`111`	`116`	`{`
`112`	`117`	`var localFilePath = GetLocalFilePath(request);`
`113`	`118`
	`119`	`+ if (!PathAccessAllowed(localFilePath))`
	`120`	`+ {`
	`121`	`+ return Task.FromResult(CreateResponse(HttpStatusCode.Forbidden));`
	`122`	`+ }`
	`123`	`+`
`114`	`124`	`if (VfsSpecialFolders.TryHandleRequest(request, localFilePath, out HttpResponseMessage response))`
`115`	`125`	`{`
`116`	`126`	`return Task.FromResult(response);`
`@@ -140,6 +150,11 @@ public virtual Task<HttpResponseMessage> DeleteItem(HttpRequest request, bool re`
`140`	`150`	`{`
`141`	`151`	`string localFilePath = GetLocalFilePath(request);`
`142`	`152`
	`153`	`+ if (!PathAccessAllowed(localFilePath))`
	`154`	`+ {`
	`155`	`+ return Task.FromResult(CreateResponse(HttpStatusCode.Forbidden));`
	`156`	`+ }`
	`157`	`+`
`143`	`158`	`if (VfsSpecialFolders.TryHandleRequest(request, localFilePath, out HttpResponseMessage response))`
`144`	`159`	`{`
`145`	`160`	`return Task.FromResult(response);`
`@@ -633,5 +648,12 @@ protected HttpResponseMessage CreateResponse(HttpStatusCode statusCode, object p`
`633`	`648`	`}`
`634`	`649`	`return response;`
`635`	`650`	`}`
	`651`	`+`
	`652`	`+ private bool PathAccessAllowed(string path)`
	`653`	`+ {`
	`654`	`+ var home = ScriptSettingsManager.Instance.GetSetting(EnvironmentSettingNames.AzureWebsiteHomePath);`
	`655`	`+ var sitePath = !string.IsNullOrEmpty(home) ? Path.Combine(Path.GetFullPath(home), "site", "wwwroot") : _options.CurrentValue.ScriptPath;`
	`656`	`+ return path.StartsWith(sitePath, StringComparison.OrdinalIgnoreCase);`
	`657`	`+ }`
`636`	`658`	`}`
`637`	`659`	`}`
Original file line number	Diff line number	Diff line change
`@@ -83,6 +83,8 @@ protected EndToEndTestFixture(string rootPath, string testId,`
`83`	`83`
`84`	`84`	`public string MasterKey { get; private set; }`
`85`	`85`
	`86`	`+ public string RootScriptPath { get; private set; }`
	`87`	`+`
`86`	`88`	`protected virtual ExtensionPackageReference[] GetExtensionsToInstall()`
`87`	`89`	`{`
`88`	`90`	`return null;`
`@@ -173,6 +175,7 @@ string GetDestPath(int counter)`
`173`	`175`	`}`
`174`	`176`
`175`	`177`	`MasterKey = await Host.GetMasterKeyAsync();`
	`178`	`+ RootScriptPath = _copiedRootPath;`
`176`	`179`	`}`
`177`	`180`
`178`	`181`	`public virtual void ConfigureScriptHost(IWebJobsBuilder webJobsBuilder)`