SECVULN-24969 - resolve improper validation CVE-2025-22868 #541
Conversation
| @@ -91,8 +90,7 @@ jobs: | |||
| strategy: | |||
| matrix: | |||
| go-version: | |||
| - 1.18 | |||
| - 1.19 | |||
| - 1.23 | |||
There was a problem hiding this comment.
I see that the workflow now only tests on Go 1.23, and support for Go 1.18/1.19 was removed. This effectively drops CI coverage for older Go versions.
Is this intentional?
There was a problem hiding this comment.
Yes, this change is intentional. The required Go version has been updated to 1.23 in go.mod due to the upgrade of the oauth dependency to version 0.27.0. As a result, it's necessary to align the CI and builds with Go 1.23 or later. We can certainly add Go 1.24 to the matrix for testing as well. However, support for older versions like 1.18 and 1.19 is no longer viable, as they fail linting and other checks.
There was a problem hiding this comment.
Thanks for clarification
There was a problem hiding this comment.
Similar comment as https://github.com/hashicorp/go-getter/pull/541/files#r2294091217, we should rely on the stable versions of go which are 1.24 and 1.25.
| } | ||
|
|
||
| if fi.Mode()&os.ModeSymlink != 0 || fi.Mode()&os.ModeIrregular != 0 { | ||
| return path, nil |
There was a problem hiding this comment.
Just adding a note here for visibility - maybe someone with more context can clarify, but here are my observations:
- If the file is a symlink -->
return path, nil(pretending it’s fine). - If the file is irregular (which on Windows usually means a junction / reparse point) → return path, nil.
- If it’s a normal file/dir → also return path, nil.
In all cases, if EvalSymlinks failed, the function just hands back the original path with nil error.
This feels risky to me - it might be safer to fail or add stricter checks instead of treating all these cases as safe
| @@ -12,8 +12,7 @@ jobs: | |||
| strategy: | |||
| matrix: | |||
| go-version: | |||
| - 1.18 | |||
| - 1.19 | |||
| - 1.23 | |||
There was a problem hiding this comment.
could we maybe bump up to 1.25 already since that's the latest version available?
There was a problem hiding this comment.
This is a matrix, so we want the currently supported versions: 1.24 and 1.25.
There was a problem hiding this comment.
Yep, the stable versions of go are 1.24.X and 1.25.X https://go.dev/dl/ meaning that 1.23.X won't get updates. We should fix this.
| @@ -16,6 +17,26 @@ func mode(mode, umask os.FileMode) os.FileMode { | |||
| return mode & ^umask | |||
| } | |||
|
|
|||
| func safeEvalSymlinks(path string) (string, error) { | |||
There was a problem hiding this comment.
There's nothing in the PR description that explains why we're doing this, just a vague reference to stdlib libraries. It doesn't appear to be at all related to CVE-2025-22868 which is an oauth library bug. We shouldn't be pushing in unrelated work into a security PR; if there's another CVE to cover that should be its own PR.
There was a problem hiding this comment.
Hi Tim, the version upgrade was required as minimum supported version for oauth 0.27.0 (patched version) is go version 1.23
| @@ -12,8 +12,7 @@ jobs: | |||
| strategy: | |||
| matrix: | |||
| go-version: | |||
| - 1.18 | |||
| - 1.19 | |||
| - 1.23 | |||
There was a problem hiding this comment.
This is a matrix, so we want the currently supported versions: 1.24 and 1.25.
There was a problem hiding this comment.
@ritikrajdev Appreciate the work here! While this looks good to me I have a little concern around how windows junctions are being handled. I have made a small comment about that and looped in @james-warren0 from Sec Team to have a look as well.
Thanks!
| fi, statErr := os.Lstat(path) | ||
| if statErr != nil { | ||
| return "", err // fallback to original error | ||
| } |
There was a problem hiding this comment.
off the top of my head - should the 2 errors be joined errors.Join(error...)? or at least be logged? In the interest of not losing any errors.
| @@ -16,6 +17,26 @@ func mode(mode, umask os.FileMode) os.FileMode { | |||
| return mode & ^umask | |||
| } | |||
|
|
|||
| func safeEvalSymlinks(path string) (string, error) { | |||
There was a problem hiding this comment.
The way I understand this is:
- Resolve symlinks to the actual path
- Keep others, including windows junctions as is. i.e. junctions won't be resolved.
If my understanding is right, won't this introduce a new SECVULN?
The whole point of resolving symlinks and junctions is to prevent a lower-privileged user from creating a symlink/junction to a privileged item and then have a field day with it from a security POV. The fact that we use this in Terraform and Nomad makes me more worried.
Adding @james-warren0 as well so that he can share his views on this.
There was a problem hiding this comment.
@dduzgun-security has spent a lot of time with Nomad and go-getter tracking down this kind of problem so he might have more thoughts. He'll probably suggest that we look at using os.Root here to avoid TOCTOU issues too.
There was a problem hiding this comment.
I agree. I think os.Root is the correct way to address this issue and not miss edge cases. os.Root was introduced in go 1.24, so we would need to bump one more version to utilize it.
There was a problem hiding this comment.
Yes, we definitely should be cautious here. I would strongly recommend working on the bump (without the code changes on how we deal with symlinks) and having another work item / task to explore migrating to os.Root.
| @@ -84,12 +84,13 @@ func init() { | |||
| // src is a URL, whereas dst is always just a file path to a folder. This | |||
| // folder doesn't need to exist. It will be created if it doesn't exist. | |||
| func Get(dst, src string, opts ...ClientOption) error { | |||
| return (&Client{ | |||
| result := (&Client{ | |||
There was a problem hiding this comment.
Is this really required, can we revert back to the good olden code?
There was a problem hiding this comment.
Thanks for the PR. This library has been the cause of few incidents in the past and we need to be cautious about the changes.
I think the OAuth change/bump is great but we should tackle the changes to how we deal with symlinks in another PR and prioritize the usage of os.Root which handles all scenarios (Windows, Linux) with less code maintenance for us.
| @@ -91,8 +90,7 @@ jobs: | |||
| strategy: | |||
| matrix: | |||
| go-version: | |||
| - 1.18 | |||
| - 1.19 | |||
| - 1.23 | |||
There was a problem hiding this comment.
Similar comment as https://github.com/hashicorp/go-getter/pull/541/files#r2294091217, we should rely on the stable versions of go which are 1.24 and 1.25.
| @@ -22,7 +22,7 @@ jobs: | |||
| - name: Setup go | |||
| uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |||
| with: | |||
| go-version: '^1.15' | |||
| go-version: '^1.23' | |||
There was a problem hiding this comment.
Similar comment as https://github.com/hashicorp/go-getter/pull/541/files#r2294091217, we should rely on the stable versions of go which are 1.24 and 1.25.
|
After going through all the comments in details, there are just a few concerns I'd like to share :-
Action items :-
Let me know if this sounds good @dduzgun-security @tgross @james-warren0 @kkavish ! |
Task
refer to - https://pkg.go.dev/os@master, https://pkg.go.dev/path/filepath@master
NOTE: Update in go version in ci and go.mod as well.
PCI review checklist
I have documented a clear reason for, and description of, the change I am making.
If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
Only way is to revert the pr. Should be merged by squashing for easier revert.
If applicable, I've documented the impact of any changes to security controls.
Can impact windows user a bit.
Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.