PathTraversal vulnerabilities in container test code fixed 9.3.3 (#593)

* PathTraversal vulnerabilities in container test code fixed

* corrected the package

* changed copyright version

* removed indice

* added logs to test

* removed indicing

Author: Pradip Routa

test/container/containerengine/containerengine.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2023
+© Copyright IBM Corporation 2017, 2024
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -25,6 +25,8 @@ import (
 	"strconv"
 	"strings"
 	"time"
+
+	"github.com/ibm-messaging/mq-container/test/container/pathutils"
 )
 
 type ContainerInterface interface {
@@ -303,13 +305,13 @@ func (cli ContainerClient) CopyFromContainer(container, srcPath string) ([]byte,
 	}
 	//Get file name
 	fname := filepath.Base(srcPath)
-	data, err := os.ReadFile(filepath.Join(tmpDir, fname))
+	data, err := os.ReadFile(pathutils.CleanPath(tmpDir, fname))
 	if err != nil {
 		return nil, err
 	}
 
 	//Remove the file
-	err = os.Remove(filepath.Join(tmpDir, fname))
+	err = os.Remove(pathutils.CleanPath(tmpDir, fname))
 	if err != nil {
 		return nil, err
 	}

test/container/devconfig_test_util.go

@@ -2,7 +2,7 @@
 // +build mqdev
 
 /*
-© Copyright IBM Corporation 2018, 2023
+© Copyright IBM Corporation 2018, 2024
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -36,6 +36,7 @@ import (
 	"time"
 
 	ce "github.com/ibm-messaging/mq-container/test/container/containerengine"
+	"github.com/ibm-messaging/mq-container/test/container/pathutils"
 )
 
 const defaultAdminPassword string = "passw0rd"
@@ -82,15 +83,15 @@ func waitForWebReady(t *testing.T, cli ce.ContainerInterface, ID string, tlsConf
 
 // tlsDir returns the host directory where the test certificate(s) are located
 func tlsDir(t *testing.T, unixPath bool) string {
-	return filepath.Join(getCwd(t, unixPath), "../tls")
+	return pathutils.CleanPath(filepath.Dir(getCwd(t, unixPath)), "tls")
 }
 
 func tlsDirWithCA(t *testing.T, unixPath bool) string {
-	return filepath.Join(getCwd(t, unixPath), "../tlscacert")
+	return pathutils.CleanPath(filepath.Dir(getCwd(t, unixPath)), "tlscacert")
 }
 
 func tlsDirInvalid(t *testing.T, unixPath bool) string {
-	return filepath.Join(getCwd(t, unixPath), "../tlsinvalidcert")
+	return pathutils.CleanPath(filepath.Dir(getCwd(t, unixPath)), "tlsinvalidcert")
 }
 
 // runJMSTests runs a container with a JMS client, which connects to the queue manager container with the specified ID

test/container/docker_api_test_util.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2017, 2023
+© Copyright IBM Corporation 2017, 2024
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -34,6 +34,7 @@ import (
 	"time"
 
 	ce "github.com/ibm-messaging/mq-container/test/container/containerengine"
+	"github.com/ibm-messaging/mq-container/test/container/pathutils"
 )
 
 func imageName() string {
@@ -129,7 +130,7 @@ func coverage() bool {
 
 // coverageDir returns the host directory to use for code coverage data
 func coverageDir(t *testing.T, unixStylePath bool) string {
-	return filepath.Join(getCwd(t, unixStylePath), "coverage")
+	return pathutils.CleanPath(getCwd(t, unixStylePath), "coverage")
 }
 
 // coverageBind returns a string to use to add a bind-mounted directory for code coverage data
@@ -213,7 +214,7 @@ func cleanContainer(t *testing.T, cli ce.ContainerInterface, ID string) {
 	t.Log("Container stopped")
 
 	// If a code coverage file has been generated, then rename it to match the test name
-	os.Rename(filepath.Join(coverageDir(t, true), "container.cov"), filepath.Join(coverageDir(t, true), t.Name()+".cov"))
+	os.Rename(pathutils.CleanPath(coverageDir(t, true), "container.cov"), pathutils.CleanPath(coverageDir(t, true), t.Name()+".cov"))
 	// Log the container output for any container we're about to delete
 	t.Logf("Console log from container %v:\n%v", ID, inspectTextLogs(t, cli, ID))
 
@@ -497,7 +498,7 @@ func getExitCodeFilename(t *testing.T) string {
 }
 
 func getCoverageExitCode(t *testing.T, orig int64) int64 {
-	f := filepath.Join(coverageDir(t, true), getExitCodeFilename(t))
+	f := pathutils.CleanPath(coverageDir(t, true), getExitCodeFilename(t))
 	_, err := os.Stat(f)
 	if err != nil {
 		t.Log(err)
@@ -689,7 +690,7 @@ func createImage(t *testing.T, cli ce.ContainerInterface, files []struct{ Name,
 	//Write files to temp directory
 	for _, file := range files {
 		//Add tag to file name to allow parallel testing
-		f, err := os.Create(filepath.Join(tmpDir, file.Name))
+		f, err := os.Create(pathutils.CleanPath(tmpDir, file.Name))
 		if err != nil {
 			t.Fatal(err)
 		}
@@ -701,7 +702,7 @@ func createImage(t *testing.T, cli ce.ContainerInterface, files []struct{ Name,
 			t.Fatal(err)
 		}
 	}
-	_, err = cli.ImageBuild(r, tag, filepath.Join(tmpDir, files[0].Name))
+	_, err = cli.ImageBuild(r, tag, pathutils.CleanPath(tmpDir, files[0].Name))
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -866,5 +867,5 @@ func waitForMessageCountInLog(t *testing.T, cli ce.ContainerInterface, id string
 
 // Returns fully qualified path
 func tlsDirDN(t *testing.T, unixPath bool, certPath string) string {
-	return filepath.Join(getCwd(t, unixPath), certPath)
+	return pathutils.CleanPath(filepath.Dir(getCwd(t, unixPath)), certPath)
 }

test/container/mq_native_ha_test_util.go

@@ -1,5 +1,5 @@
 /*
-© Copyright IBM Corporation 2021, 2023
+© Copyright IBM Corporation 2021, 2024
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -24,6 +24,7 @@ import (
 	"time"
 
 	ce "github.com/ibm-messaging/mq-container/test/container/containerengine"
+	"github.com/ibm-messaging/mq-container/test/container/pathutils"
 )
 
 const defaultHAPort = 9414
@@ -59,7 +60,7 @@ func getNativeHASecureHostConfig(t *testing.T) ce.ContainerHostConfig {
 	return ce.ContainerHostConfig{
 		Binds: []string{
 			coverageBind(t),
-			filepath.Join(getCwd(t, true), "../tls") + ":/etc/mqm/ha/pki/keys/ha",
+			pathutils.CleanPath(filepath.Dir(getCwd(t, true)), "tls") + ":/etc/mqm/ha/pki/keys/ha",
 		},
 	}
 }

test/container/pathutils/path_clean.go

@@ -0,0 +1,39 @@
+/*
+© Copyright IBM Corporation 2024
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package pathutils contains code to provide sanitised file paths
+package pathutils
+
+import (
+	"path"
+	"path/filepath"
+)
+
+// CleanPath returns the result of joining a series of sanitised file paths (preventing directory traversal for each path)
+// If the first path is relative, a relative path is returned
+func CleanPath(paths ...string) string {
+	if len(paths) == 0 {
+		return ""
+	}
+	var combined string
+	if !path.IsAbs(paths[0]) {
+		combined = "./"
+	}
+	for _, part := range paths {
+		combined = filepath.Join(combined, filepath.FromSlash(path.Clean("/"+part)))
+	}
+	return combined
+}