file-server: refactor fs sandbox module

williamstein · williamstein · commit 4cd8f3b44f1e · 2025-07-16T23:48:49.000Z
diff --git a/src/packages/file-server/btrfs/subvolume.ts b/src/packages/file-server/btrfs/subvolume.ts
@@ -6,10 +6,10 @@ import { type Filesystem, DEFAULT_SUBVOLUME_SIZE } from "./filesystem";
 import refCache from "@cocalc/util/refcache";
 import { sudo } from "./util";
 import { join, normalize } from "path";
-import { SubvolumeFilesystem } from "./subvolume-fs";
 import { SubvolumeBup } from "./subvolume-bup";
 import { SubvolumeSnapshots } from "./subvolume-snapshots";
 import { SubvolumeQuota } from "./subvolume-quota";
+import { SandboxedFilesystem } from "../fs";
 import { exists } from "@cocalc/backend/misc/async-utils-node";
 
 import getLogger from "@cocalc/backend/logger";
@@ -26,7 +26,7 @@ export class Subvolume {
 
   public readonly filesystem: Filesystem;
   public readonly path: string;
-  public readonly fs: SubvolumeFilesystem;
+  public readonly fs: SandboxedFilesystem;
   public readonly bup: SubvolumeBup;
   public readonly snapshots: SubvolumeSnapshots;
   public readonly quota: SubvolumeQuota;
@@ -35,7 +35,7 @@ export class Subvolume {
     this.filesystem = filesystem;
     this.name = name;
     this.path = join(filesystem.opts.mount, name);
-    this.fs = new SubvolumeFilesystem(this);
+    this.fs = new SandboxedFilesystem(this.path);
     this.bup = new SubvolumeBup(this);
     this.snapshots = new SubvolumeSnapshots(this);
     this.quota = new SubvolumeQuota(this);
diff --git a/src/packages/file-server/fs/index.ts b/src/packages/file-server/fs/index.ts
@@ -1,3 +1,9 @@
+/*
+Given a path to a folder on the filesystem, this provides
+a wrapper class with an API very similar to the fs/promises modules,
+but which only allows access to files in that folder.
+*/
+
 import {
   appendFile,
   chmod,
@@ -21,111 +27,100 @@ import {
 import { exists } from "@cocalc/backend/misc/async-utils-node";
 import { type DirectoryListingEntry } from "@cocalc/util/types";
 import getListing from "@cocalc/backend/get-listing";
-import { type Subvolume } from "./subvolume";
-import { isdir, sudo } from "./util";
-
-export class SubvolumeFilesystem {
-  constructor(private subvolume: Subvolume) {}
-
-  private normalize = this.subvolume.normalize;
+import { isdir, sudo } from "../btrfs/util";
+import { join, resolve } from "path";
 
-  ls = async (
-    path: string,
-    { hidden, limit }: { hidden?: boolean; limit?: number } = {},
-  ): Promise<DirectoryListingEntry[]> => {
-    return await getListing(this.normalize(path), hidden, {
-      limit,
-      home: "/",
-    });
-  };
+export class SandboxedFilesystem {
+  // path should be the path to a FOLDER on the filesystem (not a file)
+  constructor(public readonly path: string) {}
 
-  readFile = async (path: string, encoding?: any): Promise<string | Buffer> => {
-    return await readFile(this.normalize(path), encoding);
+  private safeAbsPath = (path: string) => {
+    if (typeof path != "string") {
+      throw Error(`path must be a string but is of type ${typeof path}`);
+    }
+    return join(this.path, resolve("/", path));
   };
 
-  writeFile = async (path: string, data: string | Buffer) => {
-    return await writeFile(this.normalize(path), data);
+  appendFile = async (path: string, data: string | Buffer, encoding?) => {
+    return await appendFile(this.safeAbsPath(path), data, encoding);
   };
 
-  appendFile = async (path: string, data: string | Buffer, encoding?) => {
-    return await appendFile(this.normalize(path), data, encoding);
+  chmod = async (path: string, mode: string | number) => {
+    await chmod(this.safeAbsPath(path), mode);
   };
 
-  unlink = async (path: string) => {
-    await unlink(this.normalize(path));
+  copyFile = async (src: string, dest: string) => {
+    await copyFile(this.safeAbsPath(src), this.safeAbsPath(dest));
   };
 
-  stat = async (path: string) => {
-    return await stat(this.normalize(path));
+  cp = async (src: string, dest: string, options?) => {
+    await cp(this.safeAbsPath(src), this.safeAbsPath(dest), options);
   };
 
   exists = async (path: string) => {
-    return await exists(this.normalize(path));
+    return await exists(this.safeAbsPath(path));
   };
 
   // hard link
   link = async (existingPath: string, newPath: string) => {
-    return await link(this.normalize(existingPath), this.normalize(newPath));
-  };
-
-  symlink = async (target: string, path: string) => {
-    return await symlink(this.normalize(target), this.normalize(path));
-  };
-
-  realpath = async (path: string) => {
-    const x = await realpath(this.normalize(path));
-    return x.slice(this.subvolume.path.length + 1);
-  };
-
-  rename = async (oldPath: string, newPath: string) => {
-    await rename(this.normalize(oldPath), this.normalize(newPath));
+    return await link(
+      this.safeAbsPath(existingPath),
+      this.safeAbsPath(newPath),
+    );
   };
 
-  utimes = async (
+  ls = async (
     path: string,
-    atime: number | string | Date,
-    mtime: number | string | Date,
-  ) => {
-    await utimes(this.normalize(path), atime, mtime);
+    { hidden, limit }: { hidden?: boolean; limit?: number } = {},
+  ): Promise<DirectoryListingEntry[]> => {
+    return await getListing(this.safeAbsPath(path), hidden, {
+      limit,
+      home: "/",
+    });
   };
 
-  watch = (filename: string, options?) => {
-    return watch(this.normalize(filename), options);
+  mkdir = async (path: string, options?) => {
+    await mkdir(this.safeAbsPath(path), options);
   };
 
-  truncate = async (path: string, len?: number) => {
-    await truncate(this.normalize(path), len);
+  readFile = async (path: string, encoding?: any): Promise<string | Buffer> => {
+    return await readFile(this.safeAbsPath(path), encoding);
   };
 
-  copyFile = async (src: string, dest: string) => {
-    await copyFile(this.normalize(src), this.normalize(dest));
+  realpath = async (path: string) => {
+    const x = await realpath(this.safeAbsPath(path));
+    return x.slice(this.path.length + 1);
   };
 
-  cp = async (src: string, dest: string, options?) => {
-    await cp(this.normalize(src), this.normalize(dest), options);
+  rename = async (oldPath: string, newPath: string) => {
+    await rename(this.safeAbsPath(oldPath), this.safeAbsPath(newPath));
   };
 
-  chmod = async (path: string, mode: string | number) => {
-    await chmod(this.normalize(path), mode);
+  rm = async (path: string, options?) => {
+    await rm(this.safeAbsPath(path), options);
   };
 
-  mkdir = async (path: string, options?) => {
-    await mkdir(this.normalize(path), options);
+  rmdir = async (path: string, options?) => {
+    await rmdir(this.safeAbsPath(path), options);
   };
 
   rsync = async ({
     src,
     target,
-    args = ["-axH"],
     timeout = 5 * 60 * 1000,
   }: {
     src: string;
     target: string;
-    args?: string[];
     timeout?: number;
   }): Promise<{ stdout: string; stderr: string; exit_code: number }> => {
-    let srcPath = this.normalize(src);
-    let targetPath = this.normalize(target);
+    let srcPath = this.safeAbsPath(src);
+    let targetPath = this.safeAbsPath(target);
+    if (src.endsWith("/")) {
+      srcPath += "/";
+    }
+    if (target.endsWith("/")) {
+      targetPath += "/";
+    }
     if (!srcPath.endsWith("/") && (await isdir(srcPath))) {
       srcPath += "/";
       if (!targetPath.endsWith("/")) {
@@ -134,17 +129,41 @@ export class SubvolumeFilesystem {
     }
     return await sudo({
       command: "rsync",
-      args: [...args, srcPath, targetPath],
+      args: [srcPath, targetPath],
       err_on_exit: false,
       timeout: timeout / 1000,
     });
   };
 
-  rmdir = async (path: string, options?) => {
-    await rmdir(this.normalize(path), options);
+  stat = async (path: string) => {
+    return await stat(this.safeAbsPath(path));
   };
 
-  rm = async (path: string, options?) => {
-    await rm(this.normalize(path), options);
+  symlink = async (target: string, path: string) => {
+    return await symlink(this.safeAbsPath(target), this.safeAbsPath(path));
+  };
+
+  truncate = async (path: string, len?: number) => {
+    await truncate(this.safeAbsPath(path), len);
+  };
+
+  unlink = async (path: string) => {
+    await unlink(this.safeAbsPath(path));
+  };
+
+  utimes = async (
+    path: string,
+    atime: number | string | Date,
+    mtime: number | string | Date,
+  ) => {
+    await utimes(this.safeAbsPath(path), atime, mtime);
+  };
+
+  watch = (filename: string, options?) => {
+    return watch(this.safeAbsPath(filename), options);
+  };
+
+  writeFile = async (path: string, data: string | Buffer) => {
+    return await writeFile(this.safeAbsPath(path), data);
   };
 }
