sosreport: Fix command injection with crafted report names [CVE-2024-2947]

martinpitt · martinpitt · commit 86e7a337ba92 · 2024-04-02T10:24:56.000+02:00
Files in /var/tmp/ are controllable by any user. In particular, an unprivileged user could create an sosreport* file containing a `'` and a shell command, which would then run with root privileges when the admin Cockpit user tried to delete the report. Use the `cockpit.file()` API instead, which entirely avoids shell. The main motivation for using shell and the glob was to ensure that the auxiliary files like *.gpg and *.sha256 get cleaned up -- do that explicitly (which is much safer anyway), and let our tests make sure that we don't leave files behind. https://bugzilla.redhat.com/show_bug.cgi?id=2271614 https://bugzilla.redhat.com/show_bug.cgi?id=2271815 Cherry-picked from main commit 9c4cc9b
diff --git a/pkg/sosreport/index.jsx b/pkg/sosreport/index.jsx
@@ -218,7 +218,16 @@ function sosDownload(path) {
 }
 
 function sosRemove(path) {
-    return cockpit.script(cockpit.format("rm -f '$0' '$0'.*", path), { superuser: true, err: "message" });
+    // there are various potential extra files; not all of them are expected to exist,
+    // the file API tolerates removing nonexisting files
+    const paths = [
+        path,
+        path + ".asc",
+        path + ".gpg",
+        path + ".md5",
+        path + ".sha256",
+    ];
+    return Promise.all(paths.map(p => cockpit.file(p, { superuser: true }).replace(null)));
 }
 
 const SOSDialog = () => {
diff --git a/test/verify/check-sosreport b/test/verify/check-sosreport
@@ -89,8 +89,9 @@ only-plugins=release,date,host,cgroups,networking
         # while the download is ongoing, it will have an *.xz.tmpsuffix name, gets renamed to *.xz when done
         wait(lambda: len(downloaded_sosreports()) > 0)
         report_gpg = downloaded_sosreports()[0]
+        report = report_gpg.removesuffix(".gpg")
         base_report_gpg = os.path.basename(report_gpg)
-        report = report_gpg.replace(".gpg", "")
+        base_report = base_report_gpg.removesuffix(".gpg")
 
         m.execute(f"test -f /var/tmp/{base_report_gpg}")
 
@@ -113,7 +114,8 @@ only-plugins=release,date,host,cgroups,networking
         b.click("tr:contains(mylabel) button.pf-c-dropdown__toggle")
         b.click("tr:contains(mylabel) li:contains(Delete)")
         b.click("#sos-remove-dialog button:contains(Delete)")
-        wait(lambda: m.execute(f"! test -f /var/tmp/{base_report_gpg} && echo yes"))
+        # ensure it removes the report itself, and auxiliary files like .gpg
+        m.execute(f"while ls /var/tmp/{base_report}*; do sleep 1; done", stdout=None, timeout=10)
 
         self.allow_journal_messages('.*comm="sosreport".*')
 
