update (#9380)

* prevent file reads outside of the template clone path * black and bandit * flake - spaces before inline comment * re-black on bandit exclusion * black 22.3.0
Netflix · May 16, 2024 · 2795a2b · 2795a2b
1 parent b746782
commit 2795a2b
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 4 deletions.
diff --git a/consoleme/lib/scm/git/__init__.py b/consoleme/lib/scm/git/__init__.py
@@ -27,6 +27,7 @@ async def clone(self, no_checkout=True, depth: Optional[int] = None):
         await sync_to_async(git.Git(self.tempdir).clone)(*args, **kwargs)
         self.repo = git.Repo(os.path.join(self.tempdir, self.repo_name))
         self.repo.config_writer().set_value("user", "name", "ConsoleMe").release()
+        self.repo.config_writer().set_value("core", "symlinks", "false").release()
         if self.git_email:
             self.repo.config_writer().set_value(
                 "user", "email", self.git_email

diff --git a/consoleme/lib/templated_resources/requests.py b/consoleme/lib/templated_resources/requests.py
@@ -1,5 +1,8 @@
 import io
 import json
+import os
+import random
+import string
 import time
 
 from ruamel.yaml.comments import CommentedSeq
@@ -30,7 +33,10 @@ async def generate_honeybee_request_from_change_model_array(
     repositories_for_request = {}
     primary_principal = None
     t = int(time.time())
-    generated_branch_name = f"{user}-{t}"
+    suffix = "".join(
+        random.choices(string.ascii_lowercase + string.digits, k=10)  # nosec
+    )
+    generated_branch_name = f"{user}-{t}-{suffix}"
     policy_name = config.get(
         "generate_honeybee_request_from_change_model_array.policy_name",
         "self_service_generated",
@@ -78,10 +84,26 @@ async def generate_honeybee_request_from_change_model_array(
         main_branch_name = repositories_for_request[change.principal.repository_name][
             "main_branch_name"
         ]
-        git_client.checkout(
-            f"origin/{main_branch_name}", change.principal.resource_identifier
+
+        change_file_path = os.path.abspath(
+            f"{repo.working_dir}/{change.principal.resource_identifier}"
         )
-        change_file_path = f"{repo.working_dir}/{change.principal.resource_identifier}"
+        clone_wd_path = os.path.abspath(repo.working_dir)
+        if os.path.commonprefix((clone_wd_path, change_file_path)) != clone_wd_path:
+            log.exception(
+                f"User attempted to reference a file outside of the repository: {change_file_path} is not within {clone_wd_path}"
+            )
+            raise ValueError("Unable to raise change request for this resource")
+
+        try:
+            git_client.checkout(
+                f"origin/{main_branch_name}", "--", change.principal.resource_identifier
+            )
+        except Exception:
+            log.exception(
+                f"Unable to checkout {main_branch_name} for {change.principal.resource_identifier}"
+            )
+            raise ValueError("Unable to raise change request for this resource")
         with open(change_file_path, "r") as f:
             yaml_content = yaml.load(f)
 

diff --git a/tests/handlers/v2/test_requests.py b/tests/handlers/v2/test_requests.py
@@ -718,6 +718,7 @@ def test_post_honeybee_request_dry_run(self, mock_git, mock_repo):
           - '*'
         Sid: admin"""
         with patch("builtins.open", mock_open(read_data=template_data)):
+            mock_repo.return_value.working_dir = "/tmp"
             response = self.fetch(
                 "/api/v2/request",
                 method="POST",