public inbox for nncp-devel@lists.stargrave.org
From: Eugene Medvedev <rn3aoh.g@gmail•com>
To: John Goerzen <jgoerzen@complete•org>
Cc: nncp-devel@lists.cypherpunks.su
Subject: Re: NNCP path traversal attack.
Date: Fri, 19 Sep 2025 15:31:56 +0300 [thread overview]
Message-ID: <CAO-d-4pZ=FPzqj=bNO7H+EsGo_dE-BPRK+7T0NvRpe8MVm-5LA@mail.gmail.com> (raw)
In-Reply-To: <87plbmir6f.fsf@complete.org>
On Fri, 19 Sept 2025 at 15:04, John Goerzen <jgoerzen@complete•org> wrote:
> One can at least test if the resulting path is a symlink, and refuse to
> process it if so. That may possibly have a race condition with other
> things on the system, but since nncp-toss is single-threaded, probably
> not there.
Consider the following usage pattern:

I have "/mnt/extradrive/distros" where I keep ISO images of Linux distros.
I also have "/mnt/otherdrive/music" where I keep music I made.
I wish to share both directories, but I can't just put "/mnt" up for freq:
that would give people access to "/mnt/thirddrive/mildsecret" that I
need world readable for my system to function, but don't want to let
outside users see.

So instead I create "/var/spool/nncp-freq", put that up for freq, and in it,
I create two symlinks: "distros" pointing to "/mnt/extradrive/distros" and
"music" pointing to "/mnt/otherdrive/music".

As of right now, this usage pattern works: from the freq point of view,
making requests for "node:distros/foo" and "node:music/bar" returns
the contents of "/mnt/extradrive/distros/foo" and
"/mnt/otherdrive/music/bar" respectively. If "foo" or "bar" are directories,
or symlinks to directories, nncp will pax them and send the archive,
which makes freqs so much more useful.

I believe this is quite a legitimate usage pattern, which is why I'm saying
that symlinks are probably not a problem, but rather a solution.

Given this example, my patch prevents requests for
"node:../../../mnt/thirddrive/mildsecret" from working, but otherwise does
not change this behavior.

os.Root, available since Go 1.24, would be a lot more comprehensive
than the simple check my patch does, and I think it would catch the
symlinks too, if I'm reading the docs right, but it would also be more
restrictive and prevent this usage pattern entirely, necessitating
more complex things like multiple freq directories, etc.

> One vulnerability could be if incoming and freq are the same path.

Which is something that should probably be documented as a
configuration to be avoided, because no amount of coding can
guard against deliberate misconfiguration.
--
Eugene Medvedev
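The kind of lexical containment check discussed in the message above, written as an added Go example for illustration; it is neither the patch under discussion nor NNCP's own code. ResolveFreq, ErrOutsideRoot and the /var/spool/nncp-freq paths are assumptions built from the scenario in the mail. It rejects "../" traversal out of the freq directory but, unlike os.Root, never resolves symlinks, so the "distros" and "music" links keep working.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a request would lexically climb above the
// configured freq directory (hypothetical name, not from NNCP).
var ErrOutsideRoot = errors.New("freq: requested path escapes the freq directory")

// ResolveFreq maps a freq request such as "distros/foo" onto freqDir and
// rejects anything whose cleaned form leaves freqDir. The check is purely
// lexical: it never calls Readlink or EvalSymlinks, so symlinks placed inside
// freqDir by the operator (the "distros" and "music" links) still work.
func ResolveFreq(freqDir, request string) (string, error) {
	root := filepath.Clean(freqDir)
	// Join cleans the result, so "distros/../../x" collapses to "<parent>/x"
	// and a leading "/" in the request cannot make it absolute.
	full := filepath.Join(root, request)
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", ErrOutsideRoot
	}
	// Rel yields ".." or "../..." exactly when full sits above root; it also
	// handles the "/var/spool/nncp-freqx" prefix confusion that a plain
	// strings.HasPrefix(full, root) check would miss.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

func main() {
	const freqDir = "/var/spool/nncp-freq" // constructed example directory
	for _, req := range []string{
		"distros/foo",                             // allowed: stays under freqDir
		"music/bar",                               // allowed
		"../../../mnt/thirddrive/mildsecret",      // rejected: traversal
		"music/../../mnt/thirddrive/mildsecret",   // rejected: traversal via a link
	} {
		p, err := ResolveFreq(freqDir, req)
		fmt.Printf("%-40s -> %q %v\n", req, p, err)
	}
}
```

With os.Root (Go 1.24) the same symlinks would be refused at open time, which is the trade-off the message weighs.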
2025-09-19 4:46 NNCP path traversal attack Eugene Medvedev
2025-09-19 6:28 ` Jonathan Lane
2025-09-19 6:43 ` Eugene Medvedev
2025-09-19 12:02 ` John Goerzen
2025-09-19 12:11 ` Eugene Medvedev
2025-09-19 12:04 ` John Goerzen
2025-09-19 12:31 ` Eugene Medvedev [this message]
2025-09-19 13:25 ` Sergey Matveev
2025-09-19 13:30 ` Eugene Medvedev