Create a new 0.6.7-5 release (#2385)

* Verify FILESYSTEM_WRITE permission on copy() function (#2384) Also ensure client id is considered unsafe * Create a new 0.6.7-5 release
Velocidex · Jan 17, 2023 · 4718bb0 · 4718bb0
1 parent c6f11a7
commit 4718bb0
Show file tree

Hide file tree

Showing 7 changed files with 31 additions and 5 deletions.
diff --git a/constants/constants.go b/constants/constants.go
@@ -23,7 +23,7 @@ import (
 )
 
 const (
-	VERSION                    = "0.6.7-4"
+	VERSION                    = "0.6.7-5"
 	ENROLLMENT_WELL_KNOWN_FLOW = "E:Enrol"
 	MONITORING_WELL_KNOWN_FLOW = FLOW_PREFIX + "Monitoring"
 

diff --git a/paths/constants.go b/paths/constants.go
@@ -27,10 +27,10 @@ var (
 	NOTEBOOK_ROOT = path_specs.NewSafeDatastorePath("notebooks").
 			SetType(api.PATH_TYPE_DATASTORE_JSON)
 
-	DOWNLOADS_ROOT = path_specs.NewSafeFilestorePath("downloads").
+	DOWNLOADS_ROOT = path_specs.NewUnsafeFilestorePath("downloads").
 			SetType(api.PATH_TYPE_FILESTORE_DOWNLOAD_ZIP)
 
-	CLIENTS_ROOT = path_specs.NewSafeDatastorePath("clients").
+	CLIENTS_ROOT = path_specs.NewUnsafeDatastorePath("clients").
 			SetType(api.PATH_TYPE_DATASTORE_PROTO)
 
 	CONFIG_ROOT = path_specs.NewSafeDatastorePath("config").

diff --git a/services/indexing/simple.go b/services/indexing/simple.go
@@ -79,7 +79,7 @@ func (self *Indexer) CheckSimpleIndex(
 	for _, keyword := range keywords {
 		message := &emptypb.Empty{}
 		keyword = strings.ToLower(keyword)
-		subject := index_urn.AddChild(keyword, entity)
+		subject := index_urn.AddUnsafeChild(keyword, entity)
 		return db.GetSubject(config_obj, subject, message)
 	}
 	return errors.New("Client does not have label")

diff --git a/services/launcher/launcher.go b/services/launcher/launcher.go
@@ -138,6 +138,7 @@ import (
 	"www.velocidex.com/golang/velociraptor/logging"
 	"www.velocidex.com/golang/velociraptor/paths"
 	"www.velocidex.com/golang/velociraptor/services"
+	"www.velocidex.com/golang/velociraptor/utils"
 	vql_subsystem "www.velocidex.com/golang/velociraptor/vql"
 )
 
@@ -539,6 +540,10 @@ func (self *Launcher) ScheduleArtifactCollectionFromCollectorArgs(
 		return "", errors.New("Client id not provided.")
 	}
 
+	if !utils.ValidateClientId(client_id) {
+		return "", errors.New("Client id not valid.")
+	}
+
 	db, err := datastore.GetDB(config_obj)
 	if err != nil {
 		return "", err

diff --git a/utils/clientid.go b/utils/clientid.go
@@ -0,0 +1,12 @@
+package utils
+
+import "regexp"
+
+var (
+	// Client IDs always start with "C." or they can refer to the "server"
+	client_id_regex = regexp.MustCompile("^(C\\.[a-z0-9]+|server)")
+)
+
+func ValidateClientId(client_id string) bool {
+	return client_id_regex.MatchString(client_id)
+}
diff --git a/vql/filesystem/copy.go b/vql/filesystem/copy.go
@@ -25,6 +25,7 @@ import (
 
 	"github.com/Velocidex/ordereddict"
 	"www.velocidex.com/golang/velociraptor/accessors"
+	"www.velocidex.com/golang/velociraptor/acls"
 	"www.velocidex.com/golang/velociraptor/artifacts"
 	"www.velocidex.com/golang/velociraptor/utils"
 	vql_subsystem "www.velocidex.com/golang/velociraptor/vql"
@@ -109,6 +110,14 @@ func (self *CopyFunction) Call(ctx context.Context,
 			arg.Destination)
 	}
 
+	// We are about to write on the filesystem - make sure the user
+	// has write access.
+	err = vql_subsystem.CheckAccess(scope, acls.FILESYSTEM_WRITE)
+	if err != nil {
+		scope.Log("copy: %s", err.Error())
+		return vfilter.Null{}
+	}
+
 	flags := os.O_RDWR | os.O_CREATE | os.O_TRUNC
 	if arg.Append {
 		flags = os.O_WRONLY | os.O_APPEND

diff --git a/vql/server/compress.go b/vql/server/compress.go
@@ -42,7 +42,7 @@ func (self *Compress) Call(ctx context.Context,
 	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 
-	err := vql_subsystem.CheckAccess(scope, acls.FILESYSTEM_WRITE)
+	err := vql_subsystem.CheckAccess(scope, acls.FILESYSTEM_WRITE, acls.FILESYSTEM_READ)
 	if err != nil {
 		scope.Log("compress: %v", err)
 		return vfilter.Null{}