From 4718bb0cb426564568abc77910e90a2c211a32e6 Mon Sep 17 00:00:00 2001
From: Mike Cohen <scudette@users.noreply.github.com>
Date: Tue, 17 Jan 2023 13:04:57 +1000
Subject: [PATCH] Create a new 0.6.7-5 release (#2385)

* Verify FILESYSTEM_WRITE permission on copy() function (#2384)

Also ensure client id is considered unsafe

* Create a new 0.6.7-5 release
---
 constants/constants.go        |  2 +-
 paths/constants.go            |  4 ++--
 services/indexing/simple.go   |  2 +-
 services/launcher/launcher.go |  5 +++++
 utils/clientid.go             | 12 ++++++++++++
 vql/filesystem/copy.go        |  9 +++++++++
 vql/server/compress.go        |  2 +-
 7 files changed, 31 insertions(+), 5 deletions(-)
 create mode 100644 utils/clientid.go

diff --git a/constants/constants.go b/constants/constants.go
index c9f997c8273..fe54937cccb 100644
--- a/constants/constants.go
+++ b/constants/constants.go
@@ -23,7 +23,7 @@ import (
 )
 
 const (
-	VERSION                    = "0.6.7-4"
+	VERSION                    = "0.6.7-5"
 	ENROLLMENT_WELL_KNOWN_FLOW = "E:Enrol"
 	MONITORING_WELL_KNOWN_FLOW = FLOW_PREFIX + "Monitoring"
 
diff --git a/paths/constants.go b/paths/constants.go
index 333664f3b65..335371400d4 100644
--- a/paths/constants.go
+++ b/paths/constants.go
@@ -27,10 +27,10 @@ var (
 	NOTEBOOK_ROOT = path_specs.NewSafeDatastorePath("notebooks").
 			SetType(api.PATH_TYPE_DATASTORE_JSON)
 
-	DOWNLOADS_ROOT = path_specs.NewSafeFilestorePath("downloads").
+	DOWNLOADS_ROOT = path_specs.NewUnsafeFilestorePath("downloads").
 			SetType(api.PATH_TYPE_FILESTORE_DOWNLOAD_ZIP)
 
-	CLIENTS_ROOT = path_specs.NewSafeDatastorePath("clients").
+	CLIENTS_ROOT = path_specs.NewUnsafeDatastorePath("clients").
 			SetType(api.PATH_TYPE_DATASTORE_PROTO)
 
 	CONFIG_ROOT = path_specs.NewSafeDatastorePath("config").
diff --git a/services/indexing/simple.go b/services/indexing/simple.go
index e8490a19193..eb013c8ef8b 100644
--- a/services/indexing/simple.go
+++ b/services/indexing/simple.go
@@ -79,7 +79,7 @@ func (self *Indexer) CheckSimpleIndex(
 	for _, keyword := range keywords {
 		message := &emptypb.Empty{}
 		keyword = strings.ToLower(keyword)
-		subject := index_urn.AddChild(keyword, entity)
+		subject := index_urn.AddUnsafeChild(keyword, entity)
 		return db.GetSubject(config_obj, subject, message)
 	}
 	return errors.New("Client does not have label")
diff --git a/services/launcher/launcher.go b/services/launcher/launcher.go
index 03803e3fa35..0e08b0e6400 100644
--- a/services/launcher/launcher.go
+++ b/services/launcher/launcher.go
@@ -138,6 +138,7 @@ import (
 	"www.velocidex.com/golang/velociraptor/logging"
 	"www.velocidex.com/golang/velociraptor/paths"
 	"www.velocidex.com/golang/velociraptor/services"
+	"www.velocidex.com/golang/velociraptor/utils"
 	vql_subsystem "www.velocidex.com/golang/velociraptor/vql"
 )
 
@@ -539,6 +540,10 @@ func (self *Launcher) ScheduleArtifactCollectionFromCollectorArgs(
 		return "", errors.New("Client id not provided.")
 	}
 
+	if !utils.ValidateClientId(client_id) {
+		return "", errors.New("Client id not valid.")
+	}
+
 	db, err := datastore.GetDB(config_obj)
 	if err != nil {
 		return "", err
diff --git a/utils/clientid.go b/utils/clientid.go
new file mode 100644
index 00000000000..eecd4aa254e
--- /dev/null
+++ b/utils/clientid.go
@@ -0,0 +1,12 @@
+package utils
+
+import "regexp"
+
+var (
+	// Client IDs always start with "C." or they can refer to the "server"
+	client_id_regex = regexp.MustCompile("^(C\\.[a-z0-9]+|server)")
+)
+
+func ValidateClientId(client_id string) bool {
+	return client_id_regex.MatchString(client_id)
+}
diff --git a/vql/filesystem/copy.go b/vql/filesystem/copy.go
index 0e8ac80416c..29aa0e7c576 100644
--- a/vql/filesystem/copy.go
+++ b/vql/filesystem/copy.go
@@ -25,6 +25,7 @@ import (
 
 	"github.com/Velocidex/ordereddict"
 	"www.velocidex.com/golang/velociraptor/accessors"
+	"www.velocidex.com/golang/velociraptor/acls"
 	"www.velocidex.com/golang/velociraptor/artifacts"
 	"www.velocidex.com/golang/velociraptor/utils"
 	vql_subsystem "www.velocidex.com/golang/velociraptor/vql"
@@ -109,6 +110,14 @@ func (self *CopyFunction) Call(ctx context.Context,
 			arg.Destination)
 	}
 
+	// We are about to write on the filesystem - make sure the user
+	// has write access.
+	err = vql_subsystem.CheckAccess(scope, acls.FILESYSTEM_WRITE)
+	if err != nil {
+		scope.Log("copy: %s", err.Error())
+		return vfilter.Null{}
+	}
+
 	flags := os.O_RDWR | os.O_CREATE | os.O_TRUNC
 	if arg.Append {
 		flags = os.O_WRONLY | os.O_APPEND
diff --git a/vql/server/compress.go b/vql/server/compress.go
index 4cf3a5b7ce3..a6d07bc33fb 100644
--- a/vql/server/compress.go
+++ b/vql/server/compress.go
@@ -42,7 +42,7 @@ func (self *Compress) Call(ctx context.Context,
 	scope vfilter.Scope,
 	args *ordereddict.Dict) vfilter.Any {
 
-	err := vql_subsystem.CheckAccess(scope, acls.FILESYSTEM_WRITE)
+	err := vql_subsystem.CheckAccess(scope, acls.FILESYSTEM_WRITE, acls.FILESYSTEM_READ)
 	if err != nil {
 		scope.Log("compress: %v", err)
 		return vfilter.Null{}