confidential-containers / trustee

Attestation and Secret Delivery Components
Apache License 2.0

Retrieving a resource with name with extension throws error #593

Closed bpradipt closed 4 days ago

bpradipt commented 5 days ago

Describe the bug

Retrieving a resource with name having the pattern . fails with the following error "[2024-11-24T12:59:21Z ERROR kbs::error] PluginInternalError { source: illegal ResourceDesc format. }"

How to reproduce

Create a secret key.pub or key.txt under /opt/confidential-containers/kbs/repository/default/secret/ and retrieve it using CDH.

curl http://127.0.0.1:8006/cdh/resource/default/secret/key.txt

rpc status: Status { code: INTERNAL, message: "[CDH] [ERROR]: Get Resource failed", details: [], special_fields: SpecialFields { unknown_fields: UnknownFields { fields: None }, cached_size: CachedSize { size: 0 } } }

The following error is thrown on the Trustee KBS side:

"[2024-11-24T12:59:21Z ERROR kbs::error] PluginInternalError { source: illegal ResourceDesc format. }"

CoCo version information

main

What TEE are you seeing the problem on

Snp

Failing command and relevant log output

No response

Xynnn007 commented 5 days ago

Oh. Now we have a regex that only allows numbers, letters, - and _

https://github.com/confidential-containers/trustee/blob/main/kbs/src/plugins/implementations/resource/backend.rs#L41-L41

A "." can easily cause security issues, e.g. ".." would access the upper directory. But I think it would be OK to have a "." that is not directly next to a "/".
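
The rule discussed in this thread, as an added Rust example that is not Trustee's code: the strict character set described above next to a relaxed check that permits "." only when it is not the first or last character of a path segment. The function names and the three-segment path shape (taken from default/secret/key.txt) are assumptions.

```rust
// Added example, not the project's implementation. Assumes a resource path
// has exactly three '/'-separated segments, as in "default/secret/key.txt".

/// Strict rule as described in the thread: ASCII letters, digits, '-' and '_'.
fn segment_ok_strict(seg: &str) -> bool {
    !seg.is_empty()
        && seg.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'_')
}

/// Relaxed rule suggested in the thread: '.' is also allowed, but never as the
/// first or last byte of a segment, i.e. never directly next to a '/'.
/// This rejects ".", ".." and dot-prefixed names, so no segment can step
/// out of the repository directory.
fn segment_ok_dotted(seg: &str) -> bool {
    !seg.is_empty()
        && !seg.starts_with('.')
        && !seg.ends_with('.')
        && seg
            .bytes()
            .all(|b| b.is_ascii_alphanumeric() || matches!(b, b'-' | b'_' | b'.'))
}

/// Validates a whole path against one of the two segment rules.
fn valid_resource_path(path: &str, allow_dots: bool) -> bool {
    let check: fn(&str) -> bool = if allow_dots {
        segment_ok_dotted
    } else {
        segment_ok_strict
    };
    let segs: Vec<&str> = path.split('/').collect();
    segs.len() == 3 && segs.iter().all(|s| check(*s))
}

fn main() {
    // Constructed sample inputs.
    let samples = [
        "default/secret/key",
        "default/secret/key.txt",
        "default/../key",
        "default/secret/.key",
        "default//key",
    ];
    for p in samples {
        let (strict, dotted) = (valid_resource_path(p, false), valid_resource_path(p, true));
        println!("{:<24} strict={} dotted={}", p, strict, dotted);
    }
}
```

Validation like this belongs before the name is joined onto the repository directory, so a rejected name never reaches the filesystem.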