Joshua-Anderson
commented
5 months ago A few thoughts:
- Filepath sanitization can be challenging to get right, particularly while supporting UTF-16 characters.
- Operators occasionally have reason to write to sensitive directories (i.e. updating a config file). Note that this could be worked around by uplinking to a safe directory and copying to a sensitive directory
- In my mind, vehicle commanding is considered the security boundary. If your command dictionary exposes the ability to execute arbitrary shell commands, suddenly the ability to write files doesn't seem so scary :)
Instead of adding additional capabilities to FileUplink, I think it may make more sense to rely on operating system provided filesystem permissions and read-only partitions to protect the FSW from overwriting critical files. This provides the secondary benefit of preventing all fprime components from damaging critical files, not just FileUplink
LeStarch
Svc/FileUplinkFeature Description
Change the file path handling for
Svc/FileUplinkto make it relative to a supplied path.Rationale
The current implementation is a security/safety risk, since it uses the pathname as is, including root
/paths. This can make the vehicle vulnerable to invalid/nefarious pathnames. Change the implementation to:1) Take a base pathname as part of a
configure()function. 2) Normalize the file paths for uplinked files to avoid../tricks. 3) Write files to path relative to provided base, creating directories as needed.