fix(security): contain offline pack artifacts

Dicklesworthstone · Dicklesworthstone · commit e4eacf8118ca · 2026-05-14T22:30:39.000-04:00
diff --git a/scripts/lib/security.sh b/scripts/lib/security.sh
@@ -602,14 +602,61 @@ acfs_offline_pack_path_is_safe() {
     local rel_path="${1:-}"
 
     case "$rel_path" in
-        ""|.|..|/*|../*|*/..|*"/../"*|*"/./"*|*"/")
+        ""|.|..|/*|./*|../*|*/..|*"/../"*|*"/./"*|*"/")
             return 1
             ;;
     esac
 
     return 0
 }
 
+acfs_offline_pack_resolve_existing_path() {
+    local path="${1:-}"
+    local realpath_bin=""
+    local dir=""
+    local base=""
+
+    [[ -n "$path" && -e "$path" ]] || return 1
+
+    realpath_bin="$(acfs_security_system_binary_path realpath 2>/dev/null || true)"
+    if [[ -n "$realpath_bin" ]]; then
+        "$realpath_bin" -e -- "$path"
+        return $?
+    fi
+
+    if [[ -d "$path" ]]; then
+        (cd "$path" 2>/dev/null && pwd -P)
+        return $?
+    fi
+
+    case "$path" in
+        */*)
+            dir="${path%/*}"
+            base="${path##*/}"
+            ;;
+        *)
+            dir="."
+            base="$path"
+            ;;
+    esac
+
+    (cd "$dir" 2>/dev/null && printf '%s/%s\n' "$(pwd -P)" "$base")
+}
+
+acfs_offline_pack_artifact_is_contained() {
+    local pack_root="${1:-}"
+    local artifact_file="${2:-}"
+    local pack_root_real=""
+    local artifact_real=""
+
+    pack_root_real="$(acfs_offline_pack_resolve_existing_path "$pack_root" 2>/dev/null || true)"
+    artifact_real="$(acfs_offline_pack_resolve_existing_path "$artifact_file" 2>/dev/null || true)"
+
+    [[ -n "$pack_root_real" && "$pack_root_real" != "/" ]] || return 1
+    [[ -n "$artifact_real" ]] || return 1
+    [[ "$artifact_real" == "$pack_root_real/"* ]]
+}
+
 acfs_offline_pack_validate_manifest() {
     local pack_root="$1"
     local manifest_file="$2"
@@ -792,7 +839,15 @@ acfs_offline_pack_verify_artifact() {
     fi
 
     artifact_file="$pack_root/$rel_path"
-    if [[ ! -f "$artifact_file" || -L "$artifact_file" ]]; then
+    if [[ ! -f "$artifact_file" ]]; then
+        acfs_offline_pack_error "pack_unbundled_required_module" "$name" "artifact file is missing or unsafe: $rel_path"
+        return 1
+    fi
+    if ! acfs_offline_pack_artifact_is_contained "$pack_root" "$artifact_file"; then
+        acfs_offline_pack_error "pack_path_escape" "$name" "artifact path resolves outside the pack: $rel_path"
+        return 1
+    fi
+    if [[ -L "$artifact_file" ]]; then
         acfs_offline_pack_error "pack_unbundled_required_module" "$name" "artifact file is missing or unsafe: $rel_path"
         return 1
     fi
diff --git a/tests/unit/test_offline_artifact_pack_consumer.sh b/tests/unit/test_offline_artifact_pack_consumer.sh
@@ -69,19 +69,25 @@ write_pack() {
     local expires_at="$2"
     local arch="$3"
     local include_artifact="${4:-yes}"
+    local artifact_rel="${5:-artifacts/fixture.module/${TOOL}-install.sh}"
     local output_dir="$TEST_ROOT/$name"
     local pack_root="$output_dir/acfs-offline-pack"
-    local artifact_rel="artifacts/fixture.module/${TOOL}-install.sh"
     local artifact_path="$pack_root/$artifact_rel"
     local artifact_size=""
     local artifacts_json="[]"
 
-    mkdir -p "$pack_root/artifacts/fixture.module"
+    mkdir -p "$pack_root/artifacts"
     write_checksums "$pack_root/checksums.yaml" "$ARTIFACT_SHA"
 
     if [[ "$include_artifact" == "yes" ]]; then
+        mkdir -p "${artifact_path%/*}"
         printf '%s' "$CONTENT" > "$artifact_path"
         artifact_size="$(acfs_security_file_size "$artifact_path")"
+    elif [[ "$include_artifact" == "manifest-only" ]]; then
+        artifact_size="$(printf '%s' "$CONTENT" | wc -c | tr -d '[:space:]')"
+    fi
+
+    if [[ "$include_artifact" == "yes" || "$include_artifact" == "manifest-only" ]]; then
         artifacts_json="$(
             jq -n \
                 --arg id "fixture.module:$TOOL" \
@@ -232,6 +238,19 @@ test_missing_artifact_is_refused() {
     expect_refusal_code "missing_artifact_is_refused" "$pack_root" "pack_unbundled_required_module"
 }
 
+test_symlink_parent_escape_is_refused() {
+    local pack_root=""
+    local outside_dir="$TEST_ROOT/outside-artifacts"
+    local artifact_rel="artifacts/escape-parent/${TOOL}-install.sh"
+
+    pack_root="$(write_pack "symlink-parent-escape" "$FUTURE_EXPIRES" "$CURRENT_ARCH" manifest-only "$artifact_rel")"
+    mkdir -p "$outside_dir"
+    printf '%s' "$CONTENT" > "$outside_dir/${TOOL}-install.sh"
+    ln -s "$outside_dir" "$pack_root/artifacts/escape-parent"
+
+    expect_refusal_code "symlink_parent_escape_is_refused" "$pack_root" "pack_path_escape"
+}
+
 test_unsupported_arch_is_refused() {
     local pack_root=""
 
@@ -301,6 +320,7 @@ run_all_tests() {
     test_stale_pack_is_refused
     test_tampered_artifact_is_refused
     test_missing_artifact_is_refused
+    test_symlink_parent_escape_is_refused
     test_unsupported_arch_is_refused
     test_missing_pack_fails_closed
     test_live_path_still_works_without_pack
