common: fix path containment corner cases in passdriver

caxu-rh · caxu-rh · commit 709c573125b8 · 2026-05-18T14:09:55.000-04:00
With the current implementation of getPath, it's possible
to return a path outside the root directory, matching
a sibling directory instead through a crafted/specific id.

Signed-off-by: Caleb Xu &lt;caxu@redhat.com&gt;
diff --git a/common/pkg/secrets/passdriver/passdriver.go b/common/pkg/secrets/passdriver/passdriver.go
@@ -171,7 +171,7 @@ func (d *Driver) getPath(id string) (string, error) {
 	if err != nil {
 		return "", define.ErrInvalidKey
 	}
-	if !strings.HasPrefix(path, d.Root) {
+	if !strings.HasPrefix(path, d.Root+string(filepath.Separator)) {
 		return "", define.ErrInvalidKey
 	}
 	return path + ".gpg", nil
diff --git a/common/pkg/secrets/passdriver/passdriver_test.go b/common/pkg/secrets/passdriver/passdriver_test.go
@@ -3,6 +3,8 @@ package passdriver
 import (
 	"context"
 	"fmt"
+	"os"
+	"path/filepath"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -11,9 +13,17 @@ import (
 
 const gpgTestID = "testing@passdriver"
 
+// setupDriver configures a driver for tests under a single temp directory, including
+// the root, sibling directory (storex) for testing prefix collisions, and gpg homedir.
 func setupDriver(t *testing.T) *Driver {
-	base := t.TempDir()
-	gpghomedir := t.TempDir()
+	t.Helper()
+	tmpdir := t.TempDir()
+	base := filepath.Join(tmpdir, "store")
+	sibling := filepath.Join(tmpdir, "storex")
+	gpghomedir := filepath.Join(tmpdir, "gpg")
+	require.NoError(t, os.MkdirAll(base, 0o755))
+	require.NoError(t, os.MkdirAll(sibling, 0o755))
+	require.NoError(t, os.MkdirAll(gpghomedir, 0o755))
 
 	driver, err := NewDriver(map[string]string{
 		"root":       base,
@@ -57,6 +67,12 @@ func TestStoreAndLookup(t *testing.T) {
 			value:       []byte("abc"),
 			expStoreErr: define.ErrInvalidKey,
 		},
+		{
+			name:        "storing with root path prefix collision fails",
+			key:         "../storex/marker",
+			value:       []byte("abc"),
+			expStoreErr: define.ErrInvalidKey,
+		},
 	}
 
 	for _, tc := range cases {
@@ -109,6 +125,11 @@ func TestLookup(t *testing.T) {
 			key:    "../../../etc/shadow",
 			expErr: define.ErrInvalidKey,
 		},
+		{
+			name:   "lookup with root path prefix collision fails",
+			key:    "../storex/marker",
+			expErr: define.ErrInvalidKey,
+		},
 	}
 
 	for _, tc := range cases {
@@ -157,6 +178,11 @@ func TestDelete(t *testing.T) {
 			key:    "../../../etc/shadow",
 			expErr: define.ErrInvalidKey,
 		},
+		{
+			name:   "delete with root path prefix collision fails",
+			key:    "../storex/marker",
+			expErr: define.ErrInvalidKey,
+		},
 	}
 
 	for _, tc := range cases {

Original file line number	Diff line number	Diff line change
`@@ -171,7 +171,7 @@ func (d *Driver) getPath(id string) (string, error) {`
`171`	`171`	`if err != nil {`
`172`	`172`	`return "", define.ErrInvalidKey`
`173`	`173`	`}`
`174`		`- if !strings.HasPrefix(path, d.Root) {`
	`174`	`+ if !strings.HasPrefix(path, d.Root+string(filepath.Separator)) {`
`175`	`175`	`return "", define.ErrInvalidKey`
`176`	`176`	`}`
`177`	`177`	`return path + ".gpg", nil`