Merge pull request #27 from curlewlabs-com/fix/restore-target-safety-guard

jeffwall-curlewlabs · web-flow · commit 13aef3b5bb3b · 2026-04-16T16:15:22.000-07:00
fix: refuse restore targets that would wipe the runner
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -370,6 +370,139 @@ jobs:
             || (echo "Expected path to not exist on dash prefix miss" && exit 1)
           echo "Dash prefix safety: OK"
 
+      # Restore-target safety guard. cache-restore.sh does an
+      # unconditional `rm -rf "$path_to_cache"` on a stale-marker
+      # re-sync, so a misconfigured workflow passing path: /, path: $HOME,
+      # or a relative path could wipe the runner. The guard rejects
+      # those targets up-front with exit 2 before any filesystem side
+      # effect. One test per rejection class plus a positive control
+      # confirming a safe sibling path is still accepted.
+      - name: Restore-target guard rejects root
+        run: |
+          set +e
+          out=$(sh lib/cache-restore.sh / any-key /tmp/local-cache "" 2>&1)
+          rc=$?
+          set -e
+          [ "$rc" = "2" ] \
+            || (echo "Expected exit 2 for root path, got $rc. Output: $out" && exit 1)
+          echo "$out" | grep -q 'system root' \
+            || (echo "Expected 'system root' in error, got: $out" && exit 1)
+          echo "Reject /: OK"
+
+      - name: Restore-target guard rejects /.
+        run: |
+          set +e
+          out=$(sh lib/cache-restore.sh /. any-key /tmp/local-cache "" 2>&1)
+          rc=$?
+          set -e
+          [ "$rc" = "2" ] \
+            || (echo "Expected exit 2 for /., got $rc. Output: $out" && exit 1)
+          echo "Reject /.: OK"
+
+      - name: Restore-target guard rejects /..
+        run: |
+          set +e
+          out=$(sh lib/cache-restore.sh /.. any-key /tmp/local-cache "" 2>&1)
+          rc=$?
+          set -e
+          [ "$rc" = "2" ] \
+            || (echo "Expected exit 2 for /.., got $rc. Output: $out" && exit 1)
+          echo "Reject /..: OK"
+
+      - name: Restore-target guard rejects relative paths
+        run: |
+          set +e
+          out=$(sh lib/cache-restore.sh some/relative any-key /tmp/local-cache "" 2>&1)
+          rc=$?
+          set -e
+          [ "$rc" = "2" ] \
+            || (echo "Expected exit 2 for relative path, got $rc. Output: $out" && exit 1)
+          echo "$out" | grep -q 'must be absolute' \
+            || (echo "Expected 'must be absolute' in error, got: $out" && exit 1)
+          echo "Reject relative: OK"
+
+      - name: Restore-target guard rejects whitespace-only paths
+        run: |
+          set +e
+          out=$(sh lib/cache-restore.sh "   " any-key /tmp/local-cache "" 2>&1)
+          rc=$?
+          set -e
+          # cache-restore.sh's empty check runs first for unambiguously
+          # empty strings; tabs/spaces get past it and hit the new
+          # whitespace-only guard. Both produce exit 2, which is the
+          # invariant we're asserting.
+          [ "$rc" = "2" ] \
+            || (echo "Expected exit 2 for whitespace-only path, got $rc. Output: $out" && exit 1)
+          echo "Reject whitespace-only: OK"
+
+      - name: Restore-target guard rejects $HOME
+        run: |
+          set +e
+          out=$(HOME=/tmp/guard-home sh lib/cache-restore.sh /tmp/guard-home any-key /tmp/local-cache "" 2>&1)
+          rc=$?
+          set -e
+          [ "$rc" = "2" ] \
+            || (echo "Expected exit 2 for HOME path, got $rc. Output: $out" && exit 1)
+          echo "$out" | grep -q 'HOME' \
+            || (echo "Expected HOME in error, got: $out" && exit 1)
+          echo "Reject \$HOME: OK"
+
+      - name: Restore-target guard rejects parents of $HOME
+        run: |
+          set +e
+          out=$(HOME=/tmp/guard-parent/home sh lib/cache-restore.sh /tmp/guard-parent any-key /tmp/local-cache "" 2>&1)
+          rc=$?
+          set -e
+          [ "$rc" = "2" ] \
+            || (echo "Expected exit 2 for parent of HOME, got $rc. Output: $out" && exit 1)
+          echo "$out" | grep -q 'HOME' \
+            || (echo "Expected HOME in error, got: $out" && exit 1)
+          echo "Reject parent of \$HOME: OK"
+
+      - name: Restore-target guard rejects $GITHUB_WORKSPACE
+        run: |
+          set +e
+          # Unset HOME so the HOME check doesn't fire first and mask the
+          # GITHUB_WORKSPACE-specific diagnostic we're asserting on. Also
+          # strip the runner's own GITHUB_WORKSPACE and RUNNER_WORKSPACE
+          # from the outer env so we exercise exactly the value we pass.
+          out=$(env -u HOME -u RUNNER_WORKSPACE GITHUB_WORKSPACE=/tmp/guard-ws sh lib/cache-restore.sh /tmp/guard-ws any-key /tmp/local-cache "" 2>&1)
+          rc=$?
+          set -e
+          [ "$rc" = "2" ] \
+            || (echo "Expected exit 2 for GITHUB_WORKSPACE path, got $rc. Output: $out" && exit 1)
+          echo "$out" | grep -q 'GITHUB_WORKSPACE' \
+            || (echo "Expected GITHUB_WORKSPACE in error, got: $out" && exit 1)
+          echo "Reject \$GITHUB_WORKSPACE: OK"
+
+      - name: Restore-target guard rejects parents of $RUNNER_WORKSPACE
+        run: |
+          set +e
+          out=$(env -u HOME -u GITHUB_WORKSPACE RUNNER_WORKSPACE=/tmp/guard-rw/inner sh lib/cache-restore.sh /tmp/guard-rw any-key /tmp/local-cache "" 2>&1)
+          rc=$?
+          set -e
+          [ "$rc" = "2" ] \
+            || (echo "Expected exit 2 for parent of RUNNER_WORKSPACE, got $rc. Output: $out" && exit 1)
+          echo "$out" | grep -q 'RUNNER_WORKSPACE' \
+            || (echo "Expected RUNNER_WORKSPACE in error, got: $out" && exit 1)
+          echo "Reject parent of \$RUNNER_WORKSPACE: OK"
+
+      - name: Restore-target guard accepts a safe sibling path
+        run: |
+          # Positive control: a path under /tmp that is not the root, not
+          # an ancestor of any guarded variable, and has no cache entry
+          # should produce a clean cache miss (exit 0) rather than a
+          # rejection. This confirms the guard is not over-rejecting.
+          set +e
+          out=$(env -u HOME -u GITHUB_WORKSPACE -u RUNNER_WORKSPACE sh lib/cache-restore.sh /tmp/guard-safe-sibling no-such-key /tmp/local-cache "" 2>&1)
+          rc=$?
+          set -e
+          [ "$rc" = "0" ] \
+            || (echo "Expected exit 0 for safe sibling path, got $rc. Output: $out" && exit 1)
+          echo "$out" | grep -q 'Cache miss' \
+            || (echo "Expected 'Cache miss' in output, got: $out" && exit 1)
+          echo "Accept safe sibling: OK"
+
       # Sequential idempotent save: verify that a save against an already-
       # populated entry exits cleanly without touching the existing content.
       # This does NOT exercise parallel mutex contention — real contention is
diff --git a/lib/cache-restore.sh b/lib/cache-restore.sh
@@ -61,6 +61,75 @@ if [ -z "$path_to_cache" ] || [ -z "$cache_key" ] || [ -z "$cache_dir" ]; then
     exit 1
 fi
 
+# cache-restore.sh does an unconditional `rm -rf "$path_to_cache"` on a
+# stale-marker re-sync (see do_restore below). A misconfigured caller
+# passing `path: /` or `path: $HOME` must not be able to wipe the
+# machine, so reject targets that would destroy the system root or a
+# known runner workspace before any filesystem side effects. The check
+# runs up-front so it also fires in --check mode, which keeps the error
+# shape consistent across Phase 1 and Phase 2 and catches bad paths
+# before Phase 2 even acquires the mutex.
+check_not_restore_ancestor() {
+    target_norm="$1"
+    danger_label="$2"
+    danger_raw="$3"
+    [ -z "$danger_raw" ] && return 0
+    # Normalize trailing slashes on the danger path to match target_norm.
+    danger_norm="$danger_raw"
+    while [ "${danger_norm%/}" != "$danger_norm" ]; do
+        danger_norm="${danger_norm%/}"
+    done
+    [ -z "$danger_norm" ] && danger_norm="/"
+    case "$danger_norm" in
+        "$target_norm"|"$target_norm"/*)
+            printf '::error::cache-restore: refusing to restore to %s — rm -rf would delete %s (%s)\n' "$path_to_cache" "$danger_label" "$danger_raw" >&2
+            exit 2
+            ;;
+    esac
+}
+
+# Whitespace-only paths never resolve to a sensible target; they usually
+# indicate an expansion failure in the caller's workflow YAML.
+case "$path_to_cache" in
+    *[![:space:]]*) ;;
+    *)
+        printf '::error::cache-restore: path must not be whitespace-only\n' >&2
+        exit 2
+        ;;
+esac
+
+# Absolute paths only; relative paths resolve against this script's CWD,
+# which varies between Phase 1 and Phase 2 (Phase 2 runs inside
+# local-mutex's working directory), and is therefore unsafe to trust.
+case "$path_to_cache" in
+    /*) ;;
+    *)
+        printf '::error::cache-restore: path must be absolute: %s\n' "$path_to_cache" >&2
+        exit 2
+        ;;
+esac
+
+# Trivially unsafe paths — caught even when HOME/RUNNER_WORKSPACE/
+# GITHUB_WORKSPACE are all unset (e.g. local smoke-testing).
+case "$path_to_cache" in
+    /|/.|/..)
+        printf '::error::cache-restore: refusing to restore to %s — rm -rf would affect the system root\n' "$path_to_cache" >&2
+        exit 2
+        ;;
+esac
+
+# Normalize trailing slashes on the target so "/foo/" and "/foo" hit the
+# ancestor check identically. Preserve root ("/" must stay "/").
+path_to_cache_norm="$path_to_cache"
+while [ "${path_to_cache_norm%/}" != "$path_to_cache_norm" ]; do
+    path_to_cache_norm="${path_to_cache_norm%/}"
+done
+[ -z "$path_to_cache_norm" ] && path_to_cache_norm="/"
+
+check_not_restore_ancestor "$path_to_cache_norm" HOME "${HOME:-}"
+check_not_restore_ancestor "$path_to_cache_norm" RUNNER_WORKSPACE "${RUNNER_WORKSPACE:-}"
+check_not_restore_ancestor "$path_to_cache_norm" GITHUB_WORKSPACE "${GITHUB_WORKSPACE:-}"
+
 # GITHUB_OUTPUT must exist before any output is written. Outside Actions it is
 # unset; a missing path with set -e would abort the script on the first write.
 if [ -z "${GITHUB_OUTPUT:-}" ]; then
