DelegatedRole._is_target_in_pathpattern uses fnmatch.fnmatch to decide
whether a given target path is authorized by a delegation's glob pattern.
Python's fnmatch.fnmatch calls os.path.normcase() on both arguments
before matching. On POSIX hosts normcase is the identity function; on
Windows hosts os.path resolves to ntpath, whose normcase lowercases
its input and replaces / with \.
As a result, python-tuf's delegation path pattern matching is
case-sensitive on Linux/macOS but case-INSENSITIVE on Windows. This makes the
authorization decision for a target dependent on the host operating system
of the client running the updater.
The result on Windows is a TUF specification violation in the python-tuf ngclient implementation.
Vulnerable code
tuf/api/_payload.py (HEAD 7ecb67d):
1183 @staticmethod
1184 def _is_target_in_pathpattern(targetpath: str, pathpattern: str) -> bool:
1185 """Determine whether ``targetpath`` matches the ``pathpattern``."""
1186 # We need to make sure that targetpath and pathpattern are pointing to
1187 # the same directory as fnmatch doesn't threat "/" as a special symbol.
1188 target_parts = targetpath.split("/")
1189 pattern_parts = pathpattern.split("/")
1190 if len(target_parts) != len(pattern_parts):
1191 return False
1192
1193 # Every part in the pathpattern could include a glob pattern, that's why
1194 # each of the target and pathpattern parts should match.
1195 for target, pattern in zip(target_parts, pattern_parts, strict=True):
1196 if not fnmatch.fnmatch(target, pattern):
1197 return False
1198 return Truefnmatch.fnmatch source (Python 3.12, unchanged in current mainline):
def fnmatch(name, pat):
...
name = os.path.normcase(name)
pat = os.path.normcase(pat)
return fnmatchcase(name, pat)Fix
Replace fnmatch.fnmatch with fnmatch.fnmatchcase, which is explicitly documented as "not applying
case normalization", so it behaves identically across platforms.
Attack
- A TUF repository with two path-based delegations whose patterns differ only in case — for example,
Foo/* and foo/*.
- The "attacker" delegation is listed BEFORE the "legit" delegation in the delegation order
- The client searches for
foo/something: on Windows, it will find the "attacker" provided target "Foo/something".
Exploitability caveats
- The attack needs a repository configuration with case-colliding delegation path patterns. The attacker must control one of the delegated roles
- Delegation ordering matters: the attacker-controlled role must be visited BEFORE the legit role in the pre-order walk
- The client must run on Windows. No effect on Linux/macOS.
Credit
Reporter: Koda Reef @kodareef5
Advisory edits: Jussi Kukkonen @jku
DelegatedRole._is_target_in_pathpatternusesfnmatch.fnmatchto decidewhether a given target path is authorized by a delegation's glob pattern.
Python's
fnmatch.fnmatchcallsos.path.normcase()on both argumentsbefore matching. On POSIX hosts
normcaseis the identity function; onWindows hosts
os.pathresolves tontpath, whosenormcaselowercasesits input and replaces
/with\.As a result, python-tuf's delegation path pattern matching is
case-sensitive on Linux/macOS but case-INSENSITIVE on Windows. This makes the
authorization decision for a target dependent on the host operating system
of the client running the updater.
The result on Windows is a TUF specification violation in the python-tuf
ngclientimplementation.Vulnerable code
tuf/api/_payload.py(HEAD7ecb67d):fnmatch.fnmatchsource (Python 3.12, unchanged in current mainline):Fix
Replace
fnmatch.fnmatchwithfnmatch.fnmatchcase, which is explicitly documented as "not applyingcase normalization", so it behaves identically across platforms.
Attack
Foo/*andfoo/*.foo/something: on Windows, it will find the "attacker" provided target "Foo/something".Exploitability caveats
Credit
Reporter: Koda Reef @kodareef5
Advisory edits: Jussi Kukkonen @jku