vault/local.go at main · flowexec/vault · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
package vault

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"time"
)

const (
	vaultFileBase = "vault"
	envSource     = "env"
	fileSource    = "file"
)

var (
	DefaultVaultKeyEnv = "VAULT_KEY"
)

type Metadata struct {
	Created      time.Time `json:"created"`
	LastModified time.Time `json:"lastModified"`
	RawData      string    `json:"data,omitempty"`
}

// validateSecurePath checks if a path is safe to use
func validateSecurePath(path string) error {
	if path == "" {
		return fmt.Errorf("path cannot be empty")
	}

	// Check for directory traversal attempts
	cleanPath := filepath.Clean(path)
	if strings.Contains(cleanPath, "..") {
		return NewVaultPathError(path)
	}

	// Check for null bytes
	if strings.Contains(path, "\x00") {
		return NewVaultPathError(path)
	}

	// Ensure the path is absolute after expansion
	absPath, err := filepath.Abs(cleanPath)
	if err != nil {
		return fmt.Errorf("failed to get absolute path: %w", err)
	}

	// Basic check that we're not accessing sensitive system directories
	systemDirs := []string{"/etc", "/sys", "/proc", "/dev"}
	for _, sysDir := range systemDirs {
		if strings.HasPrefix(absPath, sysDir) {
			return NewVaultPathError(path)
		}
	}

	return nil
}

func expandPath(path string) (string, error) {
	if path == "" {
		return "", nil
	}

	var expandedPath string

	switch path[0] {
	case '~':
		homeDir, err := os.UserHomeDir()
		if err != nil {
			return "", fmt.Errorf("failed to get user home directory: %w", err)
		}
		expandedPath = homeDir + path[1:]
	case '/':
		expandedPath = path
	case '.':
		wd, err := os.Getwd()
		if err != nil {
			return "", fmt.Errorf("failed to get working directory: %w", err)
		}
		expandedPath = wd + "/" + path[1:]
	case '$':
		envVar := path[1:]
		if value, exists := os.LookupEnv(envVar); exists {
			expandedPath = value
		} else {
			return "", fmt.Errorf("environment variable %s not found", envVar)
		}
	default:
		wd, err := os.Getwd()
		if err != nil {
			return "", fmt.Errorf("failed to get working directory: %w", err)
		}
		if wd[len(wd)-1] == '/' {
			expandedPath = wd + path
		} else {
			expandedPath = wd + "/" + path
		}
	}

	if err := validateSecurePath(expandedPath); err != nil {
		return "", err
	}

	return filepath.Clean(expandedPath), nil
}