exarch-core 0.2.9

Memory-safe archive extraction library with security validation
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224

//! File permission validation and sanitization.

use crate::Result;
use crate::SecurityConfig;

/// Sanitizes file permissions by stripping dangerous bits.
///
/// This function removes security-sensitive permission bits that could
/// lead to privilege escalation:
/// - Setuid bit (04000): Allows execution with file owner's privileges
/// - Setgid bit (02000): Allows execution with file group's privileges
/// - World-writable bit (0002): Stripped by default unless
///   `allow_world_writable` is set
///
/// # Performance
///
/// This is a pure computation with no I/O. Typical execution time: <10 ns.
///
/// # Errors
///
/// Returns `ExtractionError::InvalidPermissions` only for truly invalid modes.
///
/// # Examples
///
/// ```
/// use exarch_core::SecurityConfig;
/// use exarch_core::security::sanitize_permissions;
/// use std::path::Path;
///
/// let config = SecurityConfig::default();
///
/// // Setuid bit is stripped
/// let sanitized = sanitize_permissions(Path::new("file.txt"), 0o4755, &config).unwrap();
/// assert_eq!(sanitized, 0o755);
///
/// // Setgid bit is stripped
/// let sanitized = sanitize_permissions(Path::new("file.txt"), 0o2755, &config).unwrap();
/// assert_eq!(sanitized, 0o755);
///
/// // Both setuid and setgid bits stripped
/// let sanitized = sanitize_permissions(Path::new("file.txt"), 0o6755, &config).unwrap();
/// assert_eq!(sanitized, 0o755);
///
/// // World-writable bit is stripped by default
/// let sanitized = sanitize_permissions(Path::new("file.txt"), 0o777, &config).unwrap();
/// assert_eq!(sanitized, 0o775);
/// ```
pub fn sanitize_permissions(
    _path: &std::path::Path,
    mode: u32,
    config: &SecurityConfig,
) -> Result<u32> {
    let mut sanitized = mode;

    // Strip setuid bit (04000)
    sanitized &= !0o4000;

    // Strip setgid bit (02000)
    sanitized &= !0o2000;

    // M-CODE-1: Strip world-writable bit (0002) unless explicitly allowed
    if !config.allowed.world_writable {
        sanitized &= !0o002;
    }

    Ok(sanitized)
}

#[cfg(test)]
#[allow(clippy::unwrap_used)]
mod tests {
    use super::*;

    #[test]
    fn test_sanitize_permissions_normal() {
        let config = SecurityConfig::default();
        let result = sanitize_permissions(std::path::Path::new("file.txt"), 0o644, &config);
        assert_eq!(result.unwrap(), 0o644);
    }

    #[test]
    fn test_sanitize_permissions_executable() {
        let config = SecurityConfig::default();
        let result = sanitize_permissions(std::path::Path::new("file.txt"), 0o755, &config);
        assert_eq!(result.unwrap(), 0o755);
    }

    #[test]
    fn test_sanitize_permissions_strip_setuid() {
        let config = SecurityConfig::default();
        let result = sanitize_permissions(std::path::Path::new("file.txt"), 0o4755, &config);
        assert_eq!(result.unwrap(), 0o755);
    }

    #[test]
    fn test_sanitize_permissions_strip_setgid() {
        let config = SecurityConfig::default();
        let result = sanitize_permissions(std::path::Path::new("file.txt"), 0o2755, &config);
        assert_eq!(result.unwrap(), 0o755);
    }

    #[test]
    fn test_sanitize_permissions_strip_both() {
        let config = SecurityConfig::default();
        let result = sanitize_permissions(std::path::Path::new("file.txt"), 0o6755, &config);
        assert_eq!(result.unwrap(), 0o755);
    }

    #[test]
    fn test_sanitize_permissions_strip_world_writable() {
        let config = SecurityConfig::default();
        let result = sanitize_permissions(std::path::Path::new("file.txt"), 0o777, &config);
        assert_eq!(result.unwrap(), 0o775);
    }

    #[test]
    fn test_sanitize_permissions_world_readable_ok() {
        let config = SecurityConfig::default();
        let result = sanitize_permissions(std::path::Path::new("file.txt"), 0o644, &config);
        assert!(result.is_ok());
    }

    #[test]
    fn test_sanitize_permissions_owner_writable_ok() {
        let config = SecurityConfig::default();
        let result = sanitize_permissions(std::path::Path::new("file.txt"), 0o600, &config);
        assert!(result.is_ok());
    }

    #[test]
    fn test_sanitize_permissions_group_writable_ok() {
        let config = SecurityConfig::default();
        let result = sanitize_permissions(std::path::Path::new("file.txt"), 0o664, &config);
        assert!(result.is_ok());
    }

    #[test]
    fn test_sanitize_permissions_edge_case_zero() {
        let config = SecurityConfig::default();
        let result = sanitize_permissions(std::path::Path::new("file.txt"), 0o000, &config);
        assert_eq!(result.unwrap(), 0o000);
    }

    #[test]
    fn test_sticky_bit_preservation() {
        let config = SecurityConfig::default();

        // Sticky bit (0o1000) should be preserved for directories
        // This is commonly used for /tmp-like directories
        let mode_with_sticky = 0o1755; // rwxr-xr-x with sticky bit
        let result = sanitize_permissions(std::path::Path::new("dir/"), mode_with_sticky, &config);
        assert!(result.is_ok(), "sticky bit should be allowed");

        let sanitized = result.unwrap();
        assert_eq!(sanitized & 0o1000, 0o1000, "sticky bit should be preserved");
        assert_eq!(sanitized, 0o1755, "full mode should be preserved");
    }

    #[test]
    fn test_sticky_bit_with_setuid_stripped() {
        let config = SecurityConfig::default();

        // Sticky bit preserved, but setuid/setgid stripped
        let mode = 0o7755; // All special bits
        let result = sanitize_permissions(std::path::Path::new("dir/"), mode, &config);
        assert!(result.is_ok());

        let sanitized = result.unwrap();
        assert_eq!(sanitized & 0o1000, 0o1000, "sticky bit should remain");
        assert_eq!(sanitized & 0o4000, 0, "setuid should be stripped");
        assert_eq!(sanitized & 0o2000, 0, "setgid should be stripped");
        assert_eq!(sanitized, 0o1755, "result should be sticky + rwxr-xr-x");
    }

    // M-CODE-1: Test world-writable with config flag
    #[test]
    fn test_world_writable_allowed_with_config() {
        let mut config = SecurityConfig::default();
        config.allowed.world_writable = true;

        // World-writable should be allowed when config permits
        let result = sanitize_permissions(std::path::Path::new("file.txt"), 0o777, &config);
        assert!(
            result.is_ok(),
            "world-writable should be allowed with config"
        );

        let sanitized = result.unwrap();
        assert_eq!(
            sanitized & 0o002,
            0o002,
            "world-writable bit should be preserved"
        );
        // setuid/setgid should still be stripped
        assert_eq!(sanitized & 0o4000, 0, "setuid should be stripped");
        assert_eq!(sanitized & 0o2000, 0, "setgid should be stripped");
        assert_eq!(sanitized, 0o777, "result should be rwxrwxrwx");
    }

    #[test]
    fn test_world_writable_stripped_by_default() {
        let config = SecurityConfig::default();

        let result = sanitize_permissions(std::path::Path::new("file.txt"), 0o777, &config);
        assert_eq!(
            result.unwrap(),
            0o775,
            "world-writable bit should be stripped by default"
        );
    }

    #[test]
    fn test_world_writable_bit_only_stripped() {
        let config = SecurityConfig::default();

        // 0o666 = rw-rw-rw-, only other-write (0o002) should be stripped -> 0o664
        let result = sanitize_permissions(std::path::Path::new("file.txt"), 0o666, &config);
        assert_eq!(
            result.unwrap(),
            0o664,
            "only world-writable bit should be stripped, not group-write"
        );
    }
}