1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
//! Additional security tests for edge cases and potential vulnerabilities
#[cfg(target_os = "linux")]
mod additional_security_tests {
use proc_canonicalize::canonicalize;
use std::os::unix::fs::symlink;
use std::path::PathBuf;
#[test]
fn test_symlink_resolution_with_dotdot_normalization_bypass() {
// Vulnerability: "normalize_path" at start of loop blindly removes "component/.."
// If "component" is a symlink to a magic path, we miss it.
//
// Setup:
// /tmp/magic -> /proc/self/root
// /tmp/innocent -> /tmp/magic/subdir
// Path: /tmp/innocent/..
//
// Lexical normalization: /tmp
// Actual resolution: /proc/self/root
let temp_dir = tempfile::TempDir::new().unwrap();
let root = temp_dir.path().to_path_buf();
// 1. Create /tmp/magic -> /proc/self/root
let magic_link = root.join("magic");
symlink("/proc/self/root", &magic_link).unwrap();
// 2. Create /tmp/innocent -> /tmp/magic/etc
// We use "etc" because it exists inside /proc/self/root
let innocent_link = root.join("innocent");
symlink(magic_link.join("etc"), &innocent_link).unwrap();
// 3. Path to test: /tmp/innocent/..
// This should resolve to /proc/self/root/etc/.. -> /proc/self/root
let attack_path = innocent_link.join(std::path::Component::ParentDir.as_os_str());
let result = canonicalize(attack_path).unwrap();
// We expect the result to be /proc/self/root
assert_eq!(result, PathBuf::from("/proc/self/root"));
}
#[test]
fn test_double_symlink_indirection() {
// /tmp/a -> /tmp/b -> /proc/self/root
// Both symlinks should be followed and detected
let temp = tempfile::tempdir().expect("failed to create temp dir");
let link_b = temp.path().join("link_b");
let link_a = temp.path().join("link_a");
symlink("/proc/self/root", &link_b).expect("failed to create link_b");
symlink(&link_b, &link_a).expect("failed to create link_a");
let result = canonicalize(&link_a).expect("canonicalize failed");
assert_ne!(
result,
PathBuf::from("/"),
"Double indirection should not resolve to /"
);
assert!(
result.starts_with("/proc/self/root")
|| result == std::path::Path::new("/proc/self/root")
);
}
#[test]
fn test_triple_symlink_chain() {
// /tmp/a -> /tmp/b -> /tmp/c -> /proc/self/root
let temp = tempfile::tempdir().expect("failed to create temp dir");
let link_c = temp.path().join("link_c");
let link_b = temp.path().join("link_b");
let link_a = temp.path().join("link_a");
symlink("/proc/self/root", &link_c).expect("failed to create link_c");
symlink(&link_c, &link_b).expect("failed to create link_b");
symlink(&link_b, &link_a).expect("failed to create link_a");
let result = canonicalize(&link_a).expect("canonicalize failed");
assert_ne!(
result,
PathBuf::from("/"),
"Triple chain should not resolve to /"
);
assert!(result.starts_with("/proc/self/root"));
}
#[test]
fn test_relative_path_resolving_to_proc() {
// From a temp dir, create a path that when made absolute resolves through /proc
// This is tricky - we need a symlink that when followed lands in /proc
let temp = tempfile::tempdir().expect("failed to create temp dir");
// Create /tmp/.../proc_link -> /proc
let proc_link = temp.path().join("proc_link");
symlink("/proc", &proc_link).expect("failed to create proc_link");
// Now if we're "in" temp dir and access "proc_link/self/root"
// it should still be detected
let relative_ish = proc_link.join("self/root");
let result = canonicalize(relative_ish).expect("canonicalize failed");
assert_ne!(result, PathBuf::from("/"));
assert_eq!(result, PathBuf::from("/proc/self/root"));
}
#[test]
fn test_fd_symlink_to_proc_namespace() {
// /proc/self/fd/N where fd N points to /proc/PID/root
// This is hard to set up without actually opening /proc/PID/root
// But we can test that /proc/self/fd paths themselves aren't mistaken for namespaces
// /proc/self/fd is NOT a namespace boundary (it's a directory of file descriptors)
let result = canonicalize("/proc/self/fd");
// Should succeed (it exists) and NOT be treated as namespace
if let Ok(path) = result {
// fd is a real directory, should resolve normally
// The path might be /proc/self/fd or /proc/<pid>/fd
assert!(path.to_string_lossy().contains("/proc/"));
assert!(path.to_string_lossy().contains("/fd"));
}
// If it errors, that's also fine (permission issues)
}
#[test]
fn test_nested_proc_access() {
// /proc/self/root/proc/self/root - accessing proc inside namespace
// First /proc/self/root is our namespace boundary
// Inside that, /proc/self/root would be the container's view
let result = canonicalize("/proc/self/root/proc/self/root");
// This path may or may not exist depending on whether /proc is mounted inside
// But if it does exist, it should preserve the OUTER namespace prefix
if let Ok(path) = result {
assert!(path.starts_with("/proc/self/root"));
}
// Error is also acceptable (path doesn't exist)
}
#[test]
fn test_symlink_with_dotdot_escaping_to_proc() {
// /tmp/dir/escape -> ../../proc/self/root
// Tricky because the .. must resolve correctly
let temp = tempfile::tempdir().expect("failed to create temp dir");
let subdir = temp.path().join("subdir");
std::fs::create_dir(&subdir).expect("failed to create subdir");
// Calculate how many .. we need to get to /
// From /tmp/xxx/subdir, we need ../../../ to get to /
// Then proc/self/root
let escape = subdir.join("escape");
symlink("../../../proc/self/root", &escape).expect("failed to create escape symlink");
let result = canonicalize(&escape);
// If the symlink resolves to /proc/self/root, we should detect it
if let Ok(path) = result {
assert_ne!(
path,
PathBuf::from("/"),
"Escaped symlink should not resolve to /"
);
// It should either be /proc/self/root or an error
if path != std::path::Path::new("/proc/self/root") {
// Might resolve to something else if .. doesn't land exactly on /
// That's okay as long as it's not /
println!("Resolved to: {:?}", path);
}
}
// Error is acceptable if the path doesn't resolve correctly
}
#[test]
fn test_symlink_to_proc_with_trailing_components() {
// /tmp/link -> /proc
// then access /tmp/link/self/root/etc/passwd
let temp = tempfile::tempdir().expect("failed to create temp dir");
let proc_link = temp.path().join("proc_link");
symlink("/proc", &proc_link).expect("failed to create symlink");
let path = proc_link.join("self/root/etc/passwd");
let result = canonicalize(path);
if let Ok(resolved) = result {
// Should preserve /proc/self/root prefix
assert!(
resolved.starts_with("/proc/self/root"),
"Should preserve namespace: {:?}",
resolved
);
}
// Error is acceptable if file doesn't exist
}
#[test]
fn test_symlink_loop_with_proc() {
// /tmp/a -> /tmp/b
// /tmp/b -> /tmp/a/proc (doesn't exist, but tests loop detection)
// This shouldn't hang
let temp = tempfile::tempdir().expect("failed to create temp dir");
let link_a = temp.path().join("link_a");
let link_b = temp.path().join("link_b");
// Create a loop
symlink(&link_b, &link_a).expect("failed to create link_a");
symlink(&link_a, &link_b).expect("failed to create link_b");
// This should not hang - should either error or return after max iterations
let result = canonicalize(&link_a);
// Should error (loop detected or ELOOP from kernel)
assert!(result.is_err(), "Symlink loop should error, not hang");
}
#[test]
fn test_mixed_symlinks_and_real_dirs() {
// /tmp/real_dir/link -> /proc/self/root
// Ensure we handle mixed real dirs and symlinks
let temp = tempfile::tempdir().expect("failed to create temp dir");
let real_dir = temp.path().join("real_dir");
std::fs::create_dir(&real_dir).expect("failed to create real_dir");
let link = real_dir.join("link");
symlink("/proc/self/root", &link).expect("failed to create symlink");
let result = canonicalize(&link).expect("canonicalize failed");
assert_ne!(result, PathBuf::from("/"));
assert_eq!(result, PathBuf::from("/proc/self/root"));
}
#[test]
fn test_symlink_to_proc_thread_self() {
// Ensure /proc/thread-self paths are also protected via symlinks
let temp = tempfile::tempdir().expect("failed to create temp dir");
let link = temp.path().join("thread_link");
symlink("/proc/thread-self/root", &link).expect("failed to create symlink");
let result = canonicalize(&link).expect("canonicalize failed");
// thread-self/root resolves to / on the host, but we should preserve it
assert_ne!(result, PathBuf::from("/"));
assert!(
result.starts_with("/proc/thread-self/root")
|| result.starts_with("/proc/") && result.to_string_lossy().contains("/root")
);
}
// =========================================================================
// Symlink target resolution edge cases
// =========================================================================
#[test]
fn test_symlink_target_with_dotdot_resolving_to_proc() {
// Setup:
// /tmp/subdir/link -> ../proc_link/self/root
// /tmp/proc_link -> /proc
//
// When we access /tmp/subdir/link:
// 1. Resolve symlink: ../proc_link/self/root (relative to /tmp/subdir)
// 2. Becomes: /tmp/proc_link/self/root
// 3. proc_link is symlink to /proc
// 4. Becomes: /proc/self/root
// 5. Should be detected as magic
let temp = tempfile::tempdir().expect("failed to create temp dir");
let root = temp.path();
// Create /tmp/proc_link -> /proc
let proc_link = root.join("proc_link");
symlink("/proc", proc_link.as_path()).expect("create proc_link");
// Create /tmp/subdir/
let subdir = root.join("subdir");
std::fs::create_dir(&subdir).expect("create subdir");
// Create /tmp/subdir/link -> ../proc_link/self/root
let link = subdir.join("link");
symlink("../proc_link/self/root", &link).expect("create link");
let result = canonicalize(&link).unwrap();
assert_eq!(
result,
PathBuf::from("/proc/self/root"),
"Symlink target with .. should resolve to magic path"
);
}
#[test]
fn test_multiple_dotdot_after_symlink_to_deep_path() {
// Setup:
// /tmp/link -> /proc/self/root/usr/share/doc
// Then access /tmp/link/../../../
// Should resolve to /proc/self/root
let temp = tempfile::tempdir().expect("failed to create temp dir");
let root = temp.path();
// /proc/self/root/usr/share/doc exists on most systems
let link = root.join("link");
symlink("/proc/self/root/usr/share/doc", &link).expect("create link");
// Access link/../../.. -> should be /proc/self/root
let path = link.join("../../..");
let result = canonicalize(path);
if let Ok(resolved) = result {
assert_eq!(
resolved,
PathBuf::from("/proc/self/root"),
"Multiple .. should pop back to namespace root"
);
}
// May error if /usr/share/doc doesn't exist, that's OK
}
#[test]
fn test_directory_symlink_then_dotdot() {
// Setup:
// /tmp/dir_link -> /proc/self/root/etc
// Access: /tmp/dir_link/..
// Should resolve to /proc/self/root (the parent of /etc inside namespace)
let temp = tempfile::tempdir().expect("failed to create temp dir");
let root = temp.path();
let dir_link = root.join("dir_link");
symlink("/proc/self/root/etc", &dir_link).expect("create dir_link");
let path = dir_link.join("..");
let result = canonicalize(path);
if let Ok(resolved) = result {
assert_eq!(
resolved,
PathBuf::from("/proc/self/root"),
".. after symlink to subdir should pop to namespace root"
);
}
}
#[test]
fn test_symlink_chain_with_dotdot_in_middle() {
// Setup:
// /tmp/a/link_a -> ../b/link_b
// /tmp/b/link_b -> /proc/self/root
//
// Access /tmp/a/link_a should resolve to /proc/self/root
let temp = tempfile::tempdir().expect("failed to create temp dir");
let root = temp.path();
let dir_a = root.join("a");
let dir_b = root.join("b");
std::fs::create_dir(&dir_a).expect("create dir_a");
std::fs::create_dir(&dir_b).expect("create dir_b");
let link_b = dir_b.join("link_b");
symlink("/proc/self/root", link_b.as_path()).expect("create link_b");
let link_a = dir_a.join("link_a");
symlink("../b/link_b", &link_a).expect("create link_a");
let result = canonicalize(&link_a).unwrap();
assert_eq!(
result,
PathBuf::from("/proc/self/root"),
"Chain with .. in middle should still detect magic"
);
}
#[test]
fn test_cwd_symlink_with_escape_via_dotdot() {
// /proc/self/cwd points to current working directory
// If cwd is /home/user, then /proc/self/cwd/.. should escape to /home
// We need to return the escaped absolute path, not claim it's inside namespace
let temp = tempfile::tempdir().expect("failed to create temp dir");
let root = temp.path();
let link = root.join("link");
symlink("/proc/self/cwd", &link).expect("create link");
let path = link.join("..");
let result = canonicalize(path);
if let Ok(resolved) = result {
// Get actual parent of cwd for comparison
let cwd = std::env::current_dir().unwrap();
if let Some(parent) = cwd.parent() {
// Either it matches the actual parent, or it's the same as cwd (if cwd is /)
assert!(
resolved == parent
|| resolved == cwd
|| !resolved.starts_with("/proc/self/cwd"),
"Should either resolve to parent or not claim namespace prefix"
);
}
}
}
#[test]
fn test_dot_components_with_symlink_to_proc() {
// /tmp/./link/./self/./root where link -> /proc
// All the . should be ignored
let temp = tempfile::tempdir().expect("failed to create temp dir");
let root = temp.path();
let link = root.join("link");
symlink("/proc", link.as_path()).expect("create link");
// Build path with . components
let path = root
.join(".")
.join("link")
.join(".")
.join("self")
.join(".")
.join("root");
let result = canonicalize(path).unwrap();
assert_eq!(
result,
PathBuf::from("/proc/self/root"),
". components should be ignored"
);
}
#[test]
fn test_innocent_looking_symlink_chain() {
// /tmp/data -> /tmp/storage
// /tmp/storage -> /tmp/backup
// /tmp/backup -> /proc/self/root
//
// The first two symlinks look innocent
let temp = tempfile::tempdir().expect("failed to create temp dir");
let root = temp.path();
let backup = root.join("backup");
symlink("/proc/self/root", &backup).expect("create backup");
let storage = root.join("storage");
symlink(&backup, &storage).expect("create storage");
let data = root.join("data");
symlink(&storage, &data).expect("create data");
let result = canonicalize(&data).unwrap();
assert_eq!(
result,
PathBuf::from("/proc/self/root"),
"Innocent-looking chain should still be detected"
);
}
// =========================================================================
// KNOWN LIMITATIONS (documented, not vulnerabilities per se)
// =========================================================================
// NOTE: Bind mounts are NOT detected by this library.
// If someone does: mount --bind /proc /mnt/proc
// Then /mnt/proc/self/root will NOT be protected.
// This is because:
// 1. Bind mounts are not symlinks - they're mount points
// 2. Detecting bind mounts requires reading /proc/self/mountinfo
// 3. This would add complexity and another TOCTOU window
// 4. Bind mounts require root to create, limiting the attack surface
//
// If your threat model includes malicious bind mounts, you should:
// 1. Restrict mount capabilities in your container/sandbox
// 2. Use mount namespaces
// 3. Audit /proc/self/mountinfo before trusting paths
}