wolfsftp: reject symlink leaf in SFTP_RecvOpen #1014
Pull request overview
This PR hardens the SFTP server’s RecvOpen path against symlink-leaf confused-deputy and final-component TOCTOU issues by ensuring confined sessions do not follow symlinks when checking file type and opening files.
Changes:
- Add a portable `WOLFSSH_O_NOFOLLOW` macro (with a safe `0` fallback) and apply it to confined SFTP opens.
- Factor confinement-prefix length logic into `SFTP_ConfinedPathLen()` and use it consistently to gate confined-session behavior.
- Extend the SFTP confinement test to include a "leaf is a symlink to an in-jail regular file" case.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| wolfssh/port.h | Introduces WOLFSSH_O_NOFOLLOW (mapped to O_NOFOLLOW where available, otherwise 0) to support safe flag OR'ing. |
| src/wolfsftp.c | Adds confinement helpers and uses lstat-style attribute checks + O_NOFOLLOW when confined to reject symlink leaves and reduce TOCTOU risk. |
| tests/api.c | Adds a confinement regression test ensuring opening a symlink leaf is rejected while opening the direct regular file still succeeds. |
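An added, self-contained illustration of the check-then-open pattern the review above describes (lstat-style type check plus O_NOFOLLOW on the open). This is not wolfSSH's code; `confined_open_nofollow` and `demo_symlink_leaf_rejected` are hypothetical names, and the temp-dir scenario is constructed for the demo.

```c
#define _XOPEN_SOURCE 700          /* for lstat, symlink, mkdtemp */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Portable macro in the shape the PR describes: O_NOFOLLOW where the
 * platform has it, otherwise 0 so it can be OR'd in unconditionally. */
#ifdef O_NOFOLLOW
#define WOLFSSH_O_NOFOLLOW O_NOFOLLOW
#else
#define WOLFSSH_O_NOFOLLOW 0
#endif

/* Hypothetical confined-session open (not wolfSSH's code). lstat() does not
 * follow links, so a symlink leaf is seen as a link, not as its target; the
 * open() adds O_NOFOLLOW so a link swapped in after the check is still
 * refused. Where the macro falls back to 0 only the lstat() guard remains. */
int confined_open_nofollow(const char *path, int flags)
{
    struct stat st;
    if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) {
        errno = ELOOP;                 /* leaf is a symlink: reject */
        return -1;
    }
    return open(path, flags | WOLFSSH_O_NOFOLLOW, 0600);
}

/* Constructed scenario: a regular file and a symlink leaf pointing at it in
 * a fresh temp dir. Returns 1 if direct open works and symlink open fails. */
int demo_symlink_leaf_rejected(void)
{
    char dir[] = "/tmp/nofollowXXXXXX";
    char file[64], lnk[64];
    int fd, ok = 0;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(file, sizeof file, "%s/target.txt", dir);
    snprintf(lnk, sizeof lnk, "%s/leaf.lnk", dir);
    fd = open(file, O_WRONLY | O_CREAT, 0600);
    if (fd >= 0 && symlink(file, lnk) == 0) {
        close(fd);
        fd = confined_open_nofollow(file, O_RDONLY);        /* must succeed */
        if (fd >= 0) { close(fd); ok = 1; }
        if (confined_open_nofollow(lnk, O_RDONLY) >= 0) ok = 0; /* must fail */
    } else if (fd >= 0) close(fd);
    unlink(lnk); unlink(file); rmdir(dir);
    return ok;
}
```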
051061b to d9940ea
wolfSSL-Fenrir-bot left a comment
Fenrir Automated Review — PR #1014
Scan targets checked: wolfssh-bugs, wolfssh-src
Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
d9940ea to 6a0e68c
wolfSSL-Fenrir-bot left a comment
Fenrir Automated Review — PR #1014
Scan targets checked: wolfssh-bugs, wolfssh-src
Findings: 1
1 finding(s) posted as inline comments (see file-level comments below)
This review was generated automatically by Fenrir. Findings are non-blocking.
Description
wolfSSH_SFTP_RecvOpen checked a target's type with stat() (follows symlinks) and then opened it with open() lacking O_NOFOLLOW. A symlink whose leaf points at a regular file passed the FILEATRB_PER_FILE type check, and open() then followed it to the target — a confused-deputy read/write of any file the daemon can reach, plus a TOCTOU race on the final path component.
Addressed by f_4792.
Changes
Harden the open sink, scoped to confined sessions so behavior is unchanged for unconfined servers (which follow symlinks by default):