security: fix enforcement of --restrict-to-path in args processing

ThomasWaldmann · ThomasWaldmann · commit 75854c1243b2 · 2017-12-02T18:13:11.000+01:00
Fixes CVE-2017-15914 (affects releases 1.1.0, 1.1.1, 1.1.2, but not 1.0.x). Thanks to Florian Apolloner for discovering/reporting this! Also: added tests for this. (cherry picked from commit ea0203b)
diff --git a/src/borg/archiver.py b/src/borg/archiver.py
@@ -3806,6 +3806,7 @@ def get_args(self, argv, cmd):
                 return forced_result
             # we only take specific options from the forced "borg serve" command:
             result.restrict_to_paths = forced_result.restrict_to_paths
+            result.restrict_to_repositories = forced_result.restrict_to_repositories
             result.append_only = forced_result.append_only
         return result
 
diff --git a/src/borg/testsuite/archiver.py b/src/borg/testsuite/archiver.py
@@ -3546,10 +3546,22 @@ def test_get_args():
     assert args.restrict_to_paths == ['/p1', '/p2']
     assert args.umask == 0o027
     assert args.log_level == 'info'
+    # similar, but with --restrict-to-repository
+    args = archiver.get_args(['borg', 'serve', '--restrict-to-repository=/r1', '--restrict-to-repository=/r2', ],
+                             'borg serve --info --umask=0027')
+    assert args.restrict_to_repositories == ['/r1', '/r2']
     # trying to cheat - break out of path restriction
     args = archiver.get_args(['borg', 'serve', '--restrict-to-path=/p1', '--restrict-to-path=/p2', ],
                              'borg serve --restrict-to-path=/')
     assert args.restrict_to_paths == ['/p1', '/p2']
+    # trying to cheat - break out of repository restriction
+    args = archiver.get_args(['borg', 'serve', '--restrict-to-repository=/r1', '--restrict-to-repository=/r2', ],
+                             'borg serve --restrict-to-repository=/')
+    assert args.restrict_to_repositories == ['/r1', '/r2']
+    # trying to cheat - break below repository restriction
+    args = archiver.get_args(['borg', 'serve', '--restrict-to-repository=/r1', '--restrict-to-repository=/r2', ],
+                             'borg serve --restrict-to-repository=/r1/below')
+    assert args.restrict_to_repositories == ['/r1', '/r2']
     # trying to cheat - try to execute different subcommand
     args = archiver.get_args(['borg', 'serve', '--restrict-to-path=/p1', '--restrict-to-path=/p2', ],
                              'borg init --encryption=repokey /')
