Block symlink dir traversal for /static

This is in line with how it behaved before, but it was lifted a little for the project mount for Hugo Modules,
but that could create hard-to-detect loops.

1 files changed, 80 insertions, 9 deletions

diff --git a/hugofs/nosymlink_fs.go b/hugofs/nosymlink_fs.go
index 42ab94b5c..409b6f03d 100644
--- a/hugofs/nosymlink_fs.go
+++ b/hugofs/nosymlink_fs.go
@@ -16,6 +16,9 @@ package hugofs
 import (
 	"errors"
 	"os"
+	"path/filepath"
+
+	"github.com/gohugoio/hugo/common/loggers"
 
 	"github.com/spf13/afero"
 )
@@ -24,15 +27,48 @@ var (
 	ErrPermissionSymlink = errors.New("symlinks not allowed in this filesystem")
 )
 
-func NewNoSymlinkFs(fs afero.Fs) afero.Fs {
-	return &noSymlinkFs{Fs: fs}
+// NewNoSymlinkFs creates a new filesystem that prevents symlinks.
+func NewNoSymlinkFs(fs afero.Fs, logger *loggers.Logger, allowFiles bool) afero.Fs {
+	return &noSymlinkFs{Fs: fs, logger: logger, allowFiles: allowFiles}
 }
 
 // noSymlinkFs is a filesystem that prevents symlinking.
 type noSymlinkFs struct {
+	allowFiles bool // block dirs only
+	logger     *loggers.Logger
 	afero.Fs
 }
 
+type noSymlinkFile struct {
+	fs *noSymlinkFs
+	afero.File
+}
+
+func (f *noSymlinkFile) Readdir(count int) ([]os.FileInfo, error) {
+	fis, err := f.File.Readdir(count)
+
+	filtered := fis[:0]
+	for _, x := range fis {
+		filename := filepath.Join(f.Name(), x.Name())
+		if _, err := f.fs.checkSymlinkStatus(filename, x); err != nil {
+			// Log a warning and drop the file from the list
+			logUnsupportedSymlink(filename, f.fs.logger)
+		} else {
+			filtered = append(filtered, x)
+		}
+	}
+
+	return filtered, err
+}
+
+func (f *noSymlinkFile) Readdirnames(count int) ([]string, error) {
+	dirs, err := f.Readdir(count)
+	if err != nil {
+		return nil, err
+	}
+	return fileInfosToNames(dirs), nil
+}
+
 func (fs *noSymlinkFs) LstatIfPossible(name string) (os.FileInfo, bool, error) {
 	return fs.stat(name)
 }
@@ -53,33 +89,68 @@ func (fs *noSymlinkFs) stat(name string) (os.FileInfo, bool, error) {
 	if lstater, ok := fs.Fs.(afero.Lstater); ok {
 		fi, wasLstat, err = lstater.LstatIfPossible(name)
 	} else {
-
 		fi, err = fs.Fs.Stat(name)
 	}
 
+	if err != nil {
+		return nil, false, err
+	}
+
+	fi, err = fs.checkSymlinkStatus(name, fi)
+
+	return fi, wasLstat, err
+}
+
+func (fs *noSymlinkFs) checkSymlinkStatus(name string, fi os.FileInfo) (os.FileInfo, error) {
 	var metaIsSymlink bool
 
 	if fim, ok := fi.(FileMetaInfo); ok {
-		metaIsSymlink = fim.Meta().IsSymlink()
+		meta := fim.Meta()
+		metaIsSymlink = meta.IsSymlink()
 	}
 
-	if metaIsSymlink || isSymlink(fi) {
-		return nil, wasLstat, ErrPermissionSymlink
+	if metaIsSymlink {
+		if fs.allowFiles && !fi.IsDir() {
+			return fi, nil
+		}
+		return nil, ErrPermissionSymlink
 	}
 
-	return fi, wasLstat, err
+	// Also support non-decorated filesystems, e.g. the Os fs.
+	if isSymlink(fi) {
+		// Need to determine if this is a directory or not.
+		_, sfi, err := evalSymlinks(fs.Fs, name)
+		if err != nil {
+			return nil, err
+		}
+		if fs.allowFiles && !sfi.IsDir() {
+			// Return the original FileInfo to get the expected Name.
+			return fi, nil
+		}
+		return nil, ErrPermissionSymlink
+	}
+
+	return fi, nil
 }
 
 func (fs *noSymlinkFs) Open(name string) (afero.File, error) {
 	if _, _, err := fs.stat(name); err != nil {
 		return nil, err
 	}
-	return fs.Fs.Open(name)
+	return fs.wrapFile(fs.Fs.Open(name))
 }
 
 func (fs *noSymlinkFs) OpenFile(name string, flag int, perm os.FileMode) (afero.File, error) {
 	if _, _, err := fs.stat(name); err != nil {
 		return nil, err
 	}
-	return fs.Fs.OpenFile(name, flag, perm)
+	return fs.wrapFile(fs.Fs.OpenFile(name, flag, perm))
+}
+
+func (fs *noSymlinkFs) wrapFile(f afero.File, err error) (afero.File, error) {
+	if err != nil {
+		return nil, err
+	}
+
+	return &noSymlinkFile{File: f, fs: fs}, nil
 }