cli: dbus: inhibit property path traversal in DBus property access#163
Merged
artiepoole merged 8 commits intomainfrom Mar 30, 2026
Merged
cli: dbus: inhibit property path traversal in DBus property access#163artiepoole merged 8 commits intomainfrom
artiepoole merged 8 commits intomainfrom
Conversation
There was a problem hiding this comment.
Pull request overview
This PR closes a path traversal gap in daemon D-Bus property access by introducing a shared validator, and expands automated coverage across daemon (unit + universal integration) and CLI parsing/helpers.
Changes:
- Add
validate_property_path()in the daemon D-Bus module and reuse it in read/write property methods. - Add universal daemon test cases that assert traversal paths are rejected for read/write property operations.
- Refactor CLI status parsing and property-path building into helper functions with new unit tests and CLI parse tests.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
daemon/tests/universal/status/read_property.rs |
Adds a universal integration case asserting traversal paths are rejected for read_property. |
daemon/tests/universal/control/write_property.rs |
Adds a universal integration case asserting traversal paths are rejected for write_property. |
daemon/tests/universal/control/set_bytes.rs |
Adds a universal integration case asserting traversal paths are rejected for write_property_bytes. |
daemon/src/comm/dbus/control_interface.rs |
Switches property writes to use the shared validate_property_path() guard. |
daemon/src/comm/dbus.rs |
Introduces validate_property_path() and unit tests; routes fs_read_property() through the validator. |
cli/src/status.rs |
Extracts string parsing into helpers and adds unit tests for parsing behavior. |
cli/src/set.rs |
Extracts sysfs property path construction into build_property_path() and adds unit tests. |
cli/src/main.rs |
Adds CLI argument parsing tests for several subcommands and error cases. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Collaborator
|
This looks like it solves #162 but it does not address #88 fully. #88 expects all functions in system_io.rs to be tested e.g.
I'll update the issue to reflect this expectation |
Sinan-Karakaya
changed the title
artiepoole
reviewed
Mar 26, 2026
Collaborator
artiepoole
left a comment
artiepoole
left a comment
There was a problem hiding this comment.
Looking good so far, just a few thoughts
Sinan-Karakaya
changed the title
Collaborator
artiepoole
changed the title
artiepoole
changed the title
artiepoole
changed the title
Contributor
Author
Sinan-Karakaya
force-pushed
the
sinan/integration-test-for-system-io
branch
2 times, most recently
from
083537a to
833bbd3
Compare
artiepoole
reviewed
Mar 27, 2026
Collaborator
artiepoole
left a comment
artiepoole
left a comment
There was a problem hiding this comment.
Sorry for not spotting the &Path thing earlier 🫣
Collaborator
|
Note: the failing test is a lab related error, not a problem with the code |
Collaborator
|
Ah I didn't anticipate this. The fpga flags variable is a symlink and therefore the test fails also the snap test isn't running. This is an error which then results in the test showing passed even though it failed. I wonder how long this has been a problem @talhaHavadar 👀 |
Collaborator
|
Attempting to fix the test issues in #165 edit - merged |
…rage
This change hardens property path handling and expands test coverage across daemon integration tests and CLI unit tests.
Security and behavior changes:
- Added shared property path validation in the DBus layer to ensure paths are inside /sys/class/fpga_manager.
- Explicitly rejects any parent traversal segments such as .. in property paths.
Applied the shared validator to:
- read_property
- write_property
- write_property_bytes
Test coverage changes:
- Added daemon integration test cases for traversal attempts in:
- write_property
- write_property_bytes
- read_property
Added daemon unit tests for the new property-path validator.
Added CLI parser tests for representative command forms and invalid invocation.
Added CLI unit tests for:
- platform/overlay line parsing helpers
- property path construction helper
Validation:
cargo test -p cli passed (9 tests).
cargo test --workspace --no-run succeeded.
Signed-off-by: Sinan KARAKAYA <sinan.karakaya.canonical.com>
Revert commit 605af48, removed tests as they were out of scopes for the PR. Signed-off-by: Sinan KARAKAYA <sinan.karakaya.canonical.com>
Refactored build_property_path to return a Result<String, zbus::Error>.
Added sanitize_segment to check that device_handle and attribute are
not containing any illegal statements ('..', root dir etc...).
Added tests containing illegal statements.
Signed-off-by: Sinan KARAKAYA <sinan.karakaya.canonical.com>
Added helper functions and tests in status.rs to ensure that we check that the correct error type is returned and formatted correctly. Signed-off-by: Sinan KARAKAYA <sinan.karakaya.canonical.com>
Added validate_property_path_with_base to canonicalize the property path and reject paths that escape FPGA_MANAGERS_DIR (including symlink escapes). Signed-off-by: Sinan KARAKAYA <sinan.karakaya.canonical.com>
Signed-off-by: Sinan KARAKAYA <sinan.karakaya.canonical.com>
Changed validate_property_path{_with_base} parameter property_path_str to
property_path of type &Path
Signed-off-by: Sinan KARAKAYA <sinan.karakaya.canonical.com>
validate_property_path_with_base switched canonicalize to absolute path resolve, to ignore symlinks. Signed-off-by: Sinan KARAKAYA <sinan.karakaya.canonical.com>
Sinan-Karakaya
force-pushed
the
sinan/integration-test-for-system-io
branch
from
6f54abe to
aff8ba3
Compare
artiepoole
approved these changes
Mar 30, 2026
Collaborator
artiepoole
left a comment
artiepoole
left a comment
There was a problem hiding this comment.
LGTM, thank you Sinan!
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR fixes a path traversal gap in DBus property access, which could lead to execution of unwanted executables. More details can be found in #88
The solution was to forbid the usage of
'..'in paths, by adding the functionvalidate_property_path