v2 hardening effort part 1

cmd/hauler/cli/store/add.go

@@ -36,14 +36,19 @@ func AddFileCmd(ctx context.Context, o *flags.AddFileOpts, s *store.Layout, refe
 	if len(o.Name) > 0 {
 		cfg.Name = o.Name
 	}
-	return storeFile(ctx, s, cfg)
+	var allowInternal bool
+	if o.StoreRootOpts != nil {
+		allowInternal = o.AllowInternalTargets
+	}
+	return storeFile(ctx, s, cfg, allowInternal)
 }
 
-func storeFile(ctx context.Context, s *store.Layout, fi v1.File) error {
+func storeFile(ctx context.Context, s *store.Layout, fi v1.File, allowInternalTargets bool) error {
 	l := log.FromContext(ctx)
 
 	copts := getter.ClientOptions{
-		NameOverride: fi.Name,
+		NameOverride:         fi.Name,
+		AllowInternalTargets: allowInternalTargets,
 	}
 
 	f := file.NewFile(fi.Path, file.WithClient(getter.NewClient(copts)))

cmd/hauler/cli/store/add_test.go

@@ -371,7 +371,7 @@ func TestStoreFile(t *testing.T) {
 		tmp.Close()
 
 		s := newTestStore(t)
-		if err := storeFile(ctx, s, v1.File{Path: tmp.Name()}); err != nil {
+		if err := storeFile(ctx, s, v1.File{Path: tmp.Name()}, false); err != nil {
 			t.Fatalf("storeFile: %v", err)
 		}
 		assertArtifactInStore(t, s, filepath.Base(tmp.Name()))
@@ -380,7 +380,7 @@ func TestStoreFile(t *testing.T) {
 	t.Run("HTTP URL stored under basename", func(t *testing.T) {
 		url := seedFileInHTTPServer(t, "script.sh", "#!/bin/sh\necho ok")
 		s := newTestStore(t)
-		if err := storeFile(ctx, s, v1.File{Path: url}); err != nil {
+		if err := storeFile(ctx, s, v1.File{Path: url}, true); err != nil {
 			t.Fatalf("storeFile: %v", err)
 		}
 		assertArtifactInStore(t, s, "script.sh")
@@ -394,15 +394,15 @@ func TestStoreFile(t *testing.T) {
 		tmp.Close()
 
 		s := newTestStore(t)
-		if err := storeFile(ctx, s, v1.File{Path: tmp.Name(), Name: "custom.sh"}); err != nil {
+		if err := storeFile(ctx, s, v1.File{Path: tmp.Name(), Name: "custom.sh"}, false); err != nil {
 			t.Fatalf("storeFile: %v", err)
 		}
 		assertArtifactInStore(t, s, "custom.sh")
 	})
 
 	t.Run("nonexistent local path returns error", func(t *testing.T) {
 		s := newTestStore(t)
-		err := storeFile(ctx, s, v1.File{Path: "/nonexistent/path/missing-file.txt"})
+		err := storeFile(ctx, s, v1.File{Path: "/nonexistent/path/missing-file.txt"}, false)
 		if err == nil {
 			t.Fatal("expected error for nonexistent path, got nil")
 		}

cmd/hauler/cli/store/copy_test.go

@@ -242,7 +242,7 @@ func TestCopyCmd_Dir_Files(t *testing.T) {
 	url := seedFileInHTTPServer(t, "data.txt", content)
 
 	s := newTestStore(t)
-	if err := storeFile(ctx, s, v1.File{Path: url}); err != nil {
+	if err := storeFile(ctx, s, v1.File{Path: url}, true); err != nil {
 		t.Fatalf("storeFile: %v", err)
 	}
 

cmd/hauler/cli/store/extract_test.go

@@ -31,7 +31,7 @@ func TestExtractCmd_File(t *testing.T) {
 
 	fileContent := "hello extract test"
 	url := seedFileInHTTPServer(t, "extract-me.txt", fileContent)
-	if err := storeFile(ctx, s, v1.File{Path: url}); err != nil {
+	if err := storeFile(ctx, s, v1.File{Path: url}, true); err != nil {
 		t.Fatalf("storeFile: %v", err)
 	}
 
@@ -533,7 +533,7 @@ func TestExtractCmd_SubstringMatch(t *testing.T) {
 
 	fileContent := "substring match content"
 	url := seedFileInHTTPServer(t, "extract-sub.txt", fileContent)
-	if err := storeFile(ctx, s, v1.File{Path: url}); err != nil {
+	if err := storeFile(ctx, s, v1.File{Path: url}, true); err != nil {
 		t.Fatalf("storeFile: %v", err)
 	}
 
@@ -581,7 +581,7 @@ func TestExtractCmd_CosignArtifactsProduceNoContainerImageWarning(t *testing.T)
 	// Seed a real file artifact so ExtractCmd finds something to extract.
 	fileContent := "cosign-filter test file content"
 	url := seedFileInHTTPServer(t, "sigtest.txt", fileContent)
-	if err := storeFile(ctx, s, v1.File{Path: url}); err != nil {
+	if err := storeFile(ctx, s, v1.File{Path: url}, true); err != nil {
 		t.Fatalf("storeFile: %v", err)
 	}
 

cmd/hauler/cli/store/info_test.go

@@ -199,7 +199,7 @@ func TestInfoCmd(t *testing.T) {
 		t.Fatalf("write tmpFile: %v", err)
 	}
 	fi := v1.File{Path: tmpFile}
-	if err := storeFile(ctx, s, fi); err != nil {
+	if err := storeFile(ctx, s, fi, false); err != nil {
 		t.Fatalf("storeFile: %v", err)
 	}
 

cmd/hauler/cli/store/lifecycle_test.go

@@ -31,7 +31,7 @@ func TestLifecycle_FileArtifact_AddSaveLoadCopy(t *testing.T) {
 
 	// Step 2: storeFile into store A.
 	storeA := newTestStore(t)
-	if err := storeFile(ctx, storeA, v1.File{Path: url}); err != nil {
+	if err := storeFile(ctx, storeA, v1.File{Path: url}, true); err != nil {
 		t.Fatalf("storeFile: %v", err)
 	}
 	assertArtifactInStore(t, storeA, "lifecycle.txt")
@@ -252,10 +252,10 @@ func TestLifecycle_Remove_ThenSave(t *testing.T) {
 	url2 := seedFileInHTTPServer(t, "remove-me.txt", "content to remove")
 
 	storeA := newTestStore(t)
-	if err := storeFile(ctx, storeA, v1.File{Path: url1}); err != nil {
+	if err := storeFile(ctx, storeA, v1.File{Path: url1}, true); err != nil {
 		t.Fatalf("storeFile keep-me: %v", err)
 	}
-	if err := storeFile(ctx, storeA, v1.File{Path: url2}); err != nil {
+	if err := storeFile(ctx, storeA, v1.File{Path: url2}, true); err != nil {
 		t.Fatalf("storeFile remove-me: %v", err)
 	}
 

cmd/hauler/cli/store/load.go

@@ -3,6 +3,7 @@ package store
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"io"
 	"net/url"
 	"os"
@@ -41,7 +42,7 @@ func LoadCmd(ctx context.Context, o *flags.LoadOpts, rso *flags.StoreRootOpts, r
 	for _, fileName := range o.FileName {
 		resolved := resolveHaulPath(fileName)
 		l.Infof("loading haul [%s] to [%s]", resolved, o.StoreDir)
-		err := unarchiveLayoutTo(ctx, resolved, o.StoreDir, tempDir)
+		err := unarchiveLayoutTo(ctx, resolved, o.StoreDir, tempDir, rso.AllowInternalTargets)
 		if err != nil {
 			return err
 		}
@@ -52,13 +53,13 @@ func LoadCmd(ctx context.Context, o *flags.LoadOpts, rso *flags.StoreRootOpts, r
 }
 
 // accepts an archived OCI layout, extracts the contents to an existing OCI layout, and preserves the index
-func unarchiveLayoutTo(ctx context.Context, haulPath string, dest string, tempDir string) error {
+func unarchiveLayoutTo(ctx context.Context, haulPath string, dest string, tempDir string, allowInternalTargets bool) error {
 	l := log.FromContext(ctx)
 
 	if strings.HasPrefix(haulPath, "http://") || strings.HasPrefix(haulPath, "https://") {
 		l.Debugf("detected remote archive... starting download... [%s]", haulPath)
 
-		h := getter.NewHttp()
+		h := getter.NewHttpWithOptions(getter.HttpOptions{AllowInternalTargets: allowInternalTargets})
 		parsedURL, err := url.Parse(haulPath)
 		if err != nil {
 			return err
@@ -81,9 +82,13 @@ func unarchiveLayoutTo(ctx context.Context, haulPath string, dest string, tempDi
 		}
 		defer out.Close()
 
-		if _, err = io.Copy(out, rc); err != nil {
+		n, err := io.Copy(out, io.LimitReader(rc, consts.MaxDownloadBytes+1))
+		if err != nil {
 			return err
 		}
+		if n > consts.MaxDownloadBytes {
+			return fmt.Errorf("remote archive at %s exceeds maximum allowed size (%d bytes)", haulPath, consts.MaxDownloadBytes)
+		}
 	}
 
 	// reassemble chunk files if haulPath matches the chunk naming pattern
@@ -98,10 +103,18 @@ func unarchiveLayoutTo(ctx context.Context, haulPath string, dest string, tempDi
 	}
 
 	// ensure the incoming index.json has the correct annotations.
-	data, err := os.ReadFile(tempDir + "/index.json")
+	indexFile, err := os.Open(tempDir + "/index.json")
+	if err != nil {
+		return (err)
+	}
+	data, err := io.ReadAll(io.LimitReader(indexFile, consts.MaxManifestBytes+1))
+	indexFile.Close()
 	if err != nil {
 		return (err)
 	}
+	if int64(len(data)) > consts.MaxManifestBytes {
+		return fmt.Errorf("index.json exceeds maximum allowed size (%d bytes)", consts.MaxManifestBytes)
+	}
 
 	var idx ocispec.Index
 	if err := json.Unmarshal(data, &idx); err != nil {

cmd/hauler/cli/store/load_test.go

@@ -71,7 +71,7 @@ func TestUnarchiveLayoutTo(t *testing.T) {
 	destDir := t.TempDir()
 	tempDir := t.TempDir()
 
-	if err := unarchiveLayoutTo(ctx, testHaulArchive, destDir, tempDir); err != nil {
+	if err := unarchiveLayoutTo(ctx, testHaulArchive, destDir, tempDir, false); err != nil {
 		t.Fatalf("unarchiveLayoutTo: %v", err)
 	}
 
@@ -192,12 +192,16 @@ func TestLoadCmd_RemoteArchive(t *testing.T) {
 	destDir := t.TempDir()
 	remoteURL := srv.URL + "/haul.tar.zst"
 
+	// AllowInternalTargets=true because the test server binds to loopback.
+	rso := defaultRootOpts(destDir)
+	rso.AllowInternalTargets = true
+
 	o := &flags.LoadOpts{
-		StoreRootOpts: defaultRootOpts(destDir),
+		StoreRootOpts: rso,
 		FileName:      []string{remoteURL},
 	}
 
-	if err := LoadCmd(ctx, o, defaultRootOpts(destDir), defaultCliOpts()); err != nil {
+	if err := LoadCmd(ctx, o, rso, defaultCliOpts()); err != nil {
 		t.Fatalf("LoadCmd remote: %v", err)
 	}
 
@@ -262,7 +266,7 @@ func TestUnarchiveLayoutTo_AnnotationBackfill(t *testing.T) {
 	// Step 4: Load the stripped archive.
 	destDir := t.TempDir()
 	tempDir := t.TempDir()
-	if err := unarchiveLayoutTo(ctx, strippedArchive, destDir, tempDir); err != nil {
+	if err := unarchiveLayoutTo(ctx, strippedArchive, destDir, tempDir, false); err != nil {
 		t.Fatalf("unarchiveLayoutTo stripped: %v", err)
 	}
 
@@ -354,7 +358,7 @@ func TestUnarchiveLayoutTo_LegacyKindMigration(t *testing.T) {
 	// Step 4: Load the legacy archive.
 	destDir := t.TempDir()
 	tempDir := t.TempDir()
-	if err := unarchiveLayoutTo(ctx, legacyArchive, destDir, tempDir); err != nil {
+	if err := unarchiveLayoutTo(ctx, legacyArchive, destDir, tempDir, false); err != nil {
 		t.Fatalf("unarchiveLayoutTo legacy: %v", err)
 	}
 

cmd/hauler/cli/store/remove_test.go

@@ -81,7 +81,7 @@ func TestRemoveCmd_Force(t *testing.T) {
 	s := newTestStore(t)
 
 	url := seedFileInHTTPServer(t, "removeme.txt", "file-to-remove")
-	if err := storeFile(ctx, s, v1.File{Path: url}); err != nil {
+	if err := storeFile(ctx, s, v1.File{Path: url}, true); err != nil {
 		t.Fatalf("storeFile: %v", err)
 	}
 
@@ -133,10 +133,10 @@ func TestRemoveCmd_Force_MultipleMatches(t *testing.T) {
 	url1 := seedFileInHTTPServer(t, "testfile-alpha.txt", "content-alpha")
 	url2 := seedFileInHTTPServer(t, "testfile-beta.txt", "content-beta")
 
-	if err := storeFile(ctx, s, v1.File{Path: url1}); err != nil {
+	if err := storeFile(ctx, s, v1.File{Path: url1}, true); err != nil {
 		t.Fatalf("storeFile alpha: %v", err)
 	}
-	if err := storeFile(ctx, s, v1.File{Path: url2}); err != nil {
+	if err := storeFile(ctx, s, v1.File{Path: url2}, true); err != nil {
 		t.Fatalf("storeFile beta: %v", err)
 	}
 

cmd/hauler/cli/store/save_test.go

@@ -118,7 +118,7 @@ func TestWriteExportsManifest_SkipsNonImages(t *testing.T) {
 
 	url := seedFileInHTTPServer(t, "skip.sh", "#!/bin/sh\necho skip")
 	s := newTestStore(t)
-	if err := storeFile(ctx, s, v1.File{Path: url}); err != nil {
+	if err := storeFile(ctx, s, v1.File{Path: url}, true); err != nil {
 		t.Fatalf("storeFile: %v", err)
 	}
 

cmd/hauler/cli/store/sync.go

@@ -82,11 +82,14 @@ func SyncCmd(ctx context.Context, o *flags.SyncOpts, s *store.Layout, rso *flags
 			if err != nil {
 				return err
 			}
-			content, err := io.ReadAll(rc)
+			content, err := io.ReadAll(io.LimitReader(rc, consts.MaxManifestBytes+1))
 			rc.Close()
 			if err != nil {
 				return err
 			}
+			if int64(len(content)) > consts.MaxManifestBytes {
+				return fmt.Errorf("product manifest for [%s] exceeds maximum allowed size (%d bytes)", productName, consts.MaxManifestBytes)
+			}
 
 			// Ensure each manifest starts with a YAML document separator.
 			if !strings.HasPrefix(string(content), "---") {
@@ -161,7 +164,7 @@ func SyncCmd(ctx context.Context, o *flags.SyncOpts, s *store.Layout, rso *flags
 			if strings.HasPrefix(haulPath, "http://") || strings.HasPrefix(haulPath, "https://") {
 				l.Debugf("detected remote manifest... starting download... [%s]", haulPath)
 
-				h := getter.NewHttp()
+				h := getter.NewHttpWithOptions(getter.HttpOptions{AllowInternalTargets: rso.AllowInternalTargets})
 				parsedURL, err := url.Parse(haulPath)
 				if err != nil {
 					return err
@@ -184,9 +187,13 @@ func SyncCmd(ctx context.Context, o *flags.SyncOpts, s *store.Layout, rso *flags
 				}
 				defer out.Close()
 
-				if _, err = io.Copy(out, rc); err != nil {
+				n, err := io.Copy(out, io.LimitReader(rc, consts.MaxDownloadBytes+1))
+				if err != nil {
 					return err
 				}
+				if n > consts.MaxDownloadBytes {
+					return fmt.Errorf("remote manifest at %s exceeds maximum allowed size (%d bytes)", haulPath, consts.MaxDownloadBytes)
+				}
 			}
 
 			fi, err := os.Open(haulPath)
@@ -213,7 +220,7 @@ func SyncCmd(ctx context.Context, o *flags.SyncOpts, s *store.Layout, rso *flags
 			if strings.HasPrefix(haulPath, "http://") || strings.HasPrefix(haulPath, "https://") {
 				l.Debugf("detected remote image.txt... starting download... [%s]", haulPath)
 
-				h := getter.NewHttp()
+				h := getter.NewHttpWithOptions(getter.HttpOptions{AllowInternalTargets: rso.AllowInternalTargets})
 				parsedURL, err := url.Parse(haulPath)
 				if err != nil {
 					return err
@@ -236,9 +243,13 @@ func SyncCmd(ctx context.Context, o *flags.SyncOpts, s *store.Layout, rso *flags
 				}
 				defer out.Close()
 
-				if _, err = io.Copy(out, rc); err != nil {
+				n, err := io.Copy(out, io.LimitReader(rc, consts.MaxDownloadBytes+1))
+				if err != nil {
 					return err
 				}
+				if n > consts.MaxDownloadBytes {
+					return fmt.Errorf("remote image.txt at %s exceeds maximum allowed size (%d bytes)", haulPath, consts.MaxDownloadBytes)
+				}
 			}
 
 			fi, err := os.Open(haulPath)
@@ -296,7 +307,7 @@ func processContent(ctx context.Context, fi *os.File, o *flags.SyncOpts, s *stor
 					return err
 				}
 				for _, f := range cfg.Spec.Files {
-					if err := storeFile(ctx, s, f); err != nil {
+					if err := storeFile(ctx, s, f, rso.AllowInternalTargets); err != nil {
 						return err
 					}
 				}

cmd/hauler/cli/store/sync_test.go

@@ -70,6 +70,7 @@ spec:
 
 	fi := writeManifestFile(t, manifest)
 	o := newSyncOpts(s.Root)
+	o.StoreRootOpts.AllowInternalTargets = true // test server is on loopback
 	ro := defaultCliOpts()
 
 	if err := processContent(ctx, fi, o, s, o.StoreRootOpts, ro); err != nil {
@@ -216,6 +217,7 @@ spec:
 
 	fi := writeManifestFile(t, manifest)
 	o := newSyncOpts(s.Root)
+	o.StoreRootOpts.AllowInternalTargets = true // test servers are on loopback
 	ro := defaultCliOpts()
 
 	if err := processContent(ctx, fi, o, s, o.StoreRootOpts, ro); err != nil {
@@ -260,6 +262,7 @@ spec:
 	o := newSyncOpts(s.Root)
 	o.FileName = []string{manifestPath}
 	rso := defaultRootOpts(s.Root)
+	rso.AllowInternalTargets = true // test server is on loopback
 	ro := defaultCliOpts()
 
 	if err := SyncCmd(ctx, o, s, rso, ro); err != nil {
@@ -411,6 +414,7 @@ func TestSyncCmd_ImageTxt_RemoteFile(t *testing.T) {
 	o := newSyncOpts(s.Root)
 	o.ImageTxt = []string{imageSrv.URL + "/images.txt"}
 	rso := defaultRootOpts(s.Root)
+	rso.AllowInternalTargets = true // test server is on loopback
 	ro := defaultCliOpts()
 
 	if err := SyncCmd(ctx, o, s, rso, ro); err != nil {
@@ -444,6 +448,7 @@ spec:
 	o := newSyncOpts(s.Root)
 	o.FileName = []string{manifestSrv.URL + "/manifest.yaml"}
 	rso := defaultRootOpts(s.Root)
+	rso.AllowInternalTargets = true // both manifest server and file server are on loopback
 	ro := defaultCliOpts()
 
 	if err := SyncCmd(ctx, o, s, rso, ro); err != nil {

install.sh

@@ -150,8 +150,8 @@ if [ ! -d "${HAULER_DIR}" ]; then
     mkdir -p "${HAULER_DIR}" || fatal "Failed to Create Hauler Directory: ${HAULER_DIR}"
 fi
 
-# ensure hauler directory is writable (by user or root privileges)
-chmod -R 777 "${HAULER_DIR}" || fatal "Failed to Update Permissions of Hauler Directory: ${HAULER_DIR}"
+# ensure hauler directory is only accessible by the owner
+chmod -R 0700 "${HAULER_DIR}" || fatal "Failed to Update Permissions of Hauler Directory: ${HAULER_DIR}"
 
 # change to hauler directory
 cd "${HAULER_DIR}" || fatal "Failed to Change Directory to Hauler Directory: ${HAULER_DIR}"