Security: Fix path traversal vulnerability in host-agent download endpoint

CRITICAL SECURITY FIX: The /download/pulse-host-agent endpoint was directly
concatenating user-supplied platform and arch query parameters into file paths
without validation, allowing path traversal attacks.

An attacker could request:
  /download/pulse-host-agent?platform=../../etc/passwd
to read arbitrary files from the container filesystem.

Fix: Add input validation to only allow alphanumeric characters and hyphens
in platform/arch parameters before using them in file paths.

Related: Codex security audit identified this during pre-release review
This commit is contained in:
rcourtman 2025-11-12 16:27:11 +00:00
parent 775bf99a96
commit 946e2e455f

View file

@ -3326,6 +3326,18 @@ func (r *Router) handleDownloadHostAgent(w http.ResponseWriter, req *http.Reques
platformParam := strings.TrimSpace(req.URL.Query().Get("platform"))
archParam := strings.TrimSpace(req.URL.Query().Get("arch"))
// Validate platform and arch to prevent path traversal attacks
// Only allow alphanumeric characters and hyphens
validPattern := regexp.MustCompile(`^[a-zA-Z0-9\-]+$`)
if platformParam != "" && !validPattern.MatchString(platformParam) {
http.Error(w, "Invalid platform parameter", http.StatusBadRequest)
return
}
if archParam != "" && !validPattern.MatchString(archParam) {
http.Error(w, "Invalid arch parameter", http.StatusBadRequest)
return
}
searchPaths := make([]string, 0, 12)
strictMode := platformParam != "" && archParam != ""