use os.Root to mitigate fs security issues

Author: evict

cmd/src/servegit.go

@@ -58,11 +58,17 @@ Documentation at https://sourcegraph.com/docs/admin/code_hosts/src_serve_git
 			dbug = log.New(os.Stderr, "DBUG serve-git: ", log.LstdFlags)
 		}
 
+		root, err := os.OpenRoot(repoDir)
+		if err != nil {
+			return err
+		}
+
 		s := &servegit.Serve{
-			Addr:  *addrFlag,
-			Root:  repoDir,
-			Info:  log.New(os.Stderr, "serve-git: ", log.LstdFlags),
-			Debug: dbug,
+			Addr:   *addrFlag,
+			Root:   repoDir,
+			RootFS: root,
+			Info:   log.New(os.Stderr, "serve-git: ", log.LstdFlags),
+			Debug:  dbug,
 		}
 
 		if *listFlag {

internal/servegit/gitservice.go

@@ -65,6 +65,10 @@ type Handler struct {
 	// call the returned function when done executing. If the executation
 	// failed, it will pass in a non-nil error.
 	Trace func(ctx context.Context, svc, repo, protocol string) func(error)
+
+	// RootFS is a traversal safe API that ensures file outside of the
+	// root cannot be opened.
+	RootFS *os.Root
 }
 
 func (s *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@@ -93,7 +97,7 @@ func (s *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if _, err = os.Stat(dir); os.IsNotExist(err) {
+	if _, err = s.RootFS.Stat(dir); os.IsNotExist(err) {
 		http.Error(w, "repository not found", http.StatusNotFound)
 		return
 	} else if err != nil {
@@ -104,6 +108,7 @@ func (s *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	body := r.Body
 	defer body.Close()
 
+	// TODO(@evict) max filereader
 	if r.Header.Get("Content-Encoding") == "gzip" {
 		gzipReader, err := gzip.NewReader(body)
 		if err != nil {

internal/servegit/serve.go

@@ -9,6 +9,7 @@ import (
 	"log"
 	"net"
 	"net/http"
+	"os"
 	"os/exec"
 	pathpkg "path"
 	"path/filepath"
@@ -19,10 +20,11 @@ import (
 )
 
 type Serve struct {
-	Addr  string
-	Root  string
-	Info  *log.Logger
-	Debug *log.Logger
+	Addr   string
+	Root   string
+	RootFS *os.Root
+	Info   *log.Logger
+	Debug  *log.Logger
 }
 
 func (s *Serve) Start() error {
@@ -69,7 +71,7 @@ func (s *Serve) handler() http.Handler {
 
 	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "text/html; charset=utf-8")
-		err := indexHTML.Execute(w, map[string]interface{}{
+		err := indexHTML.Execute(w, map[string]any{
 			"Explain": explainAddr(s.Addr),
 			"Links": []string{
 				"/v1/list-repos",
@@ -100,7 +102,8 @@ func (s *Serve) handler() http.Handler {
 		_ = enc.Encode(&resp)
 	})
 
-	fs := http.FileServer(http.Dir(s.Root))
+	safeFS := http.FS(s.RootFS.FS())
+	fs := http.FileServer(safeFS)
 	svc := &Handler{
 		Dir: func(_ context.Context, name string) (string, error) {
 			return filepath.Join(s.Root, filepath.FromSlash(name)), nil
@@ -117,6 +120,7 @@ func (s *Serve) handler() http.Handler {
 				}
 			}
 		},
+		RootFS: s.RootFS,
 	}
 	mux.Handle("/repos/", http.StripPrefix("/repos/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// Use git service if git is trying to clone. Otherwise show http.FileServer for convenience