[Sidrops] Manifest entry filename validation
Erik Rozendaal <erozendaal@ripe.net> Thu, 19 November 2020 09:03 UTC
Return-Path: <erozendaal@ripe.net>
X-Original-To: sidrops@ietfa.amsl.com
Delivered-To: sidrops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F16C03A1245 for <sidrops@ietfa.amsl.com>; Thu, 19 Nov 2020 01:03:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ripe.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h8uanhbrvet5 for <sidrops@ietfa.amsl.com>; Thu, 19 Nov 2020 01:03:56 -0800 (PST)
Received: from molamola.ripe.net (molamola.ripe.net [IPv6:2001:67c:2e8:11::c100:1371]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE9963A1246 for <sidrops@ietf.org>; Thu, 19 Nov 2020 01:03:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ripe.net; s=s1-ripe-net; h=To:Date:Message-Id:Subject:Mime-Version:Content-Type:From: CC; bh=WPWHfFEX3Kkp68YIvvye7haARg+p1Mv5dc5Bl5EN08o=; b=Mh5GOgFEz6xJGXcubGKIkP 7cALGeNP5JmVyQXT7bvOgCVOTSpytA5UKwC7hFsa5c8P+k9yU0yHY4MJEws9yfsCCq+RDro5ezMby rdRYKu/gM0cZdhpEhQeTGjNZEIeE2oKTjBc/kFv+TIXxpLy4PUuqrXVEsw3zR3LtVMWMUAWcvdROW AwLtzeIKUempJDgkWAXOHJ4xD+kJd+9Wtc4fa4qibBGrUMQBd5nByMO6pPn2g6v1lR9XXhDOoycUN TFs7U2ru1faqlbEBvT1DPhLhhuvT2RCbtsCA32sZtYWhQkKhFsmpijPQhLXeACZU/zj5wXCYsTgqr v94DyHSM8q2Q==;
Received: from bufobufo.ripe.net ([193.0.23.13]:43432) by molamola.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94) (envelope-from <erozendaal@ripe.net>) id 1kffr8-0003YW-KB for sidrops@ietf.org; Thu, 19 Nov 2020 10:03:54 +0100
Received: from sslvpn.ipv6.ripe.net ([2001:67c:2e8:9::c100:14e6] helo=[IPv6:2001:67c:2e8:1200::346]) by bufobufo.ripe.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94) (envelope-from <erozendaal@ripe.net>) id 1kffr8-0007il-BM for sidrops@ietf.org; Thu, 19 Nov 2020 10:03:54 +0100
From: Erik Rozendaal <erozendaal@ripe.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_48EB6C8D-C09A-4473-936B-8E802C97C0E2"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
Message-Id: <18CC986C-97FA-41F6-A530-F782D3104A31@ripe.net>
Date: Thu, 19 Nov 2020 10:03:53 +0100
To: sidrops@ietf.org
X-Mailer: Apple Mail (2.3608.120.23.2.4)
X-ACL-Warn: Delaying message
X-RIPE-Signature: 3081e9bfa2e75d9dc8fe5e8110458a383f50b0a5e24c6ca4d1ae405cb3115ed6
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/vHQU6jV08Sgee1wuDxT0_UQsaGs>
Subject: [Sidrops] Manifest entry filename validation
X-BeenThere: sidrops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: A list for the SIDR Operations WG <sidrops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidrops>, <mailto:sidrops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidrops/>
List-Post: <mailto:sidrops@ietf.org>
List-Help: <mailto:sidrops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidrops>, <mailto:sidrops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2020 09:03:58 -0000
Hi all, During the past months we've been working on improving the RPKI validator to track the 6468bis RFC. As part of that effort we've also been finding and fixing various other mismatches with the current RPKI RFCs. One part of this is validating manifest entry file names. Currently the various validator implementations handle manifest filename entries differently, potentially resulting in different validation results. Summary: We think the manifest RFC 6486 should define rules used for the filename entries in a manifest. Our proposal is to only allow a minimal set of characters from the ASN.1 IA5String type: a-z, A-Z, 0-9, . (dot), - (dash), _ (underscore). Furthermore blank entries, ".", and ".." must not be allowed. Filename extensions should be matched in a case insensitive manner when determining object type (ROA, CRL, etc). These rules validate all current objects from the major trust anchors (all RIRs and APNIc AS0). They avoid special URI characters and characters that may be used to navigate file system directories. We may also want to add rules such as: - Avoid illegal (Windows) filenames such as PRN, NUL, or CON (see https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file <https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file>). - Require that all entries have a three letter filename extension. - Prohibit entries that only differ by upper or lower case (FOO.CER vs foo.cer). Background: Manifest entry filename validation Currently the different RPKI validators use different rules to validate the filename of a manifest entry. The RFC says (section 4.2.1 under "fileList"): "Each FileAndHash is an ordered pair consisting of the name of the file in the repository publication point (directory) that contains the object in question and a hash of the file's contents." Unfortunately it is not exactly clear what is allowed as the filename. The three validators that I investigated use different strategies: rpki-validator-3: anything goes. Filename is resolved using the base repository URI and the `resolve` method on the Java URI class. This allows subdirectories, escaping to parent directories, etc. This will be fixed by https://github.com/RIPE-NCC/rpki-commons/pull/30 <https://github.com/RIPE-NCC/rpki-commons/pull/30> where a filename must: - only have characters a-z, A-Z, 0-9, <dot>, (, ), +, -, ', :, =, or _. - not be blank - not be "." - not be ".." All currently published objects pass these test. rpki-client: filename entries must be at least four characters and the filename should not contain a forward slash (/). See https://cvsweb.openbsd.org/src/usr.sbin/rpki-client/mft.c?rev=1.14.4.1&content-type=text/x-cvsweb-markup <https://cvsweb.openbsd.org/src/usr.sbin/rpki-client/mft.c?rev=1.14.4.1&content-type=text/x-cvsweb-markup> in the `mft_parse_filehash` function. routinator: filename cannot have control characters or spaces, ", #, <, >, ?, [, \, ], ^, `, {, |, } or have value >= 0x7f (see https://github.com/NLnetLabs/rpki-rs/blob/b3b0eb6b0c524d1bdd8de23acc6cf3988386b3b0/src/uri.rs#L682 <https://github.com/NLnetLabs/rpki-rs/blob/b3b0eb6b0c524d1bdd8de23acc6cf3988386b3b0/src/uri.rs#L682>). Furthermore "." and ".." are not allowed as segment anywhere in a complete rsync URI (see https://github.com/NLnetLabs/rpki-rs/blob/b3b0eb6b0c524d1bdd8de23acc6cf3988386b3b0/src/uri.rs#L95 <https://github.com/NLnetLabs/rpki-rs/blob/b3b0eb6b0c524d1bdd8de23acc6cf3988386b3b0/src/uri.rs#L95>). Kind regards, Erik
- [Sidrops] Manifest entry filename validation Erik Rozendaal
- Re: [Sidrops] Manifest entry filename validation Stephen Kent
- Re: [Sidrops] Manifest entry filename validation Erik Rozendaal
- Re: [Sidrops] Manifest entry filename validation Job Snijders
- Re: [Sidrops] Manifest entry filename validation Tim Bruijnzeels
- Re: [Sidrops] Manifest entry filename validation Stephen Kent
- Re: [Sidrops] Manifest entry filename validation Job Snijders
- Re: [Sidrops] Manifest entry filename validation Job Snijders
- Re: [Sidrops] Manifest entry filename validation Stephen Kent
- Re: [Sidrops] Manifest entry filename validation Ties de Kock
- Re: [Sidrops] Manifest entry filename validation Job Snijders
- Re: [Sidrops] Manifest entry filename validation Russ Housley
- Re: [Sidrops] Manifest entry filename validation Di Ma
- Re: [Sidrops] Manifest entry filename validation Tim Bruijnzeels
- Re: [Sidrops] Manifest entry filename validation Ties de Kock
- Re: [Sidrops] Manifest entry filename validation Robert Kisteleki
- Re: [Sidrops] Manifest entry filename validation Stephen Kent
- Re: [Sidrops] Manifest entry filename validation Job Snijders
- Re: [Sidrops] Manifest entry filename validation Russ Housley
- Re: [Sidrops] Manifest entry filename validation Tim Bruijnzeels
- Re: [Sidrops] Manifest entry filename validation Stephen Kent
- Re: [Sidrops] Manifest entry filename validation Tim Bruijnzeels