[release-branch.go1.17] path/filepath: fix stack exhaustion in Glob

A limit is added to the number of path separators allowed by an input to Glob, to prevent stack exhaustion issues. Thanks to Juho Nurminen of Mattermost who reported the issue. Fixes golang#53713 Updates golang#53416 Fixes CVE-2022-30632 Change-Id: I1b9fd4faa85411a05dbc91dceae1c0c8eb021f07 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1498176 Reviewed-by: Roland Shoemaker <[email protected]> (cherry picked from commit d182a6d1217fd0d04c9babfa9a7ccd3515435c39) Reviewed-on: https://go-review.googlesource.com/c/go/+/417073 Reviewed-by: Heschi Kreinick <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Michael Knyszek <[email protected]>
danbudris · Sep 14, 2022 · 7781521 · 7781521
1 parent a966897
commit 7781521
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/src/path/filepath/match.go b/src/path/filepath/match.go
@@ -232,6 +232,20 @@ func getEsc(chunk string) (r rune, nchunk string, err error) {
 // The only possible returned error is ErrBadPattern, when pattern
 // is malformed.
 func Glob(pattern string) (matches []string, err error) {
+	return globWithLimit(pattern, 0)
+}
+
+func globWithLimit(pattern string, depth int) (matches []string, err error) {
+	// This limit is used prevent stack exhaustion issues. See CVE-2022-30632.
+	const pathSeparatorsLimit = 10000
+	if depth == pathSeparatorsLimit {
+		return nil, ErrBadPattern
+	}
+
+	// Check pattern is well-formed.
+	if _, err := Match(pattern, ""); err != nil {
+		return nil, err
+	}
 	if !hasMeta(pattern) {
 		if _, err = os.Lstat(pattern); err != nil {
 			return nil, nil
@@ -257,7 +271,7 @@ func Glob(pattern string) (matches []string, err error) {
 	}
 
 	var m []string
-	m, err = Glob(dir)
+	m, err = globWithLimit(dir, depth+1)
 	if err != nil {
 		return
 	}

diff --git a/src/path/filepath/match_test.go b/src/path/filepath/match_test.go
@@ -154,6 +154,16 @@ func TestGlob(t *testing.T) {
 	}
 }
 
+func TestCVE202230632(t *testing.T) {
+	// Prior to CVE-2022-30632, this would cause a stack exhaustion given a
+	// large number of separators (more than 4,000,000). There is now a limit
+	// of 10,000.
+	_, err := Glob("/*" + strings.Repeat("/", 10001))
+	if err != ErrBadPattern {
+		t.Fatalf("Glob returned err=%v, want ErrBadPattern", err)
+	}
+}
+
 func TestGlobError(t *testing.T) {
 	_, err := Glob("[]")
 	if err == nil {