TASK-014: Add log path validation to prevent arbitrary file access

Restrict monitored log paths to a configurable allowlist of safe directories to prevent authenticated users from instructing fail2ban to monitor arbitrary files on the system, which could leak contents via fail2ban logging. Changes: - Add 'allowed_log_dirs' setting to Settings (defaults to /var/log, /config/log) - Add @field_validator to AddLogPathRequest to validate log paths at request time - Validator resolves paths to canonical form and checks against allowed prefixes - Use Path.is_relative_to() to prevent prefix bypass attacks like /var/log_evil - Add comprehensive tests for valid/invalid paths and symlink handling - Update Features.md and Backend-Development.md with security documentation Security improvements: - Blocks access to sensitive files (/etc/shadow, /etc/passwd, etc.) - Resolves symlinks before validation to prevent escape routes - Uses proper path comparison instead of string prefix matching - Configurable via BANGUI_ALLOWED_LOG_DIRS environment variable Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-26 13:49:04 +02:00
parent 2331567bd7
commit 308cf680a7
5 changed files with 223 additions and 4 deletions
--- a/backend/tests/test_models.py
+++ b/backend/tests/test_models.py
@@ -0,0 +1,141 @@
+"""Unit tests for Pydantic models and their validators."""
+
+import tempfile
+from pathlib import Path
+
+import pytest
+from pydantic import ValidationError
+
+from app.config import Settings
+from app.models.config import AddLogPathRequest
+
+
+@pytest.fixture
+def _mock_allowed_dirs(monkeypatch: pytest.MonkeyPatch) -> None:
+    """Mock get_settings to return test settings with default allowed directories."""
+    def mock_get_settings() -> Settings:
+        return Settings(
+            database_path=":memory:",
+            fail2ban_socket="/tmp/fake.sock",
+            fail2ban_config_dir="/tmp/fail2ban",
+            session_secret="test-secret-key-do-not-use",
+        )
+
+    monkeypatch.setattr("app.models.config.get_settings", mock_get_settings)
+
+
+def test_add_log_path_request_valid_in_var_log(_mock_allowed_dirs: None) -> None:
+    """Valid log paths in /var/log are accepted."""
+    req = AddLogPathRequest(log_path="/var/log/auth.log", tail=True)
+    assert req.log_path == "/var/log/auth.log"
+    assert req.tail is True
+
+
+def test_add_log_path_request_valid_in_config_log(_mock_allowed_dirs: None) -> None:
+    """Valid log paths in /config/log are accepted."""
+    req = AddLogPathRequest(log_path="/config/log/app.log", tail=False)
+    assert req.log_path == "/config/log/app.log"
+    assert req.tail is False
+
+
+def test_add_log_path_request_valid_with_subdirectory(_mock_allowed_dirs: None) -> None:
+    """Log paths in subdirectories of allowed paths are accepted."""
+    req = AddLogPathRequest(log_path="/var/log/syslog/auth.log", tail=True)
+    assert req.log_path == "/var/log/syslog/auth.log"
+
+
+def test_add_log_path_request_rejects_path_outside_allowed(_mock_allowed_dirs: None) -> None:
+    """Paths outside allowed directories are rejected."""
+    with pytest.raises(ValidationError) as exc_info:
+        AddLogPathRequest(log_path="/etc/passwd", tail=True)
+    error_msg = str(exc_info.value)
+    assert "outside allowed directories" in error_msg
+    assert "/etc/passwd" in error_msg
+
+
+def test_add_log_path_request_rejects_home_directory(_mock_allowed_dirs: None) -> None:
+    """Paths in home directories are rejected."""
+    with pytest.raises(ValidationError) as exc_info:
+        AddLogPathRequest(log_path="/home/user/app.log", tail=True)
+    error_msg = str(exc_info.value)
+    assert "outside allowed directories" in error_msg
+
+
+def test_add_log_path_request_rejects_shadow_file(_mock_allowed_dirs: None) -> None:
+    """Paths to sensitive files like /etc/shadow are rejected."""
+    with pytest.raises(ValidationError) as exc_info:
+        AddLogPathRequest(log_path="/etc/shadow", tail=True)
+    error_msg = str(exc_info.value)
+    assert "outside allowed directories" in error_msg
+
+
+def test_add_log_path_request_rejects_symlink_escape(monkeypatch: pytest.MonkeyPatch) -> None:
+    """Symlinks that escape allowed directories are rejected."""
+    with tempfile.TemporaryDirectory() as tmpdir:
+        allowed_dir = Path(tmpdir) / "allowed"
+        escape_dir = Path(tmpdir) / "escape"
+        allowed_dir.mkdir()
+        escape_dir.mkdir()
+
+        symlink = allowed_dir / "escape_link"
+        symlink.symlink_to(escape_dir)
+
+        def mock_get_settings() -> Settings:
+            return Settings(
+                database_path=":memory:",
+                fail2ban_socket="/tmp/fake.sock",
+                fail2ban_config_dir="/tmp/fail2ban",
+                session_secret="test-secret-key-do-not-use",
+                allowed_log_dirs=[str(allowed_dir)],
+            )
+
+        monkeypatch.setattr("app.models.config.get_settings", mock_get_settings)
+
+        with pytest.raises(ValidationError) as exc_info:
+            AddLogPathRequest(log_path=str(symlink / "evil.log"), tail=True)
+        error_msg = str(exc_info.value)
+        assert "outside allowed directories" in error_msg
+
+
+def test_add_log_path_request_validates_startswith_bypass(_mock_allowed_dirs: None) -> None:
+    """Paths like /var/log_evil that bypass startswith() are rejected."""
+    with pytest.raises(ValidationError) as exc_info:
+        AddLogPathRequest(log_path="/var/log_evil/somefile.log", tail=True)
+    error_msg = str(exc_info.value)
+    assert "outside allowed directories" in error_msg
+
+
+def test_add_log_path_request_default_tail_is_true(_mock_allowed_dirs: None) -> None:
+    """Tail defaults to True."""
+    req = AddLogPathRequest(log_path="/var/log/app.log")
+    assert req.tail is True
+
+
+def test_add_log_path_request_error_message_lists_allowed_dirs(_mock_allowed_dirs: None) -> None:
+    """Error message includes the list of allowed directories."""
+    with pytest.raises(ValidationError) as exc_info:
+        AddLogPathRequest(log_path="/root/secret.log", tail=True)
+    error_msg = str(exc_info.value)
+    assert "/var/log" in error_msg
+    assert "/config/log" in error_msg
+
+
+def test_add_log_path_request_custom_allowed_dirs(monkeypatch: pytest.MonkeyPatch) -> None:
+    """Custom allowed directories from settings are respected."""
+    def mock_get_settings() -> Settings:
+        return Settings(
+            database_path=":memory:",
+            fail2ban_socket="/tmp/fake.sock",
+            fail2ban_config_dir="/tmp/fail2ban",
+            session_secret="test-secret-key-do-not-use",
+            allowed_log_dirs=["/custom/logs", "/another/path"],
+        )
+
+    monkeypatch.setattr("app.models.config.get_settings", mock_get_settings)
+
+    req = AddLogPathRequest(log_path="/custom/logs/app.log", tail=True)
+    assert req.log_path == "/custom/logs/app.log"
+
+    with pytest.raises(ValidationError):
+        AddLogPathRequest(log_path="/var/log/app.log", tail=True)
+