yggdrasil-network/yggdrasil-go
1
0
Fork 0
mirror of https://github.com/yggdrasil-network/yggdrasil-go.git synced 2025-08-24 16:05:07 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Remove safe file operation wrappers from configuration handling to streamline code. Update SECURITY.md to reflect the removal of these functions and adjust the section numbering accordingly.

Browse source
This commit is contained in:
Andy Oknen 2025-08-15 20:15:57 +00:00
parent 443f9d0afd
commit 2180e12b73
2 changed files with 2 additions and 37 deletions
Download patch file Download diff file Expand all files Collapse all files

12
src/config/SECURITY.md
View file

@ -34,22 +34,14 @@ Multiple layers of protection:
## Additional Security Measures ## Additional Security Measures
### 4. Safe File Operation Wrappers ### 4. System Directory Protection
Additional wrapper functions provide extra safety:
- `safeReadFile()` - Validates paths before reading
- `safeWriteFile()` - Validates paths before writing
- `safeStat()` - Validates paths before stat operations
### 5. System Directory Protection
Restricted access to sensitive system directories: Restricted access to sensitive system directories:
- Blocks access to `/etc/` (except `/etc/yggdrasil/`) - Blocks access to `/etc/` (except `/etc/yggdrasil/`)
- Blocks access to `/root/`, `/var/` (except `/var/lib/yggdrasil/`) - Blocks access to `/root/`, `/var/` (except `/var/lib/yggdrasil/`)
- Blocks access to `/sys/`, `/proc/`, `/dev/` - Blocks access to `/sys/`, `/proc/`, `/dev/`
### 6. Path Depth Limiting ### 5. Path Depth Limiting
Maximum path depth of 10 levels to prevent deeply nested attacks. Maximum path depth of 10 levels to prevent deeply nested attacks.

27
src/config/config.go
View file

@ -370,33 +370,6 @@ func validateConfigPath(path string) (string, error) {
return absPath, nil return absPath, nil
} }
// safeReadFile safely reads a file after validating the path
func safeReadFile(path string) ([]byte, error) {
validatedPath, err := validateConfigPath(path)
if err != nil {
return nil, fmt.Errorf("invalid file path: %v", err)
}
return os.ReadFile(validatedPath)
}
// safeWriteFile safely writes a file after validating the path
func safeWriteFile(path string, data []byte, perm os.FileMode) error {
validatedPath, err := validateConfigPath(path)
if err != nil {
return fmt.Errorf("invalid file path: %v", err)
}
return os.WriteFile(validatedPath, data, perm)
}
// safeStat safely stats a file after validating the path
func safeStat(path string) (os.FileInfo, error) {
validatedPath, err := validateConfigPath(path)
if err != nil {
return nil, fmt.Errorf("invalid file path: %v", err)
}
return os.Stat(validatedPath)
}
// SetCurrentConfig sets the current configuration data and path // SetCurrentConfig sets the current configuration data and path
func SetCurrentConfig(path string, cfg *NodeConfig) { func SetCurrentConfig(path string, cfg *NodeConfig) {
// Validate the path before setting it // Validate the path before setting it