all: add permcheck, client fix; imp chlog

AdguardTeam · Oct 2, 2024 · e8fd4b1 · e8fd4b1
1 parent 8cb5781
commit e8fd4b1
Show file tree

Hide file tree

Showing 40 changed files with 885 additions and 91 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,7 +1,7 @@
 'name': 'build'
 
 'env':
-  'GO_VERSION': '1.23.1'
+  'GO_VERSION': '1.23.2'
   'NODE_VERSION': '16'
 
 'on':

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -1,7 +1,7 @@
 'name': 'lint'
 
 'env':
-  'GO_VERSION': '1.23.1'
+  'GO_VERSION': '1.23.2'
 
 'on':
   'push':

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,19 +18,43 @@ TODO(a.garipov): Use the common markdown formatting tools.
 <!--
 ## [v0.108.0] - TBA
 
-## [v0.107.53] - 2024-07-24 (APPROX.)
+## [v0.107.54] - 2024-10-03 (APPROX.)
 
-See also the [v0.107.53 GitHub milestone][ms-v0.107.53].
+See also the [v0.107.54 GitHub milestone][ms-v0.107.54].
 
-[ms-v0.107.53]: https://github.com/AdguardTeam/AdGuardHome/milestone/88?closed=1
+[ms-v0.107.54]: https://github.com/AdguardTeam/AdGuardHome/milestone/89?closed=1
 
 NOTE: Add new changes BELOW THIS COMMENT.
 -->
 
+<!--
+NOTE: Add new changes ABOVE THIS COMMENT.
+-->
+
+
+
+## [v0.107.53] - 2024-10-03
+
+See also the [v0.107.53 GitHub milestone][ms-v0.107.53].
+
 ### Security
 
+- Previous versions of AdGuard Home allowed users to add any system it had
+  access to as filters, exposing them to be world-readable.  To prevent this,
+  AdGuard Home now allows adding filtering-rule list files only from files
+  matching the patterns enumerated in the `filtering.safe_fs_patterns` property
+  in the configuration file.
+
+  We thank @itz-d0dgy for reporting this vulnerability, designated
+  CVE-2024-36814, to us.
+- Additionally, AdGuard Home will now try to change the permissions of its files
+  and directories to more restrictive ones to prevent similar vulnerabilities
+  as well as limit the access to the configuration.
+
+  We thank @go-compile for reporting this vulnerability, designated
+  CVE-2024-36586, to us.
 - Go version has been updated to prevent the possibility of exploiting the Go
-  vulnerabilities fixed in [1.23.1][go-1.23.1].
+  vulnerabilities fixed in [1.23.2][go-1.23.2].
 
 ### Added
 
@@ -42,6 +66,15 @@ NOTE: Add new changes BELOW THIS COMMENT.
 - Upstream server URL domain names requirements has been relaxed and now follow
   the same rules as their domain specifications.
 
+#### Configuration changes
+
+In this release, the schema version has changed from 28 to 29.
+
+- The new array `filtering.safe_fs_patterns` contains glob patterns for paths of
+  files that can be added as local filtering-rule lists.  The migration should
+  add list files that have already been added, as well as the default value,
+  `$DATA_DIR/userfilters/*`.
+
 ### Fixed
 
 - Property `clients.runtime_sources.dhcp` in the configuration file not taking
@@ -50,17 +83,30 @@ NOTE: Add new changes BELOW THIS COMMENT.
 - Enforce Bing safe search from Edge sidebar ([#7154]).
 - Text overflow on the query log page ([#7119]).
 
+### Known issues
+
+- Due to the complexity of the Windows permissions architecture and poor support
+  from the standard Go library, we have to postpone the proper automated Windows
+  fix until the next release.
+
+  **Temporary workaround:**  Set the permissions of the `AdGuardHome` directory
+  to more restrictive ones manually.  To do that:
+
+  1. Locate the `AdGuardHome` directory.
+  2. Right-click on it and navigate to *Properties → Security → Advanced.*
+  3. (You might need to disable permission inheritance to make them more
+     restricted.)
+  4. Adjust to give the `Full control` access to only the user which runs
+     AdGuard Home.  Typically, `Administrator`.
+
 [#5009]: https://github.com/AdguardTeam/AdGuardHome/issues/5009
 [#5704]: https://github.com/AdguardTeam/AdGuardHome/issues/5704
 [#7119]: https://github.com/AdguardTeam/AdGuardHome/issues/7119
 [#7154]: https://github.com/AdguardTeam/AdGuardHome/pull/7154
 [#7155]: https://github.com/AdguardTeam/AdGuardHome/pull/7155
 
-[go-1.23.1]: https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc
-
-<!--
-NOTE: Add new changes ABOVE THIS COMMENT.
--->
+[go-1.23.2]:    https://groups.google.com/g/golang-announce/c/NKEc8VT7Fz0
+[ms-v0.107.53]: https://github.com/AdguardTeam/AdGuardHome/milestone/88?closed=1
 
 
 
@@ -3098,11 +3144,12 @@ See also the [v0.104.2 GitHub milestone][ms-v0.104.2].
 
 
 <!--
-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.53...HEAD
-[v0.107.53]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.52...v0.107.53
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.54...HEAD
+[v0.107.54]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.53...v0.107.54
 -->
 
-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.52...HEAD
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.53...HEAD
+[v0.107.53]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.52...v0.107.53
 [v0.107.52]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.51...v0.107.52
 [v0.107.51]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.50...v0.107.51
 [v0.107.50]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.49...v0.107.50

diff --git a/Makefile b/Makefile
@@ -27,8 +27,7 @@ DEPLOY_SCRIPT_PATH = not/a/real/path
 DIST_DIR = dist
 GOAMD64 = v1
 GOPROXY = https://proxy.golang.org|direct
-GOSUMDB = sum.golang.google.cn
-GOTOOLCHAIN = go1.23.1
+GOTOOLCHAIN = go1.23.2
 GOTELEMETRY = off
 GPG_KEY = [email protected]
 GPG_KEY_PASSPHRASE = not-a-real-password
@@ -67,7 +66,6 @@ ENV = env\
 	GO="$(GO.MACRO)"\
 	GOAMD64='$(GOAMD64)'\
 	GOPROXY='$(GOPROXY)'\
-	GOSUMDB='$(GOSUMDB)'\
 	GOTELEMETRY='$(GOTELEMETRY)'\
 	GOTOOLCHAIN='$(GOTOOLCHAIN)'\
 	GPG_KEY='$(GPG_KEY)'\

diff --git a/bamboo-specs/release.yaml b/bamboo-specs/release.yaml
@@ -8,7 +8,7 @@
 'variables':
     'channel': 'edge'
     'dockerFrontend': 'adguard/home-js-builder:2.0'
-    'dockerGo': 'adguard/go-builder:1.23.1--1'
+    'dockerGo': 'adguard/go-builder:1.23.2--1'
 
 'stages':
   - 'Build frontend':
@@ -276,7 +276,7 @@
         'variables':
             'channel': 'beta'
             'dockerFrontend': 'adguard/home-js-builder:2.0'
-            'dockerGo': 'adguard/go-builder:1.23.1--1'
+            'dockerGo': 'adguard/go-builder:1.23.2--1'
     # release-vX.Y.Z branches are the branches from which the actual final
     # release is built.
   - '^release-v[0-9]+\.[0-9]+\.[0-9]+':
@@ -292,4 +292,4 @@
         'variables':
             'channel': 'release'
             'dockerFrontend': 'adguard/home-js-builder:2.0'
-            'dockerGo': 'adguard/go-builder:1.23.1--1'
+            'dockerGo': 'adguard/go-builder:1.23.2--1'
diff --git a/bamboo-specs/test.yaml b/bamboo-specs/test.yaml
@@ -6,7 +6,7 @@
     'name': 'AdGuard Home - Build and run tests'
 'variables':
     'dockerFrontend': 'adguard/home-js-builder:2.0'
-    'dockerGo': 'adguard/go-builder:1.23.1--1'
+    'dockerGo': 'adguard/go-builder:1.23.2--1'
     'channel': 'development'
 
 'stages':
@@ -196,5 +196,5 @@
         # may need to build a few of these.
         'variables':
             'dockerFrontend': 'adguard/home-js-builder:2.0'
-            'dockerGo': 'adguard/go-builder:1.23.1--1'
+            'dockerGo': 'adguard/go-builder:1.23.2--1'
             'channel': 'candidate'
diff --git a/go.mod b/go.mod
@@ -1,10 +1,10 @@
 module github.com/AdguardTeam/AdGuardHome
 
-go 1.23.1
+go 1.23.2
 
 require (
-	github.com/AdguardTeam/dnsproxy v0.73.0
-	github.com/AdguardTeam/golibs v0.26.0
+	github.com/AdguardTeam/dnsproxy v0.73.2
+	github.com/AdguardTeam/golibs v0.27.0
 	github.com/AdguardTeam/urlfilter v0.19.0
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/ameshkov/dnscrypt/v2 v2.3.0

diff --git a/go.sum b/go.sum
@@ -1,7 +1,7 @@
-github.com/AdguardTeam/dnsproxy v0.73.0 h1:E1fxzosMqExZH8h7OJnKXLxyktcAFRJapLF4+nKULms=
-github.com/AdguardTeam/dnsproxy v0.73.0/go.mod h1:ZcvmyQY2EiX5B0yCTkiYTgtm+1lBWA0lajbEI9dOhW4=
-github.com/AdguardTeam/golibs v0.26.0 h1:uLL0XggEjB+87lL1tPpEAQNoKAlHDq5AyBUVWEgf63E=
-github.com/AdguardTeam/golibs v0.26.0/go.mod h1:iWdjXPCwmK2g2FKIb/OwEPnovSXeMqRhI8FWLxF5oxE=
+github.com/AdguardTeam/dnsproxy v0.73.2 h1:O6wRXzHsnWL5TkhYcuLWCShVFF0X5RFI6qUmq1ZFVsQ=
+github.com/AdguardTeam/dnsproxy v0.73.2/go.mod h1:zD5WfTctbRvYYk8PS39h6/OT84NTu6QxKbAiBN5PUcI=
+github.com/AdguardTeam/golibs v0.27.0 h1:YxCFK6HBGp/ZXp3bv5uei+oLH12UfIYB8u2rh1B6nnU=
+github.com/AdguardTeam/golibs v0.27.0/go.mod h1:iWdjXPCwmK2g2FKIb/OwEPnovSXeMqRhI8FWLxF5oxE=
 github.com/AdguardTeam/urlfilter v0.19.0 h1:q7eH13+yNETlpD/VD3u5rLQOripcUdEktqZFy+KiQLk=
 github.com/AdguardTeam/urlfilter v0.19.0/go.mod h1:+N54ZvxqXYLnXuvpaUhK2exDQW+djZBRSb6F6j0rkBY=
 github.com/NYTimes/gziphandler v1.1.1 h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=

diff --git a/internal/aghos/os.go b/internal/aghos/os.go
@@ -19,6 +19,12 @@ import (
 	"github.com/AdguardTeam/golibs/log"
 )
 
+// Default file and directory permissions.
+const (
+	DefaultPermDir  = 0o700
+	DefaultPermFile = 0o600
+)
+
 // Unsupported is a helper that returns a wrapped [errors.ErrUnsupported].
 func Unsupported(op string) (err error) {
 	return fmt.Errorf("%s: not supported on %s: %w", op, runtime.GOOS, errors.ErrUnsupported)

diff --git a/internal/configmigrate/configmigrate.go b/internal/configmigrate/configmigrate.go
@@ -2,4 +2,4 @@
 package configmigrate
 
 // LastSchemaVersion is the most recent schema version.
-const LastSchemaVersion uint = 28
+const LastSchemaVersion uint = 29
diff --git a/internal/configmigrate/migrations_internal_test.go b/internal/configmigrate/migrations_internal_test.go
@@ -19,6 +19,7 @@ func TestUpgradeSchema1to2(t *testing.T) {
 
 	m := New(&Config{
 		WorkingDir: "",
+		DataDir:    "",
 	})
 
 	err := m.migrateTo2(diskConf)

diff --git a/internal/configmigrate/migrator.go b/internal/configmigrate/migrator.go
@@ -10,20 +10,24 @@ import (
 
 // Config is a the configuration for initializing a [Migrator].
 type Config struct {
-	// WorkingDir is an absolute path to the working directory of AdGuardHome.
+	// WorkingDir is the absolute path to the working directory of AdGuardHome.
 	WorkingDir string
+
+	// DataDir is the absolute path to the data directory of AdGuardHome.
+	DataDir string
 }
 
 // Migrator performs the YAML configuration file migrations.
 type Migrator struct {
-	// workingDir is an absolute path to the working directory of AdGuardHome.
 	workingDir string
+	dataDir    string
 }
 
 // New creates a new Migrator.
-func New(cfg *Config) (m *Migrator) {
+func New(c *Config) (m *Migrator) {
 	return &Migrator{
-		workingDir: cfg.WorkingDir,
+		workingDir: c.WorkingDir,
+		dataDir:    c.DataDir,
 	}
 }
 
@@ -120,6 +124,7 @@ func (m *Migrator) upgradeConfigSchema(current, target uint, diskConf yobj) (err
 		25: migrateTo26,
 		26: migrateTo27,
 		27: migrateTo28,
+		28: m.migrateTo29,
 	}
 
 	for i, migrate := range upgrades[current:target] {

diff --git a/internal/configmigrate/migrator_test.go b/internal/configmigrate/migrator_test.go
@@ -4,6 +4,7 @@ import (
 	"io/fs"
 	"os"
 	"path"
+	"path/filepath"
 	"testing"
 
 	"github.com/AdguardTeam/AdGuardHome/internal/configmigrate"
@@ -190,6 +191,10 @@ func TestMigrateConfig_Migrate(t *testing.T) {
 		yamlEqFunc:    require.YAMLEq,
 		name:          "v27",
 		targetVersion: 27,
+	}, {
+		yamlEqFunc:    require.YAMLEq,
+		name:          "v29",
+		targetVersion: 29,
 	}}
 
 	for _, tc := range testCases {
@@ -202,6 +207,7 @@ func TestMigrateConfig_Migrate(t *testing.T) {
 
 			migrator := configmigrate.New(&configmigrate.Config{
 				WorkingDir: t.Name(),
+				DataDir:    filepath.Join(t.Name(), "data"),
 			})
 			newBody, upgraded, err := migrator.Migrate(body, tc.targetVersion)
 			require.NoError(t, err)