-
Notifications
You must be signed in to change notification settings - Fork 907
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
(#3281) Add validation for cache folder permissions
These changes introduces a new validation check to ensure that the system cache folder that is used for storing NuGet responses have been properly locked down to administrators. When the directory exists, and allows modifications or creations of files by normal user this will output a validation warning about steps that can be taken to lock down the directory. When the directory does not exist, this same validation check ensure that the directory is created while only allowing Administrators to modify, create or delete anything in the folder.
- Loading branch information
1 parent
18bacb8
commit 367319a
Showing
6 changed files
with
265 additions
and
21 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
127 changes: 127 additions & 0 deletions
127
src/chocolatey/infrastructure.app/validations/CacheFolderValidationLockdown.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,127 @@ | ||
// Copyright © 2017 - 2023 Chocolatey Software, Inc | ||
// Copyright © 2011 - 2017 RealDimensions Software, LLC | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
namespace chocolatey.infrastructure.app.validations | ||
{ | ||
using System; | ||
using System.Collections.Generic; | ||
using chocolatey.infrastructure.app.configuration; | ||
using chocolatey.infrastructure.filesystem; | ||
using chocolatey.infrastructure.information; | ||
using chocolatey.infrastructure.validations; | ||
|
||
public sealed class CacheFolderLockdownValidation : IValidation | ||
{ | ||
private readonly IFileSystem _fileSystem; | ||
|
||
public CacheFolderLockdownValidation(IFileSystem fileSystem) | ||
{ | ||
_fileSystem = fileSystem; | ||
} | ||
|
||
public ICollection<ValidationResult> Validate(ChocolateyConfiguration config) | ||
{ | ||
this.Log().Debug("Cache Folder Lockdown Checks:"); | ||
|
||
var result = new List<ValidationResult>(); | ||
|
||
if (!ProcessInformation.IsElevated() && !string.IsNullOrEmpty(Environment.GetFolderPath(Environment.SpecialFolder.UserProfile, Environment.SpecialFolderOption.DoNotVerify))) | ||
{ | ||
this.Log().Debug(" - Elevated State = Failed"); | ||
|
||
result.Add(new ValidationResult | ||
{ | ||
ExitCode = 0, | ||
Message = "User Cache directory is valid.", | ||
Status = ValidationStatus.Success | ||
}); | ||
|
||
return result; | ||
} | ||
|
||
this.Log().Debug(" - Elevated State = Checked"); | ||
|
||
var cacheFolderPath = ApplicationParameters.HttpCacheLocation; | ||
|
||
if (_fileSystem.DirectoryExists(cacheFolderPath)) | ||
{ | ||
this.Log().Debug(" - Folder Exists = Checked"); | ||
|
||
if (_fileSystem.IsLockedDirectory(cacheFolderPath)) | ||
{ | ||
this.Log().Debug(" - Folder lockdown = Checked"); | ||
|
||
result.Add(new ValidationResult | ||
{ | ||
ExitCode = 0, | ||
Message = "System Cache directory is locked down to administrators.", | ||
Status = ValidationStatus.Success | ||
}); | ||
} | ||
else | ||
{ | ||
this.Log().Debug(" - Folder lockdown = Failed"); | ||
|
||
result.Add(new ValidationResult | ||
{ | ||
ExitCode = 0, | ||
Message = "System Cache directory is not locked down to administrators. Remove the directory '{0}' to have Chocolatey CLI create it with the proper permissions.".FormatWith(cacheFolderPath), | ||
Status = ValidationStatus.Warning | ||
}); | ||
} | ||
|
||
return result; | ||
} | ||
|
||
this.Log().Debug(" - Folder Exists = Failed"); | ||
|
||
if (_fileSystem.LockDirectory(cacheFolderPath)) | ||
{ | ||
this.Log().Debug(" - Folder lockdown update = Success"); | ||
|
||
result.Add(new ValidationResult | ||
{ | ||
ExitCode = 0, | ||
Message = "System Cache directory successfullly created and locked down to administrators.", | ||
Status = ValidationStatus.Success, | ||
}); | ||
} | ||
else | ||
{ | ||
this.Log().Debug(" - Folder lockdown update = Failed"); | ||
|
||
result.Add(new ValidationResult | ||
{ | ||
ExitCode = 1, // Should we error? | ||
Message = "System Cache directory was not created, or could not be locked down to administrators.", | ||
Status = ValidationStatus.Error | ||
}); | ||
} | ||
|
||
return result; | ||
} | ||
|
||
#pragma warning disable IDE1006 | ||
|
||
[Obsolete("This overload is deprecated and will be removed in v3.")] | ||
public ICollection<ValidationResult> validate(ChocolateyConfiguration config) | ||
{ | ||
return Validate(config); | ||
} | ||
|
||
#pragma warning restore IDE1006 | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters