sanitize-dont-refuse: strip dangerous symlinks via tar --exclude
All checks were successful
cpanel-importer Build and Push / Build-and-Push (push) Successful in 1m10s
All checks were successful
cpanel-importer Build and Push / Build-and-Push (push) Successful in 1m10s
Shifts the sandbox's symlink handling from "refuse the whole tarball"
to "drop the dangerous entries from extraction and record them as
quarantine actions". This is what sandbox mode is supposed to do —
make malicious cpmoves safe to import rather than gate-keeping them.
Three coordinated changes:
1. scan-symlinks.php — exit 0 even when DANGEROUS findings exist. The
JSON report is the source of truth; the caller decides what to do
with it. Usage/IO errors still exit 2. STDERR still names each
finding (now "STRIP X -> Y" instead of "refusing tarball") so the
streamed [container] log on the panel side surfaces them.
2. extract.sh — reads the scan-symlinks report, builds a
newline-delimited exclude list of DANGEROUS archive_paths, and
passes it to `tar --exclude-from=`. The stripped entries never
reach the filesystem; tar skips them silently. Also writes a small
JSON sidecar at $EXTRACT_DIR/.cpanel-importer-stripped-symlinks.json
describing each strip-action so the merge step can surface them in
report.json without re-parsing scan-symlinks output.
3. entrypoint.sh write_report — reads the sidecar, prepends each
stripped_dangerous_symlink action to the actions[] list, bumps
files_quarantined by the strip-count, and rewrites
summary_for_panel.alert_message to call them out distinctly:
"N dangerous symlink(s) stripped during extract; M files
quarantined; K cleaned in place. Customer site may have been
compromised at the source — recommend review."
Result on darkside: instead of the import failing on the ALFA
alfasymlink/root entry, that entry is silently skipped during
extract, recorded as `stripped_dangerous_symlink path=... target=/
reason=absolute target is root /`, and the rest of the tarball
extracts normally. Subsequent ClamAV scan + DB sanitization run
to completion; panel sees a verdict-completed import with the
stripped symlinks visible in the Sanitization Sandbox panel on the
results page.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Claude (bootstrap)
@@ -9,9 +9,13 @@
|
||||
* gate without dragging in the rest of the importer.
|
||||
*
|
||||
* Exit codes:
|
||||
* 0 — clean (no DANGEROUS findings)
|
||||
* 1 — one or more DANGEROUS findings; tarball MUST NOT be extracted
|
||||
* 2 — usage / I/O error
|
||||
* 0 — scan completed successfully (with or without DANGEROUS findings).
|
||||
* Findings are recorded in --report; extract.sh inspects the report
|
||||
* to decide which entries to --exclude from `tar -xzf`. Sandbox-mode
|
||||
* posture is "sanitize, don't refuse" — the container drops the
|
||||
* dangerous symlinks from extraction and records the actions in
|
||||
* report.json instead of aborting the whole import.
|
||||
* 2 — usage / I/O error (couldn't read tarball, couldn't write report).
|
||||
*
|
||||
* Always writes a JSON report to --report describing every absolute-target
|
||||
* symlink seen and the classification verdict.
|
||||
@@ -181,15 +185,17 @@ $report = [
|
||||
|
||||
@file_put_contents($reportPath, json_encode($report, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "\n");
|
||||
|
||||
// Sandbox-mode posture: never refuse. Log every DANGEROUS finding to
|
||||
// stderr so the panel sees them in the streamed [container] log, and let
|
||||
// extract.sh inspect --report to decide which entries to exclude from
|
||||
// the tar untar. Caller treats exit 0 as "scan completed; consult report".
|
||||
if ($dangerousCount > 0) {
|
||||
fwrite(STDERR, "scan-symlinks: $dangerousCount DANGEROUS finding(s); refusing tarball\n");
|
||||
fwrite(STDERR, "scan-symlinks: $dangerousCount DANGEROUS finding(s) will be stripped during extract\n");
|
||||
foreach ($findings as $f) {
|
||||
if ($f['type'] === 'DANGEROUS') {
|
||||
fwrite(STDERR, sprintf(" %s -> %s (%s)\n", $f['archive_path'], $f['target'], $f['reason']));
|
||||
fwrite(STDERR, sprintf(" STRIP %s -> %s (%s)\n", $f['archive_path'], $f['target'], $f['reason']));
|
||||
}
|
||||
}
|
||||
exit(1);
|
||||
}
|
||||
|
||||
fwrite(STDERR, "scan-symlinks: clean (uncertain=$uncertainCount, dangerous=0)\n");
|
||||
fwrite(STDERR, "scan-symlinks: scan complete (uncertain=$uncertainCount, dangerous=$dangerousCount)\n");
|
||||
exit(0);
|
||||
|
||||
Reference in New Issue
Block a user