Validate untrusted user input

[sergepetrenko]

As seen in error reports from TNT-601, getopt_long, getopt and realpath are subject to internal buffer overflows (at least they used to be some time ago).
The suggestion is to either not use them, or provide them with correct input.

Speaking of realpath, we have 2 places that use it:

sergey@sergey-pc:~/Source/sptnt$ grep -rn realpath ./src --include *.c --include *.h --include *.cc --include *.cpp --include *.hpp --exclude *.lua.c --include *.lua
./src/box/module_cache.c:119:	if (realpath(lua_tostring(L, -1), resolved) == NULL) {
./src/box/module_cache.c:120:		diag_set(SystemError, "realpath");
./src/box/module_cache.c:126:	 * is guaranteed by realpath call.
./src/find_path.c:79:	if (realpath(buf, path) == NULL)

Both these places provide a valid input buffer of size PATH_MAX, which should be fine: https://stackoverflow.com/questions/4109638/what-is-the-safe-alternative-to-realpath

Speaking of getopt:

grep -rn getopt ./src --include *.c --include *.h --include *.cc --include *.cpp --include *.hpp --exclude *.lua.c --include *.lua
./src/lua/init.c:911:			unreachable(); /* checked by getopt() in main() */
./src/main.cc:39:#include <getopt.h>
./src/main.cc:672:	while ((ch = getopt_long(argc, argv, opts, longopts, NULL)) != -1) {
./src/main.cc:695:			/* "invalid option" is printed by getopt */

Some googling reveals that one has to limit argc and all of the argv[i] lengths to some "sane" value. What value is considered sane remains unknown. After some discussion in this PR (see below), it was decided to not try and patch getopt usage, since the only buggy getopt implementation known belongs to Solaris 2.5 from 1997.

The problem with getenv is of other nature: it might return string of arbitrary length and content, which can't be trusted. The relevant CWE (not CVE) is CWE-807 and CWE-20.
Here are our getenv usages:

sergey@sergey-pc:~/Source/sptnt$ grep -rn getenv ./src --include *.c --include *.h --include *.cc --include *.cpp --include *.hpp --exclude *.lua.c --include *.lua
./src/lib/core/coio_file.c:509:	const char *tmpdir = getenv("TMPDIR");
./src/lib/core/errinj.c:75:		const char *env_value = getenv(inj->name);
./src/proc_title.c:202: * that might try to hang onto a getenv() result.)
./src/proc_title.c:241:	 * is mandatory to flush internal libc caches on getenv/setenv
./src/systemd.c:54:	sd_unix_path = getenv("NOTIFY_SOCKET");
./src/box/module_cache.c:300:	const char *tmpdir = getenv("TMPDIR");
./src/box/sql/os_unix.c:1441:		azDirs[0] = getenv("SQL_TMPDIR");
./src/box/sql/os_unix.c:1446:		azDirs[1] = getenv("TMPDIR");
./src/box/lua/console.c:394:	const char *envvar = getenv("TT_CONSOLE_HIDE_SHOW_PROMPT");
./src/box/lua/console.lua:771:    local home_dir = os.getenv('HOME')
./src/box/lua/load_cfg.lua:1007:    local raw_value = os.getenv(env_var_name)
./src/lua/init.c:575:	const char *path = getenv(envname);
./src/lua/init.c:592:	const char *home = getenv("HOME");
./src/find_path.c:77:			snprintf(buf, sizeof(buf) - 1, "%s", getenv("_"));

Most of them are already treated correctly (that is, getenv output is either passed to snprintf or strcmp-ed to a static fixed size string). The ones, that weren't treated correctly are fixed in this patchset, including the ones in src/lua/* and src/box/lua*.

Please note, that TNT-601 also reports some findings in extra/* folder. There are extra/lemon.c, extra/bin2c.c and extra/txt2c.c. AFAICS these are all our building utilities and we are not concerned with their security. Please, correct me if I'm wrong.

Closes #7797

[sergepetrenko]

I'm not sure we need the last commit.
Suppose there's a system with a buggy getopt_long. I suppose (no evidence here) that it would fail on 100kb arguments. Regardless of ARG_MAX value on that system. On the other hand, if there was a bug on that system, it must be triggered by arguments shorter than ARG_MAX, otherwise the OS wouldn't let the user to pass such long arguments.

I'm trying to say that neither fixed boundary (100kb) nor a boundary depending on ARG_MAX actually fix the problem which's being reported. So maybe it would be better to say that we don't run on systems with buggy getopt (which must be quite old ones), and ignore this "error".

[Totktonada]

In reflection of several compromises we agreed upon, the patchset looks okay for me.

[sergepetrenko]

Please backport to 2.10 and 1.10 as well

[locker]

Please backport to 2.10 and 1.10 as well

Why 1.10? We backport fixes needed for the security certification only to 2.10 AFAIK.

[sergepetrenko]

Why 1.10? We backport fixes needed for the security certification only to 2.10 AFAIK.

I thought we backport security fixes everywhere where bugfixes go. This is not only for certification, this is a real problem, which's getting fixed. But ok, up to you.

[locker]

Why 1.10? We backport fixes needed for the security certification only to 2.10 AFAIK.

I thought we backport security fixes everywhere where bugfixes go. This is not only for certification, this is a real problem, which's getting fixed. But ok, up to you.

To the best of my knowledge, we don't backport all fixes to 1.10 - only those that were specifically requested by our customers.

[sergepetrenko]

To the best of my knowledge, we don't backport all fixes to 1.10 - only those that were specifically requested by our customers.

I see, thanks.