colin
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

qdrant: add patch for CVE-2024-3078

This commit is contained in:
Robert Scott 2024-04-15 22:39:26 +01:00
parent b025595eb9
commit 2666e17d3f
2 changed files with 146 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

142
pkgs/servers/search/qdrant/1.7.4-CVE-2024-3078.patch Normal file
View File

@ -0,0 +1,142 @@
Based on upstream 3ab5172e9c8f14fa1f7b24e7147eac74e2412b62 with minor
adjustments to apply to 1.7.4
diff --git a/lib/collection/src/collection/snapshots.rs b/lib/collection/src/collection/snapshots.rs
index e5a8be9c..ca48fb9e 100644
--- a/lib/collection/src/collection/snapshots.rs
+++ b/lib/collection/src/collection/snapshots.rs
@@ -241,35 +241,35 @@ impl Collection {
.await
}
+ /// Get full file path for a collection snapshot by name
+ ///
+ /// This enforces the file to be inside the snapshots directory
pub async fn get_snapshot_path(&self, snapshot_name: &str) -> CollectionResult<PathBuf> {
- let snapshot_path = self.snapshots_path.join(snapshot_name);
-
- let absolute_snapshot_path =
- snapshot_path
- .canonicalize()
- .map_err(|_| CollectionError::NotFound {
- what: format!("Snapshot {snapshot_name}"),
- })?;
-
- let absolute_snapshot_dir =
- self.snapshots_path
- .canonicalize()
- .map_err(|_| CollectionError::NotFound {
- what: format!("Snapshot directory: {}", self.snapshots_path.display()),
- })?;
+ let absolute_snapshot_dir = self.snapshots_path.canonicalize().map_err(|_| {
+ CollectionError::not_found(format!(
+ "Snapshot directory: {}",
+ self.snapshots_path.display()
+ ))
+ })?;
+
+ let absolute_snapshot_path = absolute_snapshot_dir
+ .join(snapshot_name)
+ .canonicalize()
+ .map_err(|_| CollectionError::not_found(format!("Snapshot {snapshot_name}")))?;
if !absolute_snapshot_path.starts_with(absolute_snapshot_dir) {
- return Err(CollectionError::NotFound {
- what: format!("Snapshot {snapshot_name}"),
- });
+ return Err(CollectionError::not_found(format!(
+ "Snapshot {snapshot_name}"
+ )));
}
- if !snapshot_path.exists() {
- return Err(CollectionError::NotFound {
- what: format!("Snapshot {snapshot_name}"),
- });
+ if !absolute_snapshot_path.exists() {
+ return Err(CollectionError::not_found(format!(
+ "Snapshot {snapshot_name}"
+ )));
}
- Ok(snapshot_path)
+
+ Ok(absolute_snapshot_path)
}
pub async fn list_shard_snapshots(
diff --git a/lib/collection/src/operations/types.rs b/lib/collection/src/operations/types.rs
index afc38d0f..63eae16e 100644
--- a/lib/collection/src/operations/types.rs
+++ b/lib/collection/src/operations/types.rs
@@ -906,6 +906,10 @@ impl CollectionError {
CollectionError::BadInput { description }
}
+ pub fn not_found(what: impl Into<String>) -> CollectionError {
+ CollectionError::NotFound { what: what.into() }
+ }
+
pub fn bad_request(description: String) -> CollectionError {
CollectionError::BadRequest { description }
}
diff --git a/lib/storage/src/content_manager/errors.rs b/lib/storage/src/content_manager/errors.rs
index 1ad8d413..4528e485 100644
--- a/lib/storage/src/content_manager/errors.rs
+++ b/lib/storage/src/content_manager/errors.rs
@@ -46,6 +46,12 @@ impl StorageError {
}
}
+ pub fn not_found(description: impl Into<String>) -> StorageError {
+ StorageError::NotFound {
+ description: description.into(),
+ }
+ }
+
/// Used to override the `description` field of the resulting `StorageError`
pub fn from_inconsistent_shard_failure(
err: CollectionError,
diff --git a/lib/storage/src/content_manager/snapshots/mod.rs b/lib/storage/src/content_manager/snapshots/mod.rs
index 8a417377..9965006a 100644
--- a/lib/storage/src/content_manager/snapshots/mod.rs
+++ b/lib/storage/src/content_manager/snapshots/mod.rs
@@ -24,17 +24,33 @@ pub struct SnapshotConfig {
pub collections_aliases: HashMap<String, String>,
}
+/// Get full file path for a full snapshot by name
+///
+/// This enforces the file to be inside the snapshots directory
pub async fn get_full_snapshot_path(
toc: &TableOfContent,
snapshot_name: &str,
) -> Result<PathBuf, StorageError> {
- let snapshot_path = Path::new(toc.snapshots_path()).join(snapshot_name);
- if !snapshot_path.exists() {
- return Err(StorageError::NotFound {
- description: format!("Full storage snapshot {snapshot_name} not found"),
- });
+ let snapshots_path = toc.snapshots_path();
+
+ let absolute_snapshot_dir = Path::new(snapshots_path)
+ .canonicalize()
+ .map_err(|_| StorageError::not_found(format!("Snapshot directory: {snapshots_path}")))?;
+
+ let absolute_snapshot_path = absolute_snapshot_dir
+ .join(snapshot_name)
+ .canonicalize()
+ .map_err(|_| StorageError::not_found(format!("Snapshot {snapshot_name}")))?;
+
+ if !absolute_snapshot_path.starts_with(absolute_snapshot_dir) {
+ return Err(StorageError::not_found(format!("Snapshot {snapshot_name}")));
}
- Ok(snapshot_path)
+
+ if !absolute_snapshot_path.exists() {
+ return Err(StorageError::not_found(format!("Snapshot {snapshot_name}")));
+ }
+
+ Ok(absolute_snapshot_path)
}
pub async fn do_delete_full_snapshot(

4
pkgs/servers/search/qdrant/default.nix
View File

@ -22,6 +22,10 @@ rustPlatform.buildRustPackage rec {
sha256 = "sha256-BgsLmE50mGmB5fcUjov8wcAHRTKMYaoyoXjSUyIddlc=";
};
patches = [
./1.7.4-CVE-2024-3078.patch
];
cargoLock = {
lockFile = ./Cargo.lock;
outputHashes = {