CDRIVER-5511 disable loading Cyrus plugins on Windows by default (#1561)

kevinAlbs · eramongodb · kevinAlbs · commit e69dbac8b037 · 2024-03-22T13:42:28.000-04:00
* CDRIVER-5511 disable loading Cyrus plugins on Windows by default adds the CMake option `CYRUS_PLUGIN_PATH_PREFIX` to opt-in to loading plug-ins --------- Co-authored-by: Ezra Chung <88335979+eramongodb@users.noreply.github.com>
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -150,6 +150,11 @@ mongo_setting(
    ]]
 )
 
+mongo_setting(CYRUS_PLUGIN_PATH_PREFIX "An absolute path prefix to enable loading Cyrus SASL plugins on Windows"
+   TYPE STRING
+   VISIBLE_IF [[ENABLE_SASL STREQUAL "CYRUS" AND WIN32]]
+)
+
 mongo_setting(ENABLE_CLIENT_SIDE_ENCRYPTION "Enable In-Use Encryption support. Requires additional support libraries."
               OPTIONS ON OFF AUTO
               DEFAULT VALUE AUTO)
diff --git a/NEWS b/NEWS
@@ -1,3 +1,10 @@
+libmongoc 1.26.2 (unreleased)
+=============================
+
+Cyrus SASL:
+
+  * Disable plugin loading with Cyrus SASL on Windows by default. To re-enable, set the CMake option `CYRUS_PLUGIN_PATH_PREFIX` to the absolute path prefix of the Cyrus SASL plugins.
+
 libmongoc 1.26.1
 ================
 
diff --git a/src/libmongoc/CMakeLists.txt b/src/libmongoc/CMakeLists.txt
@@ -814,6 +814,12 @@ if (MONGOC_ENABLE_STATIC_BUILD)
    set_target_properties (mcd_rpc PROPERTIES OUTPUT_NAME "mcd-rpc")
 endif ()
 
+set_property(
+   SOURCE ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-cyrus.c
+   APPEND PROPERTY COMPILE_DEFINITIONS
+   "MONGOC_CYRUS_PLUGIN_PATH_PREFIX=$<IF:$<STREQUAL:${CYRUS_PLUGIN_PATH_PREFIX},>,NULL,\"${CYRUS_PLUGIN_PATH_PREFIX}\">"
+)
+
 if (ENABLE_SHARED)
    add_library (mongoc_shared SHARED ${SOURCES} ${HEADERS} ${HEADERS_FORWARDING})
    if(WIN32)
diff --git a/src/libmongoc/doc/authentication.rst b/src/libmongoc/doc/authentication.rst
@@ -79,9 +79,10 @@ GSSAPI (Kerberos) Authentication
 
 .. note::
 
-  On UNIX-like environments, Kerberos support requires compiling the driver against ``cyrus-sasl``.
+  On UNIX-like environments, Kerberos support requires compiling the driver against `Cyrus SASL <https://www.cyrusimap.org/sasl/>`_.
 
-  On Windows, Kerberos support requires compiling the driver against Windows Native SSPI or ``cyrus-sasl``. The default configuration of the driver will use Windows Native SSPI.
+  On Windows, Kerberos support requires compiling the driver against Windows Native SSPI or Cyrus SASL. The default configuration of the driver will use Windows Native SSPI.
+  Using Cyrus SASL on Windows requires configuring the CMake option ``CYRUS_PLUGIN_PATH_PREFIX`` to the absolute path prefix of the ``GSSAPI`` plugin to enable loading the plugin.
 
   To modify the default configuration, use the cmake option ``ENABLE_SASL``.
 
diff --git a/src/libmongoc/src/mongoc/mongoc-cyrus-private.h b/src/libmongoc/src/mongoc/mongoc-cyrus-private.h
@@ -46,6 +46,8 @@ struct _mongoc_cyrus_t {
 #define SASL_CALLBACK_FN(_f) ((int (*) (void)) (_f))
 #endif
 
+int
+_mongoc_cyrus_verifyfile_cb (void *context, const char *file, sasl_verify_type_t type);
 void
 _mongoc_cyrus_init (mongoc_cyrus_t *sasl);
 bool
diff --git a/src/libmongoc/src/mongoc/mongoc-cyrus.c b/src/libmongoc/src/mongoc/mongoc-cyrus.c
@@ -138,16 +138,59 @@ _mongoc_cyrus_get_user (mongoc_cyrus_t *sasl,
    return (sasl->credentials.user != NULL) ? SASL_OK : SASL_FAIL;
 }
 
+static const char *
+sasl_verify_type_to_str (sasl_verify_type_t type)
+{
+   switch (type) {
+   case SASL_VRFY_PLUGIN:
+      return "SASL_VRFY_PLUGIN";
+   case SASL_VRFY_CONF:
+      return "SASL_VRFY_CONF";
+   case SASL_VRFY_PASSWD:
+      return "SASL_VRFY_PASSWD";
+   case SASL_VRFY_OTHER:
+      return "SASL_VRFY_OTHER";
+   default:
+      return "Unknown";
+   }
+}
+
+int
+_mongoc_cyrus_verifyfile_cb (void *context, const char *file, sasl_verify_type_t type)
+{
+   TRACE ("Attempting to load file: `%s`. Type is %s\n", file, sasl_verify_type_to_str (type));
+
+#ifdef _WIN32
+   // On Windows, Cyrus SASL hard-codes the plugin path.
+   // Only permit loading plugin from user configured path to prevent unintentional library loading.
+   if (type == SASL_VRFY_PLUGIN) {
+      const char *path_prefix = MONGOC_CYRUS_PLUGIN_PATH_PREFIX;
+      bool has_valid_prefix = (path_prefix && file == strstr (file, path_prefix));
+      // Check if `file` has necessary prefix.
+      if (has_valid_prefix) {
+         return SASL_OK;
+      }
+      MONGOC_WARNING ("Refusing to load Cyrus SASL plugin at: '%s'. If needed, set CYRUS_PLUGIN_PATH_PREFIX (currently "
+                      "'%s') to the absolute path prefix of the plugin during build configuration of the C Driver.",
+                      file,
+                      path_prefix ? path_prefix : "(unset)");
+      return SASL_CONTINUE;
+   }
+#endif
+
+   return SASL_OK;
+}
+
 
 void
 _mongoc_cyrus_init (mongoc_cyrus_t *sasl)
 {
-   sasl_callback_t callbacks[] = {
-      {SASL_CB_AUTHNAME, SASL_CALLBACK_FN (_mongoc_cyrus_get_user), sasl},
-      {SASL_CB_USER, SASL_CALLBACK_FN (_mongoc_cyrus_get_user), sasl},
-      {SASL_CB_PASS, SASL_CALLBACK_FN (_mongoc_cyrus_get_pass), sasl},
-      {SASL_CB_CANON_USER, SASL_CALLBACK_FN (_mongoc_cyrus_canon_user), sasl},
-      {SASL_CB_LIST_END}};
+   sasl_callback_t callbacks[] = {{SASL_CB_AUTHNAME, SASL_CALLBACK_FN (_mongoc_cyrus_get_user), sasl},
+                                  {SASL_CB_USER, SASL_CALLBACK_FN (_mongoc_cyrus_get_user), sasl},
+                                  {SASL_CB_PASS, SASL_CALLBACK_FN (_mongoc_cyrus_get_pass), sasl},
+                                  {SASL_CB_CANON_USER, SASL_CALLBACK_FN (_mongoc_cyrus_canon_user), sasl},
+                                  {SASL_CB_VERIFYFILE, SASL_CALLBACK_FN (_mongoc_cyrus_verifyfile_cb), NULL},
+                                  {SASL_CB_LIST_END}};
 
    BSON_ASSERT (sasl);
 
diff --git a/src/libmongoc/src/mongoc/mongoc-init.c b/src/libmongoc/src/mongoc/mongoc-init.c
@@ -53,6 +53,7 @@
 
 #ifdef MONGOC_ENABLE_SASL_CYRUS
 #include <sasl/sasl.h>
+#include <mongoc-cyrus-private.h> // _mongoc_cyrus_verifyfile_cb
 
 static void *
 mongoc_cyrus_mutex_alloc (void)
@@ -113,7 +114,11 @@ static BSON_ONCE_FUN (_mongoc_do_init)
                    mongoc_cyrus_mutex_unlock,
                    mongoc_cyrus_mutex_free);
 
-   status = sasl_client_init (NULL);
+   sasl_callback_t callbacks[] = {// Include callback to disable loading plugins.
+                                  {SASL_CB_VERIFYFILE, SASL_CALLBACK_FN (_mongoc_cyrus_verifyfile_cb), NULL},
+                                  {SASL_CB_LIST_END}};
+
+   status = sasl_client_init (callbacks);
    BSON_ASSERT (status == SASL_OK);
 #endif
 
