Symlinks and Security

[Stebalien]

Currently, you can add any arbitrary symlink to IPFS. Now, the gateway won't traverse a random symlink into the filesystem but any tool that simply downloads a directory out of IPFS to the local disk might. This could turn into a security foot gun.

Unfortunately, symlinks are kind of important. The naive solution would be to require that symlinks only point to other files on IPFS or other files within the same archive. However, the former won't work without /ipfs mounted as a fuse filesystem (unless we resolve them on ipfs get which'll remove the symlink) and the latter precludes many valid use-cases for symlinks.

One solution is to add a flag to ipfs get that restricts symlinks. Currently, I'm thinking: --symlinks={all,relative,resolve}. That is:

• all is the default and allows all symlinks
• relative only allows symlinks relative to the root of the IPFS directory.
• resolve resolves symlinks before extracting the files from IPFS (only allowing them to point to other files in IPFS).

Many tools will actually want to use --symlinks=resolve.

[iacore]

Maybe just disallow symlink altogether. Having potentially cyclic graph supported in DAG is weird. IMO linking should be handled in a higher layer.

Currently there is no way to tell symlink apart from common file. ipfs cat works on symlink that points nowhere.

Applications need to use their own link format. HTML has <a>. Having on symlink in proclaimed "immutable" storage - IPFS - in a footgun.