From 625b79e3b3bdc3c13e3a966cd72d80708b1e77e0 Mon Sep 17 00:00:00 2001
From: Daniel
Date: Fri, 5 Jun 2020 14:00:44 +0200
Subject: [PATCH] Detect PID loops in api auth

---
 firewall/api.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/firewall/api.go b/firewall/api.go
index b156d020..30557050 100644
--- a/firewall/api.go
+++ b/firewall/api.go
@@ -112,6 +112,7 @@ func authenticateAPIRequest(ctx context.Context, pktInfo *packet.Info) (retry bo
  return true, fmt.Errorf("failed to get process: %s", err)
  }
  originalPid := proc.Pid
+ var previousPid int

  // go up up to two levels, if we don't match
  for i := 0; i < 5; i++ {
@@ -130,11 +131,20 @@ func authenticateAPIRequest(ctx context.Context, pktInfo *packet.Info) (retry bo
  procsChecked = append(procsChecked, proc.Path)

  if i < 4 {
+ // save previous PID
+ previousPid = proc.Pid
+
  // get parent process
  proc, err = process.GetOrFindProcess(ctx, proc.ParentPid)
  if err != nil {
  return true, fmt.Errorf("failed to get process: %s", err)
  }
+
+ // abort if we are looping
+ if proc.Pid == previousPid {
+ // this also catches -1 pid loops
+ break
+ }
  }
  }
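Review bot: The added guard `if proc.Pid == previousPid` in the second hunk only detects a process that resolves as its own parent (including the -1 case the comment mentions); a longer cycle such as A -> B -> A is still walked until the `i < 5` bound ends the loop. The comment should state that limit, for example `// abort if the parent resolves to the same PID (self-parented or -1); longer cycles are bounded by the loop limit`. Because this walk decides whether an API request is authenticated, it is worth confirming that the `break` lands on the deny path after the loop, which lies outside the hunk. `previousPid` is only written and read inside the `if i < 4` block, so the function-scope `var previousPid int` from the first hunk could instead be `previousPid := proc.Pid` at the point of use.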