Fix Path Traversal Vulnerabilities (CWE-23) in raw_write.py – Arbitrary file read/write as root

[rgfegegeegege]

This PR fixes a critical path traversal vulnerability in raw_write.py that allowed arbitrary file read and device overwrite as root when using pkexec.

Vulnerabilities fixed:

• Unsanitized --source (-s) allowed reading arbitrary files via open(source, 'rb')
• Unsanitized --target (-t) allowed writing to arbitrary block devices/files
• Potential command injection risk in mountutils.py (recommended to change to shell=False there too)

Changes:

• Use os.path.realpath() to resolve path traversal
• Validate source ends with common image extensions (.iso, .img, etc.)
• Validate target is a real block device using stat.S_ISBLK
• Use shutil.copyfileobj for efficient and clean file copy
• Better error messages and logging

Full reproducible PoC (original vulnerable behavior):

1. Create a dummy block device with size:
   truncate -s 1G big_dummy.img
   sudo losetup -f --show big_dummy.img
   ... Note the device, e.g. /dev/loop1

2. Run the vulnerable write:
   pkexec python3 /usr/lib/mintstick/raw_write.py -s /etc/passwd -t /dev/loop1

3. Expected result (vulnerable):

   • Script prints "1.0"
   • It reads the entire /etc/passwd as root
   • It writes the content of /etc/passwd to /dev/loop1

4. Verify the content was written:
   sudo dd if=/dev/loop1 bs=4096 count=10 | strings | head -n 20
   → You will see the lines of /etc/passwd (root:x:0:0:root... etc.)

Cleanup:
sudo losetup -d /dev/loop1
rm big_dummy.img

With this PR applied: the command above will fail with a clear error message ("Invalid source file" or "Source path not allowed"), preventing the read and write.

Tested on Linux Mint with dummy.img and loop devices works as expected with valid .iso files, rejects invalid paths.

Thanks for reviewing

[rgfegegeegege]

Additional commit: Mitigated potential command injection risk in mountutils.py by changing shell=True to shell=False with list argument.

While upstream validation in raw_write.py already prevents malicious target strings from reaching do_umount(), this change follows best practices and eliminates any potential risk (CWE-78).