
Validate plugin binary path

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Stefan Prodan
2026-06-04 21:23:56 +03:00
parent d78d406a52
commit 0afcda1a50
4 changed files with 216 additions and 0 deletions
+6
@@ -84,7 +84,13 @@ func (inst *Installer) Install(pluginDir string, manifest *plugintypes.Manifest,
// name (e.g. "flux-validate"). On Windows we always append ".exe".
// For archives it's also the entry name we look up; for raw binaries
// it's the rename target regardless of the URL's filename.
//
// Bin is remote-controlled and joined to pluginDir below, so it must be a
// plain filename: reject separators and traversal so the write can't escape.
binName := manifest.Bin
if binName == "" || binName != filepath.Base(binName) || !filepath.IsLocal(binName) {
return fmt.Errorf("invalid plugin binary name %q: must be a plain filename", manifest.Bin)
}
if runtime.GOOS == "windows" {
binName += ".exe"
}
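Review bot: The new guard on `manifest.Bin` still accepts the name `.`, because `filepath.Base(".")` returns `.` and `filepath.IsLocal(".")` is true. On non-Windows hosts `binName` then stays `.`, and the join described in the comment would resolve to `pluginDir` itself rather than to a file inside it. Nothing leaves the directory, but the "plain filename" contract in the comment is not met, and what the write or rename does with a directory target depends on code outside this hunk. Rejecting the case explicitly closes it: `if binName == "" || binName == "." || binName != filepath.Base(binName) || !filepath.IsLocal(binName) {`. Install's body starts and ends outside the hunk, so the join and the write are not visible here.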