Mirrors/flux2
1
0
Fork 0
mirror of synced 2026-02-06 19:05:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add safe guards for relative paths

Browse Source 
This commit adds multiple safe guards for relative paths, ensuring they
never traverse outside the working directory.

The `SafeRelativePath` flag calculates the safe relative path based on a
relative base dir, which results in a flattened path.

The write methods of `manifestgen` make use of the `SecureJoin` as well,
to ensure writes are never outside of the given directory when used as
a lib outside of the CLI.

Signed-off-by: Hidde Beydals <hello@hidde.co>
This commit is contained in:
Hidde Beydals
2020-12-14 14:21:41 +01:00
parent 008b3b8408
commit 5ea4e814f5
13 changed files with 180 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
pkg/manifestgen/install/install.go
View File

@@ -24,6 +24,8 @@ import (
"path"
"strings"
securejoin "github.com/cyphar/filepath-securejoin"
"github.com/fluxcd/flux2/pkg/manifestgen"
)
@@ -40,7 +42,10 @@ func Generate(options Options) (*manifestgen.Manifest, error) {
}
defer os.RemoveAll(tmpDir)
output := path.Join(tmpDir, options.ManifestFile)
output, err := securejoin.SecureJoin(tmpDir, options.ManifestFile)
if err != nil {
return nil, err
}
if !strings.HasPrefix(options.BaseURL, "http") {
if err := build(options.BaseURL, output); err != nil {

16
pkg/manifestgen/manifest.go
View File

@@ -20,8 +20,9 @@ import (
"fmt"
"io/ioutil"
"os"
"path"
"path/filepath"
securejoin "github.com/cyphar/filepath-securejoin"
)
// Manifest holds the data of a multi-doc YAML
@@ -36,14 +37,17 @@ type Manifest struct {
// If the file does not exist, WriteFile creates it with permissions perm,
// otherwise WriteFile overwrites the file, without changing permissions.
func (m *Manifest) WriteFile(rootDir string) (string, error) {
if err := os.MkdirAll(path.Join(rootDir, filepath.Dir(m.Path)), os.ModePerm); err != nil {
output, err := securejoin.SecureJoin(rootDir, m.Path)
if err != nil {
return "", err
}
if err := os.MkdirAll(filepath.Dir(output), os.ModePerm); err != nil {
return "", fmt.Errorf("unable to create dir, error: %w", err)
}
filePath := path.Join(rootDir, m.Path)
if err := ioutil.WriteFile(filePath, []byte(m.Content), os.ModePerm); err != nil {
if err := ioutil.WriteFile(output, []byte(m.Content), os.ModePerm); err != nil {
return "", fmt.Errorf("unable to write file, error: %w", err)
}
return filePath, nil
return output, nil
}