Ensuring the file paths are clean prior to passing to securejoin

securejoin v0.4.0 made a possibly breaking change. Only clean paths are safe to pass to SecureJoin or they could return an error or have the wrong path. The details are in the release notes for v0.4.0. This change ensures the paths are clean prior to passing to SecureJoin. Signed-off-by: Matt Farina <matt.farina@suse.com>
8 months ago · 35a9ead998
parent fb54996b00
commit 35a9ead998
2 changed files with 6 additions and 0 deletions
--- a/pkg/chartutil/expand.go
+++ b/pkg/chartutil/expand.go
@ -52,6 +52,9 @@ func Expand(dir string, r io.Reader) error {
 	}

 	// Find the base directory
+	// The directory needs to be cleaned prior to passing to SecureJoin or the location may end up
+	// being wrong or returning an error. This was introduced in v0.4.0.
+	dir = filepath.Clean(dir)
 	chartdir, err := securejoin.SecureJoin(dir, chartName)
 	if err != nil {
 		return err
--- a/pkg/plugin/installer/http_installer.go
+++ b/pkg/plugin/installer/http_installer.go
@ -206,6 +206,9 @@ func cleanJoin(root, dest string) (string, error) {
 	}

 	// SecureJoin will do some cleaning, as well as some rudimentary checking of symlinks.
+	// The directory needs to be cleaned prior to passing to SecureJoin or the location may end up
+	// being wrong or returning an error. This was introduced in v0.4.0.
+	root = filepath.Clean(root)
 	newpath, err := securejoin.SecureJoin(root, dest)
 	if err != nil {
 		return "", err