Merge pull request #13633 from mattfarina/cleanup-securejoin

Ensuring the file paths are clean prior to passing to securejoin
8 months ago · ba467525ab
parent 3af4e57675 35a9ead998
commit ba467525ab
2 changed files with 6 additions and 0 deletions
--- a/pkg/chartutil/expand.go
+++ b/pkg/chartutil/expand.go
@ -52,6 +52,9 @@ func Expand(dir string, r io.Reader) error {
 	}

 	// Find the base directory
+	// The directory needs to be cleaned prior to passing to SecureJoin or the location may end up
+	// being wrong or returning an error. This was introduced in v0.4.0.
+	dir = filepath.Clean(dir)
 	chartdir, err := securejoin.SecureJoin(dir, chartName)
 	if err != nil {
 		return err
--- a/pkg/plugin/installer/http_installer.go
+++ b/pkg/plugin/installer/http_installer.go
@ -206,6 +206,9 @@ func cleanJoin(root, dest string) (string, error) {
 	}

 	// SecureJoin will do some cleaning, as well as some rudimentary checking of symlinks.
+	// The directory needs to be cleaned prior to passing to SecureJoin or the location may end up
+	// being wrong or returning an error. This was introduced in v0.4.0.
+	root = filepath.Clean(root)
 	newpath, err := securejoin.SecureJoin(root, dest)
 	if err != nil {
 		return "", err