From 35a9ead99872f2cbee84922f2538e687fe14d8a9 Mon Sep 17 00:00:00 2001
From: Matt Farina
Date: Tue, 14 Jan 2025 15:30:44 -0500
Subject: [PATCH] Ensuring the file paths are clean prior to passing to securejoin
securejoin v0.4.0 made a possibly breaking change. Only clean paths are safe to pass to SecureJoin or they could return an error or have the wrong path. The details are in the release notes for v0.4.0. This change ensures the paths are clean prior to passing to SecureJoin.
Signed-off-by: Matt Farina
---
 pkg/chartutil/expand.go | 3 +++
 pkg/plugin/installer/http_installer.go | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/pkg/chartutil/expand.go b/pkg/chartutil/expand.go
index ebe27843a..a9943252d 100644
--- a/pkg/chartutil/expand.go
+++ b/pkg/chartutil/expand.go
@@ -52,6 +52,9 @@ func Expand(dir string, r io.Reader) error {
 }
 // Find the base directory
+ // The directory needs to be cleaned prior to passing to SecureJoin or the location may end up
+ // being wrong or returning an error. This was introduced in v0.4.0.
+ dir = filepath.Clean(dir)
 chartdir, err := securejoin.SecureJoin(dir, chartName)
 if err != nil {
 return err
diff --git a/pkg/plugin/installer/http_installer.go b/pkg/plugin/installer/http_installer.go
index 758e6039c..b900fa401 100644
--- a/pkg/plugin/installer/http_installer.go
+++ b/pkg/plugin/installer/http_installer.go
@@ -206,6 +206,9 @@ func cleanJoin(root, dest string) (string, error) {
 }
 // SecureJoin will do some cleaning, as well as some rudimentary checking of symlinks.
+ // The directory needs to be cleaned prior to passing to SecureJoin or the location may end up
+ // being wrong or returning an error. This was introduced in v0.4.0.
+ root = filepath.Clean(root)
 newpath, err := securejoin.SecureJoin(root, dest)
 if err != nil {
 return "", err
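Review bot: `filepath.Clean` is purely lexical, so at the added `dir = filepath.Clean(dir)` an empty `dir` becomes `.` and a relative `dir` stays relative, which leaves the root that `SecureJoin` confines `chartName` to dependent on the process working directory. If callers can reach Expand with an empty or relative destination (not visible in this hunk), reject the empty case before cleaning, e.g. `if dir == "" { return errors.New("destination directory not specified") }`, or resolve the root with `filepath.Abs`, which also cleans. The same applies to `root = filepath.Clean(root)` in cleanJoin in pkg/plugin/installer/http_installer.go. The diffstat lists no test file; a case that passes an unclean directory (trailing separator, `./` prefix) to Expand would pin the behaviour this commit restores. Expand's body starts and ends outside the hunk.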
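Review bot: The comments above `root = filepath.Clean(root)` now read as contradicting each other: the existing line says SecureJoin "will do some cleaning", while the added lines say the directory must be cleaned first, and "v0.4.0" is not tied to any library. I would merge them into one comment that separates the two arguments, e.g. `// SecureJoin does some cleaning of the joined path and rudimentary symlink checking; since filepath-securejoin v0.4.0 the root passed in must already be filepath.Clean'd.` The added comment in Expand (pkg/chartutil/expand.go) has the same unnamed "v0.4.0" and would benefit from the same wording. cleanJoin's body starts and ends outside the hunk.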