From fba9d08dced3583ef88fc235b307995830173aa9 Mon Sep 17 00:00:00 2001
From: Matt Farina
Date: Tue, 14 Jan 2025 15:30:44 -0500
Subject: [PATCH] Ensuring the file paths are clean prior to passing to securejoin
securejoin v0.4.0 made a possibly breaking change. Only clean paths are safe to pass to SecureJoin or they could return an error or have the wrong path. The details are in the release notes for v0.4.0. This change ensures the paths are clean prior to passing to SecureJoin.
Signed-off-by: Matt Farina
(cherry picked from commit 35a9ead99872f2cbee84922f2538e687fe14d8a9)
---
 pkg/chartutil/expand.go | 3 +++
 pkg/plugin/installer/http_installer.go | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/pkg/chartutil/expand.go b/pkg/chartutil/expand.go
index 7ae1ae6fa..ac59f2575 100644
--- a/pkg/chartutil/expand.go
+++ b/pkg/chartutil/expand.go
@@ -52,6 +52,9 @@ func Expand(dir string, r io.Reader) error {
 }
 // Find the base directory
+ // The directory needs to be cleaned prior to passing to SecureJoin or the location may end up
+ // being wrong or returning an error. This was introduced in v0.4.0.
+ dir = filepath.Clean(dir)
 chartdir, err := securejoin.SecureJoin(dir, chartName)
 if err != nil {
 return err
diff --git a/pkg/plugin/installer/http_installer.go b/pkg/plugin/installer/http_installer.go
index 49274f83c..56a930836 100644
--- a/pkg/plugin/installer/http_installer.go
+++ b/pkg/plugin/installer/http_installer.go
@@ -206,6 +206,9 @@ func cleanJoin(root, dest string) (string, error) {
 }
 // SecureJoin will do some cleaning, as well as some rudimentary checking of symlinks.
+ // The directory needs to be cleaned prior to passing to SecureJoin or the location may end up
+ // being wrong or returning an error. This was introduced in v0.4.0.
+ root = filepath.Clean(root)
 newpath, err := securejoin.SecureJoin(root, dest)
 if err != nil {
 return "", err
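Review bot: The added comment in Expand says "This was introduced in v0.4.0" without naming the library, so a reader of expand.go cannot tell that it means securejoin rather than Helm. I would write `// securejoin v0.4.0 and later expect a lexically clean root; an unclean one can yield an error or the wrong path.` The same wording is repeated in cleanJoin in pkg/plugin/installer/http_installer.go. It is also worth stating in Expand's doc comment that `filepath.Clean` is purely lexical: a `dir` containing `x/..` is collapsed even when `x` is a symlink, so the extraction root may differ from what the filesystem would resolve for the caller's original string. Expand's body starts and ends outside the hunk.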
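Review bot: In cleanJoin the retained comment `SecureJoin will do some cleaning` now sits directly above a new comment saying the directory must be cleaned first, which reads as a contradiction. If the first comment refers to how `dest` is handled, I would merge the two into one that separates the arguments, for example `// SecureJoin cleans dest and does rudimentary symlink checks, but securejoin v0.4.0+ expects root itself to be lexically clean.` The diffstat lists no test file, so a case that passes an unclean `root` (constructed example: `"plugins/./cache/"`) would pin the behaviour that this change relies on. cleanJoin's body starts and ends outside the hunk.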