Ensuring the file paths are clean prior to passing to securejoin

securejoin v0.4.0 made a possibly breaking change. Only clean paths
are safe to pass to SecureJoin or they could return an error or
have the wrong path. The details are in the release notes for v0.4.0.

This change ensures the paths are clean prior to passing to SecureJoin.

Signed-off-by: Matt Farina <matt.farina@suse.com>
(cherry picked from commit 35a9ead998)
pull/13634/head
Matt Farina 8 months ago
parent 20db22293f
commit fba9d08dce
No known key found for this signature in database
GPG Key ID: 92C44A3D421FF7F9

@ -52,6 +52,9 @@ func Expand(dir string, r io.Reader) error {
}
// Find the base directory
// The directory needs to be cleaned prior to passing to SecureJoin or the location may end up
// being wrong or returning an error. This was introduced in v0.4.0.
dir = filepath.Clean(dir)
chartdir, err := securejoin.SecureJoin(dir, chartName)
if err != nil {
return err
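Review bot: The comment added above `dir = filepath.Clean(dir)` in Expand ends with "This was introduced in v0.4.0" without naming securejoin, so a later reader cannot tell which dependency or which behaviour "This" refers to; wording such as "securejoin v0.4.0 and later expect a clean root" would be self-explanatory. Note also that filepath.Clean returns "." for an empty string, so an empty dir now reaches SecureJoin as the current directory; if Expand can be called with an empty dir, an explicit check before the Clean call would make that case deliberate. No test for an unclean dir (for example one with a trailing separator or a ".." element) is visible in this change, and one would pin the behaviour across future securejoin upgrades.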

@ -206,6 +206,9 @@ func cleanJoin(root, dest string) (string, error) {
}
// SecureJoin will do some cleaning, as well as some rudimentary checking of symlinks.
// The directory needs to be cleaned prior to passing to SecureJoin or the location may end up
// being wrong or returning an error. This was introduced in v0.4.0.
root = filepath.Clean(root)
newpath, err := securejoin.SecureJoin(root, dest)
if err != nil {
return "", err
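Review bot: In cleanJoin only root is cleaned while dest is passed to SecureJoin as-is, yet the added comment says "The directory needs to be cleaned" and the commit message speaks of paths in general; if leaving dest untouched for SecureJoin to handle is intended, say so in the comment. The same two comment lines and the Clean-then-SecureJoin pair now appear in both Expand and cleanJoin, so a small shared helper that performs both steps would keep a future call site from omitting the Clean call.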
