From 5ebf4b8ec7ed7224991ed07de9c76482b178670a Mon Sep 17 00:00:00 2001
From: Aanand Prasad
Date: Mon, 16 May 2016 15:45:35 +0100
Subject: [PATCH] Resolve path traversal in .dockerignore patterns
Signed-off-by: Aanand Prasad
---
 docker/utils/utils.py | 3 +++
 tests/unit/utils_test.py | 8 ++++++++
 2 files changed, 11 insertions(+)
diff --git a/docker/utils/utils.py b/docker/utils/utils.py
index 3926e540..98cbd61f 100644
--- a/docker/utils/utils.py
+++ b/docker/utils/utils.py
@@ -199,6 +199,9 @@ def get_paths(root, exclude_patterns, include_patterns, has_exceptions=False):
 def match_path(path, pattern):
 pattern = pattern.rstrip('/')
+ if pattern:
+ pattern = os.path.relpath(pattern)
+
 pattern_components = pattern.split('/')
 path_components = path.split('/')[:len(pattern_components)]
 return fnmatch('/'.join(path_components), pattern)
diff --git a/tests/unit/utils_test.py b/tests/unit/utils_test.py
index 12179348..47c43ee2 100644
--- a/tests/unit/utils_test.py
+++ b/tests/unit/utils_test.py
@@ -802,6 +802,9 @@ class ExcludePathsTest(base.BaseTestCase):
 def test_single_filename(self):
 assert self.exclude(['a.py']) == self.all_paths - set(['a.py'])
+ def test_single_filename_leading_dot_slash(self):
+ assert self.exclude(['./a.py']) == self.all_paths - set(['a.py'])
+
 # As odd as it sounds, a filename pattern with a trailing slash on the
 # end *will* result in that file being excluded.
 def test_single_filename_trailing_slash(self):
@@ -831,6 +834,11 @@ class ExcludePathsTest(base.BaseTestCase):
 def test_single_subdir_single_filename(self):
 assert self.exclude(['foo/a.py']) == self.all_paths - set(['foo/a.py'])
+ def test_single_subdir_with_path_traversal(self):
+ assert self.exclude(['foo/whoops/../a.py']) == self.all_paths - set([
+ 'foo/a.py',
+ ])
+
 def test_single_subdir_wildcard_filename(self):
 assert self.exclude(['foo/*.py']) == self.all_paths - set([
 'foo/a.py', 'foo/b.py',
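Review bot: `os.path.relpath(pattern)` in `match_path` (docker/utils/utils.py) resolves the pattern against the process's current working directory and returns it with the platform separator, while the following line still splits on '/'. On Windows a pattern such as `./foo/a.py` would presumably come back as `foo\a.py`, which the split sees as a single component, and an absolute pattern is rewritten into a cwd-dependent `../..` form; in either case a file the author meant to keep out of the build context could still be sent to the daemon. A purely lexical normalisation avoids both: `pattern = os.path.normpath(pattern).replace(os.sep, '/')`. The `if pattern:` guard is still needed with that change and deserves a comment such as `# an empty pattern must stay empty: relpath('') raises ValueError and normpath('') returns '.'`.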
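Review bot: The two new cases in tests/unit/utils_test.py (`test_single_filename_leading_dot_slash` in the `@@ -802` hunk and `test_single_subdir_with_path_traversal` in the `@@ -831` hunk) only cover patterns that normalise to a path inside the context. Nothing pins what a pattern that climbs above the root, such as `../a.py`, or an absolute pattern is expected to exclude, and those are the inputs where the result of `os.path.relpath` can vary with the working directory. I would add a case like `assert self.exclude(['../a.py']) == self.all_paths`, if excluding nothing is the intended result. `ExcludePathsTest` begins outside both hunks, so the fixture's directory layout is not visible here.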