Add safe guards for relative paths

This commit ensures that relative (user configurable) paths never traverse outside their working directory. It does _not_ provide protection against path traversal within `kustomization.yaml` files. Signed-off-by: Hidde Beydals <hello@hidde.co>
2020-12-16 11:38:08 +01:00 · 2020-12-16 11:38:08 +01:00 · 6a4bf74cf3
parent 8296b8e1f1
commit 6a4bf74cf3
4 changed files with 23 additions and 6 deletions
--- a/controllers/kustomization_controller.go
+++ b/controllers/kustomization_controller.go
@ -24,11 +24,11 @@ import (
 	"net/http"
 	"os"
 	"os/exec"
-	"path"
 	"path/filepath"
 	"strings"
 	"time"

+	securejoin "github.com/cyphar/filepath-securejoin"
 	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@ -306,8 +306,16 @@ func (r *KustomizationReconciler) reconcile(
 		), err
 	}

-	dirPath := path.Join(tmpDir, kustomization.Spec.Path)
 	// check build path exists
+	dirPath, err := securejoin.SecureJoin(tmpDir, kustomization.Spec.Path)
+	if err != nil {
+		return kustomizev1.KustomizationNotReady(
+			kustomization,
+			source.GetArtifact().Revision,
+			kustomizev1.ArtifactFailedReason,
+			err.Error(),
+		), err
+	}
 	if _, err := os.Stat(dirPath); err != nil {
 		err = fmt.Errorf("kustomization path not found: %w", err)
 		return kustomizev1.KustomizationNotReady(
@ -606,12 +614,15 @@ func (r *KustomizationReconciler) writeKubeConfig(kustomization kustomizev1.Kust
 		return "", err
 	}

-	kubeConfigPath := path.Join(dirPath, secretName.Name)
+	kubeConfigPath, err := securejoin.SecureJoin(dirPath, secretName.Name)
+	if err != nil {
+		return "", err
+	}
 	if err := ioutil.WriteFile(kubeConfigPath, kubeConfig, os.ModePerm); err != nil {
 		return "", fmt.Errorf("unable to write KubeConfig secret '%s' to storage: %w", secretName.String(), err)
 	}

-	return secretName.Name, nil
+	return kubeConfigPath, nil
 }

 func (r *KustomizationReconciler) getKubeConfig(kustomization kustomizev1.Kustomization) ([]byte, error) {
--- a/controllers/kustomization_decryptor.go
+++ b/controllers/kustomization_decryptor.go
@ -23,8 +23,8 @@ import (
 	"io/ioutil"
 	"os"
 	"os/exec"
-	"path"

+	securejoin "github.com/cyphar/filepath-securejoin"
 	"go.mozilla.org/sops/v3/aes"
 	"go.mozilla.org/sops/v3/cmd/sops/common"
 	"go.mozilla.org/sops/v3/cmd/sops/formats"
@ -133,7 +133,10 @@ func (kd *KustomizeDecryptor) ImportKeys(ctx context.Context) error {
 		defer os.RemoveAll(tmpDir)

 		for name, key := range secret.Data {
-			keyPath := path.Join(tmpDir, name)
+			keyPath, err := securejoin.SecureJoin(tmpDir, name)
+			if err != nil {
+				return err
+			}
 			if err := ioutil.WriteFile(keyPath, key, os.ModePerm); err != nil {
 				return fmt.Errorf("unable to write key to storage: %w", err)
 			}
--- a/go.mod
+++ b/go.mod
@ -5,6 +5,7 @@ go 1.15
 replace github.com/fluxcd/kustomize-controller/api => ./api

 require (
+	github.com/cyphar/filepath-securejoin v0.2.2
 	github.com/fluxcd/kustomize-controller/api v0.5.1
 	github.com/fluxcd/pkg/apis/meta v0.5.0
 	github.com/fluxcd/pkg/runtime v0.4.0
--- a/go.sum
+++ b/go.sum
@ -120,6 +120,8 @@ github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfc
 github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
+github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg=
+github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
 github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=