fix(filesystem): harden the filesystem service to avoid path traversal attacks EE-1922 (#5957)

fix(filesystem): harden the filesystem service to avoid path traversal attacks EE-1922
andres-portainer
2021-11-01 08:01:03 -03:00
committed by GitHub
parent c763219f74
commit 28f71e486a
21 changed files with 292 additions and 176 deletions


@@ -3,7 +3,6 @@ package stacks
import (
"fmt"
"net/http"
"path"
"strconv"
"time"
@@ -389,10 +388,9 @@ func (handler *Handler) deployComposeStack(config *composeStackDeploymentConfig)
!isAdminOrEndpointAdmin {
for _, file := range append([]string{config.stack.EntryPoint}, config.stack.AdditionalFiles...) {
path := path.Join(config.stack.ProjectPath, file)
stackContent, err := handler.FileService.GetFileContent(path)
stackContent, err := handler.FileService.GetFileContent(config.stack.ProjectPath, file)
if err != nil {
return errors.Wrapf(err, "failed to get stack file content `%q`", path)
return errors.Wrapf(err, "failed to get stack file content `%q`", file)
}
err = handler.isValidStackFile(stackContent, securitySettings)