blackroad-os/backroad
9
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(filesystem): harden the filesystem service to avoid path traversal attacks EE-1922 (#5957)

Browse Source 
fix(filesystem): harden the filesystem service to avoid path traversal attacks EE-1922
This commit is contained in:
andres-portainer
2021-11-01 08:01:03 -03:00
committed by GitHub
parent c763219f74
commit 28f71e486a
21 changed files with 292 additions and 176 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
api/internal/stackutils/stackutils.go
View File

@@ -3,7 +3,6 @@ package stackutils
import (
"fmt"
"io/ioutil"
"path"
"github.com/pkg/errors"
portainer "github.com/portainer/portainer/api"
@@ -20,7 +19,7 @@ func ResourceControlID(endpointID portainer.EndpointID, name string) string {
func GetStackFilePaths(stack *portainer.Stack) []string {
var filePaths []string
for _, file := range append([]string{stack.EntryPoint}, stack.AdditionalFiles...) {
filePaths = append(filePaths, path.Join(stack.ProjectPath, file))
filePaths = append(filePaths, filesystem.JoinPaths(stack.ProjectPath, file))
}
return filePaths
}
@@ -37,8 +36,8 @@ func CreateTempK8SDeploymentFiles(stack *portainer.Stack, kubeDeployer portainer
}
for _, fileName := range fileNames {
manifestFilePath := path.Join(tmpDir, fileName)
manifestContent, err := ioutil.ReadFile(path.Join(stack.ProjectPath, fileName))
manifestFilePath := filesystem.JoinPaths(tmpDir, fileName)
manifestContent, err := ioutil.ReadFile(filesystem.JoinPaths(stack.ProjectPath, fileName))
if err != nil {
return nil, "", errors.Wrap(err, "failed to read manifest file")
}