github assets cannot write files to absolute or parent dirs

Signed-off-by: Andrew Lavery <laverya@umich.edu>
replicatedhq · Feb 23, 2019 · 0a989d0 · 0a989d0
1 parent 8ca05ba
commit 0a989d0
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 1 deletion.
diff --git a/pkg/lifecycle/render/github/render.go b/pkg/lifecycle/render/github/render.go
@@ -251,6 +251,10 @@ func getDestPath(githubPath string, asset api.GitHubAsset, builder *templates.Bu
 		return "", errors.Wrapf(err, "get destination directory from %q", asset.Dest)
 	}
 
+	if filepath.IsAbs(destDir) {
+		return "", fmt.Errorf("cannot write to an absolute path: %s", destDir)
+	}
+
 	if stripPath {
 		// remove asset.Path's directory from the beginning of githubPath
 		sourcePathDir := filepath.ToSlash(filepath.Dir(asset.Path)) + "/"
@@ -263,7 +267,18 @@ func getDestPath(githubPath string, asset api.GitHubAsset, builder *templates.Bu
 		}
 	}
 
-	return filepath.Join(destDir, githubPath), nil
+	combinedPath := filepath.Join(destDir, githubPath)
+
+	relPath, err := filepath.Rel(".", combinedPath)
+	if err != nil {
+		return "", errors.Wrap(err, "find relative path to dest")
+	}
+
+	if strings.Contains(relPath, "..") {
+		return "", fmt.Errorf("cannot write to a path that is a parent of the working dir: %s", relPath)
+	}
+
+	return combinedPath, nil
 }
 
 func (r *LocalRenderer) getDestPathNoProxy(asset api.GitHubAsset, builder *templates.Builder, renderRoot string) (string, error) {

diff --git a/pkg/lifecycle/render/github/render_test.go b/pkg/lifecycle/render/github/render_test.go
@@ -206,6 +206,36 @@ func Test_getDestPath(t *testing.T) {
 			want:    "",
 			wantErr: true,
 		},
+		{
+			name: "file in root",
+			args: args{
+				githubPath: "subdir/README.md",
+				asset: api.GitHubAsset{
+					Path:      "",
+					StripPath: "",
+					AssetShared: api.AssetShared{
+						Dest: "/bin/runc",
+					},
+				},
+			},
+			want:    "",
+			wantErr: true,
+		},
+		{
+			name: "file in parent dir",
+			args: args{
+				githubPath: "subdir/README.md",
+				asset: api.GitHubAsset{
+					Path:      "abc/",
+					StripPath: "",
+					AssetShared: api.AssetShared{
+						Dest: "../../../bin/runc",
+					},
+				},
+			},
+			want:    "",
+			wantErr: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {