Skip to content

Commit

Permalink
bug fix
Browse files Browse the repository at this point in the history
Signed-off-by: Jordan Dubrick <[email protected]>
  • Loading branch information
Jdubrick committed Feb 5, 2024
1 parent 35722ec commit 10b01bc
Show file tree
Hide file tree
Showing 2 changed files with 88 additions and 1 deletion.
9 changes: 8 additions & 1 deletion registry-library/library/util.go
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,7 @@ func decompress(targetDir string, tarFile string, excludeFiles []string) error {
continue
}

target := path.Join(targetDir, filepath.Clean(header.Name))
target := CleanFilepath(targetDir, header.Name)
switch header.Typeflag {
case tar.TypeDir:
err = os.MkdirAll(target, os.FileMode(header.Mode))
Expand Down Expand Up @@ -192,3 +192,10 @@ func getHTTPClient(options RegistryOptions) *http.Client {
Timeout: overriddenTimeout,
}
}

// Cleans a child path to ensure that there is no escaping from the parent directory with the use of ../ escape methods
// Ensures that the child path is always contained and absolutely pathed from the parent
func CleanFilepath(parent string, child string)string{
target := path.Join(parent, filepath.Clean("/"+child))
return target
}
80 changes: 80 additions & 0 deletions registry-library/library/util_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ package library
import (
"reflect"
"testing"
"strings"
)

func TestValidateStackVersionTag(t *testing.T) {
Expand Down Expand Up @@ -130,3 +131,82 @@ func TestSplitVersionFromStack(t *testing.T) {
})
}
}

func TestCleanFilepath(t *testing.T) {
tests := []struct {
name string
parentPath string
childPath string
expectedPath string
}{
{
name: "Absolute child path with leading slash",
parentPath: ".",
childPath: "/test/tmp",
expectedPath: "test/tmp",
},
{
name: "Absolute child path without leading slash",
parentPath: ".",
childPath: "test/tmp",
expectedPath: "test/tmp",
},
{
name: "Relative child path without leading slash",
parentPath: ".",
childPath: "../../../../test/tmp",
expectedPath: "test/tmp",
},
{
name: "Relative child path with leading slash",
parentPath: ".",
childPath: "/../../../../test/tmp",
expectedPath: "test/tmp",
},
{
name: "Absolute child path with leading slash and escape capabilities",
parentPath: ".",
childPath: "/home/../../../../test/tmp",
expectedPath: "test/tmp",
},
{
name: "Absolute child path with leading slash and escape capabilities (parent path not current dir)",
parentPath: "newHome/dir",
childPath: "/home/../../../../test/tmp",
expectedPath: "newHome/dir/test/tmp",
},
{
name: "Relative child path without leading slash and escape capabilities (parent path not current dir)",
parentPath: "newHome/dir",
childPath: "../home/../../../../test/tmp",
expectedPath: "newHome/dir/test/tmp",
},
{
name: "Blank child path",
parentPath: "dir",
childPath: "",
expectedPath: "dir",
},
{
name: "Child path only escape characters",
parentPath: "dir",
childPath: "../../../../../",
expectedPath: "dir",
},
{
name: "Single file as child path",
parentPath: "dir",
childPath: "test.txt",
expectedPath: "dir/test.txt",
},
}

for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
path:= CleanFilepath(test.parentPath, test.childPath)
if !strings.EqualFold(test.expectedPath, path) {
t.Errorf("Expected: %s, Got: %s", test.expectedPath, path)
}
})
}
}

0 comments on commit 10b01bc

Please sign in to comment.