Open Zebradil opened 5 months ago
In the community meeting, we agreed that the fix is to disallow paths outside the current working directory (CWD). Defining the CWD is important here. If I remember correctly, this is the logic (in the order of priority):

- if the `--chdir` argument is supplied, its value is CWD;
- if the vendir configuration file is on the disk, its location is CWD;
- if the vendir configuration is passed via stdin, the current directory (`$PWD`) is CWD.

@joaopapereira I'm not entirely sure about the last two points. Could you confirm or correct this? Are there more cases?
> - if the vendir configuration file is on the disk, its location is CWD;

I assume that all paths will have to start in the vendir configuration file, so CWD is where that file is.

> - if the vendir configuration is passed via stdin, the current directory (`$PWD`) is CWD.

In this scenario, we have to assume that CWD is the current directory.

I think these are all the scenarios. @neil-hickey @cppforlife do you think we might have any other scenarios?
This issue was initially discussed in Slack.

What steps did you take:

Here is a shell script to reproduce the issue. It runs commands during `docker build`, so you can safely run it, as it doesn't change any files on the host system.

What happened:

Here is the important part of the output of the script. I added comments to explain the steps.

The same can be achieved by targeting the `/usr` directory via the `../../../usr` path in the vendir configuration.

What did you expect:

Vendir should not allow targeting directories via absolute paths or via traversing up the directory tree.

Anything else you would like to add:

There is a list of disallowed file paths in the current code: https://github.com/carvel-dev/vendir/blob/9d3b17c6c586ace945af11c4acf2df53a51898e1/pkg/vendir/config/directory.go#L25 But it is limited to these exact values: `/`, `..`, `.` and ``.

Environment:
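An added example (not vendir's code) that puts the exact-value denylist described above beside a check that resolves the CWD by the priority discussed in the comments and rejects anything that would land outside it. `ResolveCWD`, `DenylistOnly` and `CheckPath` are hypothetical names, the inputs in `main` are constructed, and POSIX-style paths are assumed.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// ResolveCWD applies the priority from the discussion above: --chdir value,
// else the directory holding the config file, else $PWD (config via stdin).
func ResolveCWD(chdir, configFile, pwd string) string {
	if chdir != "" {
		return chdir
	}
	if configFile != "" {
		return filepath.Dir(configFile)
	}
	return pwd
}

// DenylistOnly mirrors the exact-value check the issue describes: only "/",
// "..", "." and "" are rejected, so "../../../usr" passes.
func DenylistOnly(p string) bool {
	switch p {
	case "/", "..", ".", "":
		return false
	}
	return true
}

// CheckPath is the hardened form: it rejects absolute paths and any path that,
// after lexical cleaning, is not strictly below root (which must be absolute).
// Symlinks are not followed, so a link inside root still needs a check at use time.
func CheckPath(root, p string) (string, error) {
	if p == "" || filepath.IsAbs(p) {
		return "", fmt.Errorf("path %q is absolute or empty", p)
	}
	root = filepath.Clean(root)
	full := filepath.Join(root, p) // Join cleans, so "a/../../b" collapses first
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("path %q escapes %s", p, root)
	}
	return full, nil
}

func main() {
	_, err := CheckPath(ResolveCWD("", "/work/vendir.yml", "/tmp"), "../../../usr") // constructed
	fmt.Println(DenylistOnly("../../../usr"), err) // old check accepts; hardened check errors
}
```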
Vote on this request
This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.
👍 "I would like to see this addressed as soon as possible"
👎 "There are other more important things to focus on right now"
We are also happy to receive and review Pull Requests if you want to help working on this issue.