Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RFE] Use SecureJoin in PATHs and sanitize input #14

Open
rata opened this issue Jul 23, 2021 · 0 comments
Open

[RFE] Use SecureJoin in PATHs and sanitize input #14

rata opened this issue Jul 23, 2021 · 0 comments

Comments

@rata
Copy link
Member

rata commented Jul 23, 2021

Current situation

We don't use https://github.com/cyphar/filepath-securejoin nor any alternative to minimize possible attacks when joining strings for a path. As some strings might be supplied by a user (so far is trusted, though), we might end up writing to an unexpected location if what we expect to be a suffix is something like "/../../etc/passwd".

Impact

We can inadvertently create files in other places of the filesystem rather than the expected ones. As we run as root, there are lot of places we can write to.

Ideal future situation

Use some helper to minimize chances of writing files to unexpected locations when joining strings for the name of the file we will create. Specially, for files that take user input.

**Implementation options

Use https://github.com/cyphar/filepath-securejoin and filepath.Base to sanitize input, as done in the example agent in this PR: opencontainers/runc#2682
@rata rata changed the title [RFE] Use SecureJoin in PATHs and sanitize [RFE] Use SecureJoin in PATHs and sanitize input Jul 23, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rata