cri-o/vendor/github.com/cyphar/filepath-securejoin
Mrunal Patel 970b8d61a7 test: Bump up runc to 9f9c96235cc97674e935002fc3d78361b696a69e
This brings in a fix for a cgroups setup race condition
that we hit sometimes in the tests.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2018-01-23 11:06:21 -08:00
join.go test: Bump up runc to 9f9c96235cc97674e935002fc3d78361b696a69e 2018-01-23 11:06:21 -08:00
LICENSE test: Bump up runc to 9f9c96235cc97674e935002fc3d78361b696a69e 2018-01-23 11:06:21 -08:00
README.md test: Bump up runc to 9f9c96235cc97674e935002fc3d78361b696a69e 2018-01-23 11:06:21 -08:00
vendor.conf test: Bump up runc to 9f9c96235cc97674e935002fc3d78361b696a69e 2018-01-23 11:06:21 -08:00
vfs.go test: Bump up runc to 9f9c96235cc97674e935002fc3d78361b696a69e 2018-01-23 11:06:21 -08:00

filepath-securejoin

An implementation of SecureJoin, a candidate for inclusion in the Go standard library. The purpose of this function is to be a "secure" alternative to filepath.Join, and in particular it provides certain guarantees that are not provided by filepath.Join.

This is the function prototype:

func SecureJoin(root, unsafePath string) (string, error)

This library guarantees the following:

  • If no error is set, the resulting string must be a child path of root and will not contain any symlink path components (they will all be expanded).

  • When expanding symlinks, all symlink path components must be resolved relative to the provided root. In particular, this can be considered a userspace implementation of how chroot(2) operates on file paths. Note that these symlinks will not be expanded lexically (filepath.Clean is not called on the input before processing).

  • Non-existent path components are unaffected by SecureJoin (similar to filepath.EvalSymlinks's semantics).

  • The returned path will always be filepath.Cleaned and thus not contain any .. components.

A (trivial) implementation of this function on GNU/Linux systems could be done with the following (note that this requires root privileges and is far more opaque than the implementation in this library, and also requires that readlink is inside the root path):

package securejoin

import (
	"os/exec"
	"path/filepath"
)

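func SecureJoin(root, unsafePath string) (string, error) {
	// Anchor the untrusted path at "/" so that, inside the chroot, it is
	// resolved relative to root.
	unsafePath = string(filepath.Separator) + unsafePath
	// chroot(2) makes the kernel resolve every symlink relative to root;
	// --canonicalize-missing tolerates components that do not exist.
	cmd := exec.Command("chroot", root,
		"readlink", "--canonicalize-missing", "--no-newline", unsafePath)
	// Capture stdout only, so diagnostics on stderr cannot end up in the path.
	output, err := cmd.Output()
	if err != nil {
		return "", err
	}
	expanded := string(output)
	return filepath.Join(root, expanded), nil
}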
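
The guarantees listed above can be observed with a small stand-alone program that compares filepath.Join followed by filepath.EvalSymlinks against a root-scoped resolution. This is an added example, not the library's implementation and not code from the original README: scopedJoin, demo and the temporary directory layout are hypothetical names constructed for illustration, and the resolver is a simplified sketch that treats any Readlink error as "not a symlink".

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// scopedJoin (hypothetical, simplified sketch): walks unsafePath one component
// at a time and resolves every symlink as if root were "/", like chroot(2).
func scopedJoin(root, unsafePath string) (string, error) {
	sep := string(filepath.Separator)
	cur, todo := sep, unsafePath // cur: symlink-free path resolved so far
	for links := 0; todo != ""; {
		var part string
		part, todo, _ = strings.Cut(todo, sep)
		// Cleaning against "/" means ".." can never climb above root.
		next := filepath.Join(cur, part)
		dest, err := os.Readlink(filepath.Join(root, next))
		if err != nil || next == sep { // plain or missing component, or root itself
			cur = next
			continue
		}
		if links++; links > 255 {
			return "", errors.New("too many levels of symbolic links")
		}
		if filepath.IsAbs(dest) {
			cur = sep // absolute target restarts at root, not at the host "/"
		}
		todo = dest + sep + todo // expand the link in place and keep walking
	}
	return filepath.Join(root, cur), nil
}

// demo builds a constructed tree: <tmp>/root/out -> ../secret (outside root).
func demo() (naive, scoped, root string) {
	tmp, _ := os.MkdirTemp("", "sj")
	tmp, _ = filepath.EvalSymlinks(tmp)
	root = filepath.Join(tmp, "root")
	os.Mkdir(filepath.Join(tmp, "secret"), 0o700)
	os.Mkdir(root, 0o700)
	os.Symlink("../secret", filepath.Join(root, "out"))
	naive, _ = filepath.EvalSymlinks(filepath.Join(root, "out"))
	scoped, _ = scopedJoin(root, "out")
	return
}

func main() { fmt.Println(demo()) }
```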

License

The license of this project is the same as Go, which is a BSD 3-clause license available in the LICENSE file.