HubSpot · ssalinas · Apr 12, 2018 · Apr 4, 2018 · ssalinas · Apr 5, 2018
diff --git a/...rc/main/java/com/hubspot/singularity/executor/task/SingularityExecutorTaskLogManager.java b/...rc/main/java/com/hubspot/singularity/executor/task/SingularityExecutorTaskLogManager.java
@@ -69,6 +69,12 @@ private boolean writeS3MetadataFileForRotatedFiles(boolean finished) {
 
     for (SingularityS3UploaderFile additionalFile : taskDefinition.getExecutorData().getS3UploaderAdditionalFiles()) {
       Path directory = additionalFile.getDirectory().isPresent() ? taskDefinition.getTaskDirectoryPath().resolve(additionalFile.getDirectory().get()) : taskDefinition.getTaskDirectoryPath();
+
+      if (!directory.toAbsolutePath().startsWith(taskDefinition.getTaskDirectoryPath())) {
+        log.warn("Received request to upload files in directory outside task sandbox; these will not be uploaded ({})", directory);
+        continue;
+      }
+
       String fileGlob = additionalFile.getFilename() != null && additionalFile.getFilename().contains("*") ? additionalFile.getFilename() : String.format("%s*.[gb]z*", additionalFile.getFilename());
       result = result && writeS3MetadataFile(additionalFile.getS3UploaderFilenameHint().or(String.format("file%d", index)), directory, fileGlob, additionalFile.getS3UploaderBucket(), additionalFile.getS3UploaderKeyPattern(), finished,
           additionalFile.getS3StorageClass().or(taskDefinition.getExecutorData().getS3StorageClass()), additionalFile.getApplyS3StorageClassAfterBytes().or(taskDefinition.getExecutorData().getApplyS3StorageClassAfterBytes()),