-
Notifications
You must be signed in to change notification settings - Fork 592
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Remove colons in VOLUME mappings on Windows.
Attempting to run Windows images with VOLUME declarations which are absolute paths would lead to `securejoin.SecureJoin()` concatenating two absolute paths when determining the host mount dir and then failing to `os.Lstat()` the resulting path, as it contained an illegal second `:`. Signed-off-by: Nashwan Azhari <nazhari@cloudbasesolutions.com>
- Loading branch information
Showing
3 changed files
with
72 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| //go:build !windows | ||
|
|
||
| /* | ||
| Copyright The containerd Authors. | ||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
| http://www.apache.org/licenses/LICENSE-2.0 | ||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| */ | ||
|
|
||
| package main | ||
|
|
||
| import ( | ||
| securejoin "github.com/cyphar/filepath-securejoin" | ||
| ) | ||
|
|
||
| // Joins the given host path with the given guest path while guaranteeing the provided | ||
| // path is scoped within the host path. (i.e. joining with `../..` or symlinks cannot | ||
| // lead to a higher level path than the provided hostPath, and are simply ignored) | ||
| func joinHostPath(hostPath string, guestPath string) (string, error) { | ||
| return securejoin.SecureJoin(hostPath, guestPath) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| /* | ||
| Copyright The containerd Authors. | ||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
| http://www.apache.org/licenses/LICENSE-2.0 | ||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| */ | ||
|
|
||
| package main | ||
|
|
||
| import ( | ||
| "path/filepath" | ||
| "strings" | ||
|
|
||
| securejoin "github.com/cyphar/filepath-securejoin" | ||
| ) | ||
|
|
||
| // Joins the given host path with the given guest path while guaranteeing the provided | ||
| // path is scoped within the host path. (i.e. joining with `../..` or symlinks cannot | ||
| // lead to a higher level path than the provided hostPath, and are simply ignored) | ||
| // Any colons in the guest path will be removed completely in order to have a valid | ||
| // host path while maining the guest path's drive letter. | ||
| func joinHostPath(hostPath string, guestPath string) (string, error) { | ||
| if filepath.IsAbs(guestPath) { | ||
| // NOTE: both `filepath.Join()` and `securepath.SecureJoin()` concatenate | ||
| // absolute paths on Windows, so we must check and substitute the imfVol drive. | ||
| // This will lead to SecureJoin("C:\c1\c2", "D\d1\d2") => "C:\c1\c2\D\d1\d2". | ||
| guestPath = strings.ReplaceAll(guestPath, ":", "") | ||
| } | ||
|
|
||
| return securejoin.SecureJoin(hostPath, guestPath) | ||
| } |