fix: properly resolve relative syminks

enix · May 23, 2023 · a59a7ab · a59a7ab
1 parent c8395dd
commit a59a7ab
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 5 deletions.
diff --git a/internal/certificate.go b/internal/certificate.go
@@ -5,6 +5,8 @@ import (
 	"encoding/base64"
 	"encoding/pem"
 	"fmt"
+	"io"
+	"io/fs"
 	"os"
 	"path"
 	"path/filepath"
@@ -231,23 +233,33 @@ func readFile(file string) ([]byte, error) {
 		return contents, err
 	}
 
-	realPath, err := resolveSymlink(file)
+	realPath, err := resolveSymlink(os.DirFS("/"), file)
 	if err != nil {
 		return nil, err
 	}
 
 	return os.ReadFile(realPath)
 }
 
-func resolveSymlink(link string) (string, error) {
-	realPath, err := os.Readlink(link)
+func resolveSymlink(fsys fs.FS, link string) (string, error) {
+	symlink, err := fsys.Open(link)
+	if err != nil {
+		return "", err
+	}
+
+	realPath, err := io.ReadAll(symlink)
+	if err != nil {
+		return "", err
+	}
+
+	err = symlink.Close()
 	if err != nil {
 		return "", err
 	}
 
 	// only resolve the symlink filename, and not its full path, to stay compatible with k8s volume mounts
 	// see https://github.com/enix/x509-certificate-exporter/tree/main/deploy/charts/x509-certificate-exporter#watching-symbolic-links
-	return path.Join(path.Dir(link), path.Base(realPath)), nil
+	return path.Join(path.Dir(link), path.Base(string(realPath))), nil
 }
 
 func parsePEM(data []byte) ([]*x509.Certificate, error) {

diff --git a/internal/exporter.go b/internal/exporter.go
@@ -434,7 +434,7 @@ func stat(fsys fs.FS, name string, beforeMeta bool) (fs.FileInfo, bool, error) {
 
 	info, err := fs.Stat(fsys, name)
 	if errors.Is(err, fs.ErrNotExist) {
-		realPath, err := resolveSymlink(name)
+		realPath, err := resolveSymlink(fsys, name)
 		if err != nil {
 			return nil, false, err
 		}