not allow backsteps in local volume plugin #47236
Hi @dixudx. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
6937333 to c339a06
pkg/volume/util/util.go
Outdated
// 3. start with '..' | ||
// 4. contain filename larger than 255 characters | ||
// 5. be longer than 4096 characters | ||
func ValidateLocalPath(targetPath string) error { |
This should also probably be used for the host volume plugin, so perhaps a different name?
Why is this check different from
https://github.com/kubernetes/kubernetes/blob/master/pkg/api/validation/validation.go#L947
It seems weird to me to have different validation here than everywhere else.
@jhorwit2 Yeah, you're right. Thanks for pointing out.
These two functions are nearly the same. But https://github.com/kubernetes/kubernetes/blob/master/pkg/api/validation/validation.go#L947 may not be suitable to be called in pkg/volume/local/local.go.
pkg/api/validation/validation.go
Outdated
@@ -51,6 +51,7 @@ import ( | |||
"k8s.io/kubernetes/pkg/capabilities" | |||
"k8s.io/kubernetes/pkg/features" | |||
"k8s.io/kubernetes/pkg/security/apparmor" | |||
"k8s.io/kubernetes/pkg/volume/util" |
I don't really think the api package should be importing the volume package... I'd rather see the validation function stay in the validation package
pkg/volume/util/util.go
Outdated
if item == ".." { | ||
return fmt.Errorf("invalid path: must not contain '..': %s", targetPath) | ||
} | ||
if len(item) > maxFileNameLength { |
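Review bot: the `item == ".."` branch formats the rejected path with `%s`; since `targetPath` comes from the volume spec, `%q` would make embedded whitespace or control characters visible in the error and in logs. On the following line, `len(item)` counts bytes while the function comment speaks of 255 characters, so the comment or the constant's name should state which unit is meant.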
is maxFileNameLength the max of all platforms' max, or the min of all platforms' max?
Isn't this already covered on each node when the mounts are provisioned, which would be platform specific?
@liggitt Linux has a maximum filename length of 255 characters for most filesystems (including EXT4), and a maximum path of 4096 characters. On Windows, the maximum length for a path is defined as 260 characters and a maximum total path length is 32,767 characters. Here maxFileNameLength is the min value. Also for maxPathLength.
Since there are differences between platforms, I don't think we should be enforcing this this way. Let's limit this to the backstep path segment prevention for now
Yeah, good advice. Function validateLocalNonReservedPath is quite similar to this function. Shall we abstract the core part to a common function?
Local volumes would still allow backsteps in the |
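An added example, not code from this pull request: a segment-wise backstep check of the kind the thread above settles on, shown next to two plain string checks that give different verdicts. The function names and sample paths are hypothetical, and treating both `/` and `\` as separators is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// validateNoBacksteps (hypothetical name) rejects a path when any segment is
// exactly "..". Splitting on both '/' and '\\' is an assumption made here so
// the verdict does not depend on the OS of the node that mounts the path.
func validateNoBacksteps(path string) error {
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, segment := range strings.FieldsFunc(path, isSep) {
		if segment == ".." {
			return fmt.Errorf("must not contain '..': %q", path)
		}
	}
	return nil
}

// substringCheck over-rejects: it flags ordinary names that merely contain "..".
func substringCheck(path string) bool { return strings.Contains(path, "..") }

// prefixCheck under-rejects: it misses a backstep anywhere after the start.
func prefixCheck(path string) bool { return strings.HasPrefix(path, "..") }

func main() {
	// Constructed sample paths, not taken from the pull request.
	samples := []string{
		"/mnt/disks/vol1",
		"/mnt/disks/../../etc",
		"/mnt/..data/vol1",
		`..\..\etc`,
	}
	for _, p := range samples {
		fmt.Printf("%-24q segment=%-5v substring=%-5v prefix=%v\n",
			p, validateNoBacksteps(p) != nil, substringCheck(p), prefixCheck(p))
	}
}
```

A lexical check like this does not resolve symlinks, so it narrows what a path string can express rather than proving where the mount ends up.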
pkg/volume/util/util.go
Outdated
// 5. be longer than 4096 characters | ||
func ValidateLocalPath(targetPath string) error { | ||
if targetPath == "" { | ||
return fmt.Errorf("invalid path: must not be empty: %q", targetPath) |
- if it's empty then I don't see a reason of showing it in quotes
- I don't think that we should add "invalid path:" prefix to each error message. We're using field.Invalid() and it also adds a similar prefix to the error AFAIR.
@php-coder Actually function validateLocalNonReservedPath is exactly like what you said. But I think it is not quite suitable to be called by other functions.
pkg/volume/util/util_test.go
Outdated
} | ||
|
||
if !tc.valid && err == nil { | ||
t.Errorf("%v: unexpected success", tc.name) |
"%v: unexpected success for the path %q"?
pkg/volume/util/util_test.go
Outdated
for _, tc := range cases { | ||
err := ValidateLocalPath(tc.path) | ||
if tc.valid && err != nil { | ||
t.Errorf("%v: unexpected failure: %v", tc.name, err) |
I suggest including the path in the error msg, WDYT?
Yeah, will update it.
pkg/volume/util/util.go
Outdated
} | ||
} | ||
if strings.HasPrefix(items[0], "..") && len(items[0]) > 2 { | ||
return fmt.Errorf("invalid path: must not start with '..': %s", targetPath) |
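Review bot: the condition `strings.HasPrefix(items[0], "..") && len(items[0]) > 2` rejects a first segment such as `..data`, which is an ordinary file name and not a backstep, and it looks only at `items[0]`, so the same name deeper in the path is accepted. Either drop this branch and rely on an exact per-segment comparison with "..", or add a comment explaining why names that merely begin with two dots are refused in the first position only.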
What are reserved paths and why don't we allow them? How are they dangerous? Is it something Windows-specific?
Do we want local and hostpath path validations to use the same function?
@jhorwit2 Local volumes do not allow backsteps in the
03dd60c to 50b233d
50b233d to 5262a37
@@ -1134,6 +1134,8 @@ func validateLocalVolumeSource(ls *api.LocalVolumeSource, fldPath *field.Path) f | |||
if ls.Path == "" { | |||
allErrs = append(allErrs, field.Required(fldPath.Child("path"), "")) |
return early
@@ -192,6 +193,11 @@ func (m *localVolumeMounter) SetUpAt(dir string, fsGroup *types.UnixGroupID) err | |||
return err | |||
} | |||
|
|||
err := validation.ValidatePathNoBacksteps(m.globalPath) |
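Review bot: the call `validation.ValidatePathNoBacksteps(m.globalPath)` in `SetUpAt` carries no comment saying why the path is checked again at mount time, so it risks being removed later as a duplicate of the API validation. A one-line comment stating that this is the node-side check would help; also confirm that `err :=` here does not shadow or redeclare an `err` already in scope, given the `return err` just above.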
should this be validating m.globalPath or dir?
validating m.globalPath.
e56d032 to aa23ed5
@k8s-bot ok to test
/lgtm
@dixudx Need to add release note to remove the label
/lgtm
/approve Thanks!
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dchen1107, dixudx, liggitt, msau42 Associated issue: 47207 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing
Automatic merge from submit-queue (batch tested with PRs 34515, 47236, 46694, 47819, 47792)
Which issue this PR fixes: fixes #47207
Special notes for your reviewer:
cc @msau42 @ddysher
Just follow @liggitt commented.
Release note: