Fix a bug where malformed paths don't get written to the destination dir #61298

Merged
merged 1 commit into from Mar 18, 2018

brendandburns
Contributor

@k8s-ci-robot
Contributor

@brendandburns: Adding do-not-merge/release-note-label-needed because the release note process has not been followed.

One of the following labels is required "release-note", "release-note-action-required", or "release-note-none".
Please see: https://git.k8s.io/community/contributors/devel/pull-requests.md#write-release-notes-if-needed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot added labels on Mar 16, 2018: do-not-merge/release-note-label-needed (indicates that a PR should not merge because it's missing one of the release note labels), size/M (denotes a PR that changes 30-99 lines, ignoring generated files), cncf-cla: yes (indicates the PR's author has signed the CNCF CLA), approved (indicates a PR has been approved by an approver from all required OWNERS files).

@cjcullen
Member

/test pull-kubernetes-e2e-gce

@cjcullen
Member

/release-note-none

@k8s-ci-robot added release-note-none (denotes a PR that doesn't merit a release note) and removed do-not-merge/release-note-label-needed (indicates that a PR should not merge because it's missing one of the release note labels) on Mar 16, 2018.

@liggitt
Member

liggitt commented Mar 16, 2018

/lgtm

@k8s-ci-robot added the lgtm label ("Looks good to me", indicates that a PR is ready to be merged) on Mar 16, 2018.

@jessfraz
Contributor

/lgtm

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: brendandburns, jessfraz, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cjcullen
Member

cjcullen commented Mar 16, 2018

I would have assumed that a srcdir/../../somefile in the tar would cause an error instead of silently getting flattened into destdir/somefile. But if this is canonical, I'm fine with it.

@fejta-bot

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel comment for consistent failures.

@brendandburns
Contributor Author

@cjcullen I'm not sure what is canonical or not, this seems to me to be fine, but I can also return an error if that is the preferred approach.

// clean prevents path traversals by stripping them out.
// This is adapted from https://golang.org/src/net/http/fs.go#L74
func clean(fileName string) string {
return path.Clean(string(os.PathSeparator) + fileName)
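
Review bot: `clean` pairs the slash-only `path` package with `os.PathSeparator` in `path.Clean(string(os.PathSeparator) + fileName)`, so on Windows the prefix is a backslash that `path.Clean` does not treat as a root, and leading `..` segments are no longer guaranteed to be absorbed. Tar entry names use forward slashes, so prefix a literal `"/"` and convert to an OS path only when joining with the destination directory. The doc comment should also state that the returned name is rooted and that `..` segments are dropped silently rather than reported, since a caller cannot tell a flattened entry from a legitimate one.
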
Member

@brendanburns will prefixing os.PathSeparator work for you on windows? (is fileName likely to be c:/abc)?

Member

liggitt commented Mar 17, 2018

> (is fileName likely to be c:/abc)?

Not with any legitimate response from the container (since we're invoking the tar command and not building tar files with absolute paths).

Member

Ack @liggitt thanks!
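
The two behaviours debated in this thread, silently flattening `srcdir/../../somefile` into `destdir/somefile` versus returning an error, shown side by side as an added example (not code from this pull request or from Kubernetes). `flattenTarget`, `strictTarget`, `ErrEscapes` and the entry names are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// ErrEscapes (hypothetical name) reports an entry that would leave destDir.
var ErrEscapes = errors.New("tar entry escapes destination directory")

// flattenTarget roots the slash-separated entry name, cleans it so every
// ".." is absorbed at the root, then joins the result under destDir.
func flattenTarget(destDir, entry string) string {
	return filepath.Join(destDir, filepath.FromSlash(path.Clean("/"+entry)))
}

// strictTarget joins first and rejects any entry whose cleaned path is
// not inside destDir, instead of silently rewriting it.
func strictTarget(destDir, entry string) (string, error) {
	if path.IsAbs(entry) {
		return "", ErrEscapes
	}
	target := filepath.Join(destDir, filepath.FromSlash(entry))
	rel, err := filepath.Rel(destDir, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapes
	}
	return target, nil
}

func main() {
	// Constructed entry names, as they could appear in a tar stream.
	entries := []string{"srcdir/file", "srcdir/../../somefile", "/abs/file"}
	for _, e := range entries {
		strict, err := strictTarget("/tmp/destdir", e)
		fmt.Printf("%-24q flatten=%q strict=%q err=%v\n",
			e, flattenTarget("/tmp/destdir", e), strict, err)
	}
}
```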

@dims
Member

dims commented Mar 17, 2018

LGTM 👍

@k8s-github-robot

[MILESTONENOTIFIER] Milestone Pull Request Labels Incomplete

@brendandburns @jessfraz @liggitt

Action required: This pull request requires label changes. If the required changes are not made within 2 days, the pull request will be moved out of the v1.10 milestone.

kind: Must specify exactly one of kind/bug, kind/cleanup or kind/feature.
priority: Must specify exactly one of priority/critical-urgent, priority/important-longterm or priority/important-soon.
sig owner: Must specify at least one label prefixed with sig/.

@k8s-github-robot

/test all [submit-queue is verifying that this PR is safe to merge]

@k8s-github-robot

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit b9a8938 into kubernetes:master Mar 18, 2018
k8s-github-robot pushed a commit that referenced this pull request Mar 19, 2018
…-#61298-upstream-release-1.9

Automatic merge from submit-queue.

Automated cherry pick of #61298: Fix a bug where malformed paths don't get written to the

Cherry pick of #61298 on release-1.9.

#61298: Fix a bug where malformed paths don't get written to the