Don't use securejoin(templateDir, templateName)

jandubois · jandubois · commit a887af71bafe · 2025-05-14T11:40:27.000-07:00
The final filename might be a symlink to somewhere outside `templateDir`
(homebrew). Instead make sure that `templateName` is not using `../`
path references.

Signed-off-by: Jan Dubois &lt;jan.dubois@suse.com&gt;
diff --git a/cmd/limactl/start.go b/cmd/limactl/start.go
@@ -12,6 +12,7 @@ import (
 	"strings"
 
 	"github.com/containerd/containerd/identifiers"
+	securejoin "github.com/cyphar/filepath-securejoin"
 	"github.com/lima-vm/lima/cmd/limactl/editflags"
 	"github.com/lima-vm/lima/pkg/editutil"
 	"github.com/lima-vm/lima/pkg/instance"
@@ -118,8 +119,10 @@ func loadOrCreateInstance(cmd *cobra.Command, args []string, createOnly bool) (*
 		return nil, err
 	}
 	if isTemplateURL, templateURL := limatmpl.SeemsTemplateURL(arg); isTemplateURL {
-		// No need to use SecureJoin here. https://github.com/lima-vm/lima/pull/805#discussion_r853411702
-		templateName := filepath.Join(templateURL.Host, templateURL.Path)
+		templateName, err := securejoin.SecureJoin(templateURL.Host, templateURL.Path)
+		if err != nil {
+			return nil, err
+		}
 		switch templateName {
 		case "experimental/vz":
 			logrus.Warn("template://experimental/vz was merged into the default template in Lima v1.0. See also <https://lima-vm.io/docs/config/vmtype/>.")
diff --git a/pkg/limatmpl/locator.go b/pkg/limatmpl/locator.go
@@ -18,6 +18,7 @@ import (
 	"unicode"
 
 	"github.com/containerd/containerd/identifiers"
+	securejoin "github.com/cyphar/filepath-securejoin"
 	"github.com/lima-vm/lima/pkg/ioutilx"
 	"github.com/lima-vm/lima/pkg/limayaml"
 	"github.com/lima-vm/lima/pkg/templatestore"
@@ -40,8 +41,10 @@ func Read(ctx context.Context, name, locator string) (*Template, error) {
 	isTemplateURL, templateURL := SeemsTemplateURL(locator)
 	switch {
 	case isTemplateURL:
-		// No need to use SecureJoin here. https://github.com/lima-vm/lima/pull/805#discussion_r853411702
-		templateName := filepath.Join(templateURL.Host, templateURL.Path)
+		templateName, err := securejoin.SecureJoin(templateURL.Host, templateURL.Path)
+		if err != nil {
+			return nil, err
+		}
 		logrus.Debugf("interpreting argument %q as a template name %q", locator, templateName)
 		if tmpl.Name == "" {
 			// e.g., templateName = "deprecated/centos-7.yaml" , tmpl.Name = "centos-7"
diff --git a/pkg/templatestore/templatestore.go b/pkg/templatestore/templatestore.go
@@ -14,7 +14,6 @@ import (
 	"strings"
 	"unicode"
 
-	securejoin "github.com/cyphar/filepath-securejoin"
 	"github.com/lima-vm/lima/pkg/store/dirnames"
 	"github.com/lima-vm/lima/pkg/usrlocalsharelima"
 )
@@ -54,10 +53,7 @@ func Read(name string) ([]byte, error) {
 		name += ".yaml"
 	}
 	for _, templatesDir := range paths {
-		filePath, err := securejoin.SecureJoin(templatesDir, name)
-		if err != nil {
-			return nil, err
-		}
+		filePath := filepath.Join(templatesDir, name)
 		if b, err := os.ReadFile(filePath); !errors.Is(err, os.ErrNotExist) {
 			return b, err
 		}

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,6 @@ import (`
`14`	`14`	`"strings"`
`15`	`15`	`"unicode"`
`16`	`16`
`17`		`- securejoin "github.com/cyphar/filepath-securejoin"`
`18`	`17`	`"github.com/lima-vm/lima/pkg/store/dirnames"`
`19`	`18`	`"github.com/lima-vm/lima/pkg/usrlocalsharelima"`
`20`	`19`	`)`
`@@ -54,10 +53,7 @@ func Read(name string) ([]byte, error) {`
`54`	`53`	`name += ".yaml"`
`55`	`54`	`}`
`56`	`55`	`for _, templatesDir := range paths {`
`57`		`- filePath, err := securejoin.SecureJoin(templatesDir, name)`
`58`		`- if err != nil {`
`59`		`- return nil, err`
`60`		`- }`
	`56`	`+ filePath := filepath.Join(templatesDir, name)`
`61`	`57`	`if b, err := os.ReadFile(filePath); !errors.Is(err, os.ErrNotExist) {`
`62`	`58`	`return b, err`
`63`	`59`	`}`