Skip to content

Don't use SecureJoin(templateDir, templateName) #3542

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 19, 2025
Merged

Don't use SecureJoin(templateDir, templateName) #3542

merged 1 commit into from
May 19, 2025
+18 −12

Conversation

jandubois
Copy link
Member

@jandubois jandubois commented May 14, 2025
edited
Loading

The final template path may be a symlink that points somewhere outside the templateDir (e.g. when installed by Homebrew).

Also use path instead of filepath functions to join host and path of template:// URLs; they are not native filepaths and always uses slashes as path delimiters.

Fixes #3540

@jandubois jandubois marked this pull request as ready for review May 14, 2025 18:48
@jandubois jandubois changed the title Don't use securejoin(templateDir, templateName) Don't use SecureJoin(templateDir, templateName) May 14, 2025
AkihiroSuda
AkihiroSuda reviewed May 15, 2025
View reviewed changes
pkg/templatestore/templatestore.go Outdated
if err != nil {
return nil, err
}
filePath := filepath.Join(templatesDir, name)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs a code comment to explain why SecureJoin is not needed

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also name needs to be validated

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure what that means? You want to drop SecureJoin when processing template:// URLs and instead check templateName here to make sure it doesn't include .. as a substring?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SecureJoin can remain there in processing URLs, but we still have to make sure that something isn’t calling Read() with an unexpected value.

GoDoc should also explain the expected value of name

@AkihiroSuda AkihiroSuda added this to the v1.1.0 milestone May 15, 2025
@jandubois
Don't use securejoin(templateDir, templateName)
ef331d0 
The final template path may be a symlink that points somewhere
outside the templateDir (e.g. when installed by Homebrew).

Also use `path` instead of `filepath` functions to join host and
path of template:// URLs; they are not native filepaths and always
uses slashes as path delimiters.

Signed-off-by: Jan Dubois <[email protected]>
AkihiroSuda
AkihiroSuda approved these changes May 19, 2025
View reviewed changes
Copy link
Member

@AkihiroSuda AkihiroSuda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@AkihiroSuda AkihiroSuda merged commit 8fe7167 into lima-vm:master May 19, 2025
34 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.1.0
Development

Successfully merging this pull request may close these issues.

[v1.1 RC] limactl info: template "default.yaml" not found (only after installing additional guest agents)
2 participants
@jandubois @AkihiroSuda