mirror of
https://github.com/argoproj/argo-cd.git
synced 2026-02-20 01:28:45 +01:00
ef2501f4b1
* Add support for hidden directories with directory enforcer * Refactor * Lint * Rework done, still needs tests * WIP * Should be done * Fix test * Helm Charts
42 lines
1.3 KiB
Go
42 lines
1.3 KiB
Go
package security
|
|
|
|
import (
|
|
"fmt"
|
|
"path/filepath"
|
|
"strings"
|
|
)
|
|
|
|
// Ensure that `requestedPath` is on the same directory or any subdirectory of `currentRoot`. Both `currentRoot` and
|
|
// `requestedPath` must be absolute paths. They may contain any number of `./` or `/../` dir changes.
|
|
func EnforceToCurrentRoot(currentRoot, requestedPath string) (string, error) {
|
|
currentRoot = filepath.Clean(currentRoot)
|
|
requestedDir, requestedFile := parsePath(requestedPath)
|
|
if !isRequestedDirUnderCurrentRoot(currentRoot, requestedDir) {
|
|
return "", fmt.Errorf("requested path %s should be on or under current directory %s", requestedPath, currentRoot)
|
|
}
|
|
return requestedDir + string(filepath.Separator) + requestedFile, nil
|
|
}
|
|
|
|
func isRequestedDirUnderCurrentRoot(currentRoot, requestedPath string) bool {
|
|
if currentRoot == string(filepath.Separator) {
|
|
return true
|
|
} else if currentRoot == requestedPath {
|
|
return true
|
|
}
|
|
if requestedPath[len(requestedPath)-1] != '/' {
|
|
requestedPath = requestedPath + "/"
|
|
}
|
|
if currentRoot[len(currentRoot)-1] != '/' {
|
|
currentRoot = currentRoot + "/"
|
|
}
|
|
return strings.HasPrefix(requestedPath, currentRoot)
|
|
}
|
|
|
|
func parsePath(path string) (string, string) {
|
|
directory := filepath.Dir(path)
|
|
if directory == path {
|
|
return directory, ""
|
|
}
|
|
return directory, filepath.Base(path)
|
|
}
|