From a841ca8552a9c245fa269c5c125e43854334e47b Mon Sep 17 00:00:00 2001
From: sophia
Date: Mon, 15 Nov 2021 15:44:37 -0600
Subject: [PATCH] Ensure box destination path is in box path

---
 internal/core/box_collection.go | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/internal/core/box_collection.go b/internal/core/box_collection.go
index e5b6b2722..c72d47e9a 100644
--- a/internal/core/box_collection.go
+++ b/internal/core/box_collection.go
@@ -71,7 +71,10 @@ func (b *BoxCollection) Add(path, name, version, metadataURL string, force bool,
 if header == nil {
 continue
 }
- dest := filepath.Join(tempDir, header.Name)
+ dest, err := validateNewPath(filepath.Join(tempDir, header.Name), tempDir)
+ if err != nil {
+ return nil, err
+ }
 switch header.Typeflag {
 case tar.TypeDir:
 // create directory if it doesn't already exist
@@ -131,7 +134,10 @@ func (b *BoxCollection) Add(path, name, version, metadataURL string, force bool,
 os.MkdirAll(destDir, 0755)
 // Copy the contents of the tempdir to the final dir
 err = filepath.Walk(tempDir, func(path string, info os.FileInfo, erro error) (err error) {
- destPath := filepath.Join(destDir, info.Name())
+ destPath, err := validateNewPath(filepath.Join(destDir, info.Name()), destDir)
+ if err != nil {
+ return err
+ }
 if info.IsDir() {
 err = os.MkdirAll(destPath, info.Mode())
 return err
@@ -231,4 +237,16 @@ func (b *BoxCollection) generateDirectoryName(path string) (out string) {
 return strings.ReplaceAll(out, "/", VagrantSlash)
 }
 
+func validateNewPath(path string, parentPath string) (newPath string, err error) {
+ newPath, err = filepath.Abs(path)
+ if err != nil {
+ return "", err
+ }
+ // Ensure that the newPath is within the parentPath
+ if !strings.HasPrefix(newPath, parentPath) {
+ return "", fmt.Errorf("could not add box outside of box directory %s", parentPath)
+ }
+ return
+ }
+
 var _ core.BoxCollection = (*BoxCollection)(nil)
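Review bot: The new check validates only `header.Name`; if the `switch header.Typeflag` whose body lies outside this hunk creates symlinks or hard links from `tar.TypeSymlink`/`tar.TypeLink` entries, `header.Linkname` is never validated, so an archive can plant a link to a location outside `tempDir` and then write through it with a later entry that passes the lexical check (`filepath.Abs` does not resolve symlinks, so `validateNewPath` will not notice). For those entry types the link target should be rejected when absolute and otherwise validated as `validateNewPath(filepath.Join(filepath.Dir(dest), header.Linkname), tempDir)` before the link is created. Note also that `dest, err :=` inside the loop body declares a fresh `err` that shadows any `err` declared earlier in `Add` (the `err =` assignment in a later hunk suggests one exists); that is harmless here but worth a `// shadows outer err` note if later code in the loop relies on the outer one. The enclosing `Add` starts and ends outside this hunk.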
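Review bot: In the `filepath.Walk` callback the value handed to `validateNewPath` is built from `info.Name()`, which is a single path element with no separators, so `filepath.Join(destDir, info.Name())` can never leave `destDir` and this check can only fail if `destDir` itself is not absolute and clean; it adds no protection against the traversal the commit targets. If the intent is defense in depth it would be clearer to say so, e.g. `// info.Name() is a base name; this only guards a malformed destDir`, or to validate the walked `path` relative to `tempDir` instead (noting that the current use of the base name flattens nested entries into `destDir`, which predates this change). The callback's `erro` parameter is still ignored, so a walk error is passed over silently. Both the closure and the enclosing `Add` continue outside this hunk.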
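Review bot: `strings.HasPrefix(newPath, parentPath)` is a string-prefix test, not a containment test: a `parentPath` of `/tmp/box123` accepts `/tmp/box1234/evil`, and because `parentPath` is never passed through `filepath.Abs`/`filepath.Clean` a relative or trailing-slash `parentPath` compared against the absolutised `newPath` gives the wrong answer in both directions. A containment check should normalise both sides and use `filepath.Rel`, treating a result of `..`, a `../` prefix or an error (different volume on Windows) as outside; the rewrite below keeps the signature and error message. This remains a lexical check and deliberately does not resolve symlinks, which callers that create links must handle separately; the doc comment should say so.
```go
func validateNewPath(path string, parentPath string) (newPath string, err error) {
	newPath, err = filepath.Abs(path)
	if err != nil {
		return "", err
	}
	parent, err := filepath.Abs(parentPath)
	if err != nil {
		return "", err
	}
	// Rel resolves ".." lexically; ".." / "../..." (or no relation at all,
	// e.g. a different volume) means newPath lies outside parent.
	// Symlinks are NOT resolved here.
	rel, err := filepath.Rel(parent, newPath)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("could not add box outside of box directory %s", parentPath)
	}
	return newPath, nil
}
```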