config: Use glob instead of regexp to match paths in annotations

When filtering annotations that correspond to paths,
e.g. hypervisor.path, it is better to use a glob syntax than a regexp
syntax, as it is more usual for paths, and prevents classes of matches
that are undesirable in our case, such as matching .. against .*

Fixes: #901

Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
This commit is contained in:
Christophe de Dinechin 2020-05-18 19:00:54 +02:00 committed by Peng Tao
parent 29f5dec38f
commit 5a587ba506

View File

@ -200,6 +200,18 @@ func regexpContains(s []string, e string) bool {
return false
}
func checkPathIsInGlobList(list []string, path string) bool {
for _, glob := range list {
filenames, _ := filepath.Glob(glob)
for _, a := range filenames {
if path == a {
return true
}
}
}
return false
}
func newLinuxDeviceInfo(d specs.LinuxDevice) (*config.DeviceInfo, error) {
allowedDeviceTypes := []string{"c", "b", "u", "p"}
@ -391,21 +403,21 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig,
}
if value, ok := ocispec.Annotations[vcAnnotations.HypervisorPath]; ok {
if !regexpContains(runtime.HypervisorConfig.HypervisorPathList, value) {
if !checkPathIsInGlobList(runtime.HypervisorConfig.HypervisorPathList, value) {
return fmt.Errorf("hypervisor %v required from annotation is not valid", value)
}
config.HypervisorConfig.HypervisorPath = value
}
if value, ok := ocispec.Annotations[vcAnnotations.JailerPath]; ok {
if !regexpContains(runtime.HypervisorConfig.JailerPathList, value) {
if !checkPathIsInGlobList(runtime.HypervisorConfig.JailerPathList, value) {
return fmt.Errorf("jailer %v required from annotation is not valid", value)
}
config.HypervisorConfig.JailerPath = value
}
if value, ok := ocispec.Annotations[vcAnnotations.CtlPath]; ok {
if !regexpContains(runtime.HypervisorConfig.HypervisorCtlPathList, value) {
if !checkPathIsInGlobList(runtime.HypervisorConfig.HypervisorCtlPathList, value) {
return fmt.Errorf("hypervisor control %v required from annotation is not valid", value)
}
config.HypervisorConfig.HypervisorCtlPath = value
@ -435,7 +447,7 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig,
}
if value, ok := ocispec.Annotations[vcAnnotations.VhostUserStorePath]; ok {
if !regexpContains(runtime.HypervisorConfig.VhostUserStorePathList, value) {
if !checkPathIsInGlobList(runtime.HypervisorConfig.VhostUserStorePathList, value) {
return fmt.Errorf("vhost store path %v required from annotation is not valid", value)
}
config.HypervisorConfig.VhostUserStorePath = value
@ -546,7 +558,7 @@ func addHypervisorMemoryOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConfig
}
if value, ok := ocispec.Annotations[vcAnnotations.FileBackedMemRootDir]; ok {
if !regexpContains(runtime.HypervisorConfig.FileBackedMemRootList, value) {
if !checkPathIsInGlobList(runtime.HypervisorConfig.FileBackedMemRootList, value) {
return fmt.Errorf("file_mem_backend value %v required from annotation is not valid", value)
}
sbConfig.HypervisorConfig.FileBackedMemRootDir = value
@ -702,7 +714,7 @@ func addHypervisorVirtioFsOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConf
}
if value, ok := ocispec.Annotations[vcAnnotations.VirtioFSDaemon]; ok {
if !regexpContains(runtime.HypervisorConfig.VirtioFSDaemonList, value) {
if !checkPathIsInGlobList(runtime.HypervisorConfig.VirtioFSDaemonList, value) {
return fmt.Errorf("virtiofs daemon %v required from annotation is not valid", value)
}
sbConfig.HypervisorConfig.VirtioFSDaemon = value