runtime: use filepath.Clean() to clean the mount path

Fix path check bypassed issuse introduced by #6082, use filepath.Clean() to clean path before check Fixes: #6082 Signed-off-by: XDTG <click1799@163.com>
2025-04-27 19:35:32 +00:00 · 2023-02-24 15:48:09 +08:00 · 2023-02-24 15:48:09 +08:00 · dc86d6dac3
commit dc86d6dac3
parent 44a780f262
3 changed files with 9 additions and 0 deletions
--- a/src/runtime/virtcontainers/mount.go
+++ b/src/runtime/virtcontainers/mount.go
@ -44,6 +44,7 @@ func mountLogger() *logrus.Entry {
 }

 func isSystemMount(m string) bool {
+	m = filepath.Clean(m)
 	for _, p := range systemMountPrefixes {
 		if m == p || strings.HasPrefix(m, p+"/") {
 			return true
@ -54,6 +55,7 @@ func isSystemMount(m string) bool {
 }

 func isHostDevice(m string) bool {
+	m = filepath.Clean(m)
 	if m == "/dev" {
 		return true
 	}
--- a/src/runtime/virtcontainers/mount_linux_test.go
+++ b/src/runtime/virtcontainers/mount_linux_test.go
@ -249,6 +249,9 @@ func TestIsHostDevice(t *testing.T) {
 		{"/dev/zero", true},
 		{"/dev/block", true},
 		{"/mnt/dev/block", false},
+		{"/../dev", true},
+		{"/../dev/block", true},
+		{"/../mnt/dev/block", false},
 	}

 	for _, test := range tests {
--- a/src/runtime/virtcontainers/mount_test.go
+++ b/src/runtime/virtcontainers/mount_test.go
@ -41,6 +41,10 @@ func TestIsSystemMount(t *testing.T) {
 		{"/home", false},
 		{"/dev/block/", false},
 		{"/mnt/dev/foo", false},
+		{"/../sys", true},
+		{"/../sys/", true},
+		{"/../sys/fs/cgroup", true},
+		{"/../sysfoo", false},
 	}

 	for _, test := range tests {