github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-04-30 04:34:27 +00:00
Code Issues Projects Releases Wiki Activity

runtime: use filepath.Clean() to clean the mount path

Browse Source 
Fix path check bypassed issuse introduced by #6082,
use filepath.Clean() to clean path before check

Fixes: #6082

Signed-off-by: XDTG <click1799@163.com>
This commit is contained in:
XDTG 2023-02-24 15:48:09 +08:00
parent 44a780f262
commit dc86d6dac3
3 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/runtime/virtcontainers/mount.go
View File

@ -44,6 +44,7 @@ func mountLogger() *logrus.Entry {
} }
func isSystemMount(m string) bool { func isSystemMount(m string) bool {
m = filepath.Clean(m)
for _, p := range systemMountPrefixes { for _, p := range systemMountPrefixes {
if m == p || strings.HasPrefix(m, p+"/") { if m == p || strings.HasPrefix(m, p+"/") {
return true return true
@ -54,6 +55,7 @@ func isSystemMount(m string) bool {
} }
func isHostDevice(m string) bool { func isHostDevice(m string) bool {
m = filepath.Clean(m)
if m == "/dev" { if m == "/dev" {
return true return true
} }

3
src/runtime/virtcontainers/mount_linux_test.go
View File

@ -249,6 +249,9 @@ func TestIsHostDevice(t *testing.T) {
{"/dev/zero", true}, {"/dev/zero", true},
{"/dev/block", true}, {"/dev/block", true},
{"/mnt/dev/block", false}, {"/mnt/dev/block", false},
{"/../dev", true},
{"/../dev/block", true},
{"/../mnt/dev/block", false},
} }
for _, test := range tests { for _, test := range tests {

4
src/runtime/virtcontainers/mount_test.go
View File

@ -41,6 +41,10 @@ func TestIsSystemMount(t *testing.T) {
{"/home", false}, {"/home", false},
{"/dev/block/", false}, {"/dev/block/", false},
{"/mnt/dev/foo", false}, {"/mnt/dev/foo", false},
{"/../sys", true},
{"/../sys/", true},
{"/../sys/fs/cgroup", true},
{"/../sysfoo", false},
} }
for _, test := range tests { for _, test := range tests {