From abc6fe6dbb724c835f77645a6119dfd5cb2698b0 Mon Sep 17 00:00:00 2001
From: Ismo Puustinen
Date: Mon, 12 Mar 2018 14:13:54 +0200
Subject: [PATCH 1/2] build-ui.sh: use kube::util::ensure-temp-dir instead of static path.
Using static paths for temporary files has been a security problem in the past. Use kube::util::ensure-temp-dir to create a safe temporary directory and place the temporary file there.
---
 hack/build-ui.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hack/build-ui.sh b/hack/build-ui.sh
index 6e2e0e5d539..28d1738f2c9 100755
--- a/hack/build-ui.sh
+++ b/hack/build-ui.sh
@@ -30,7 +30,8 @@ if ! which go-bindata > /dev/null 2>&1 ; then
 exit 1
 fi
-readonly TMP_DATAFILE="/tmp/datafile.go"
+kube::util::ensure-temp-dir
+readonly TMP_DATAFILE="${KUBE_TEMP}/datafile.go"
 readonly SWAGGER_SRC="third_party/swagger-ui/..."
 readonly SWAGGER_PKG="swagger"
From 14ccb8cf5203ddaba30f3929dd56c4be204fc7b9 Mon Sep 17 00:00:00 2001
From: Ismo Puustinen
Date: Mon, 12 Mar 2018 14:41:06 +0200
Subject: [PATCH 2/2] update-translations.sh: use kube::util::ensure-temp-dir instead of static path.
Use a temporary directory to hold the generated temporary file. This helps prevent a class of potential security issues on various platforms.
---
 hack/update-translations.sh | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/hack/update-translations.sh b/hack/update-translations.sh
index 46c7cfd7397..65d9c728535 100755
--- a/hack/update-translations.sh
+++ b/hack/update-translations.sh
@@ -14,6 +14,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+KUBE_ROOT=$(dirname "${BASH_SOURCE}")/..
+source "${KUBE_ROOT}/hack/lib/util.sh"
+
 KUBECTL_FILES="pkg/kubectl/cmd/*.go pkg/kubectl/cmd/*/*.go"
 generate_pot="false"
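Review bot: In hack/build-ui.sh the result of `kube::util::ensure-temp-dir` is not checked before `${KUBE_TEMP}` is expanded into `TMP_DATAFILE`, so if the helper fails or leaves the variable empty the path collapses to `/datafile.go`. Whether the script runs under `set -o errexit` or `nounset` is not visible in this hunk, so I would make the assignment self-guarding: `readonly TMP_DATAFILE="${KUBE_TEMP:?}/datafile.go"`. The same applies to the two `"${KUBE_TEMP}/template.pot"` uses in the second hunk of hack/update-translations.sh, where the lines after the license header show no strict-mode settings; `"${KUBE_TEMP:?}/template.pot"` would cover it there. The helper's body is not part of this patch; if it reuses a `KUBE_TEMP` already present in the environment, the directory is only as safe as whatever the caller exported, which deserves a one-line comment next to the call.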
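Review bot: The `source` of hack/lib/util.sh added at the top of hack/update-translations.sh is unchecked, and no `set -o errexit` appears between the license header and `KUBECTL_FILES` in this hunk, so a failed load would let the script run on until the later `kube::util::ensure-temp-dir` call fails as an unknown command and `${KUBE_TEMP}` expands empty. I would fail fast with `source "${KUBE_ROOT}/hack/lib/util.sh" || exit 1`. As a style point, `BASH_SOURCE` is an array and reads more clearly when indexed explicitly: `KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/..`. Only util.sh is sourced here; whether it depends on other files under hack/lib is not visible in the patch and is worth confirming.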
@@ -62,8 +65,9 @@ if [[ "${generate_pot}" == "true" ]]; then
 perl -pi -e 's/CHARSET/UTF-8/' tmp.pot
 perl -pi -e 's/\\\(/\\\\\(/g' tmp.pot
 perl -pi -e 's/\\\)/\\\\\)/g' tmp.pot
- if msgcat -s tmp.pot > /tmp/template.pot; then
- mv /tmp/template.pot translations/kubectl/template.pot
+ kube::util::ensure-temp-dir
+ if msgcat -s tmp.pot > "${KUBE_TEMP}/template.pot"; then
+ mv "${KUBE_TEMP}/template.pot" translations/kubectl/template.pot
 rm tmp.pot
 else
 echo "Failed to update template.pot"