From 9d1594c0365142400d6057ffc43cb71eefd321ad Mon Sep 17 00:00:00 2001
From: Ettore Di Giacinto
Date: Tue, 3 Aug 2021 16:17:55 +0200
Subject: [PATCH] Check if the system-target path supplied is absolute

docker.Untar (https://github.com/mudler/luet/blob/master/vendor/github.com/docker/docker/pkg/archive/archive.go#L942) requires absolute paths. We didn't do any input validation before, assuming the path passed by were absolute since they were coming from YAML configuration files, now that this is not the truth anymore we need to sanitize the input. With this change we check if the given path is absolute or relative, if it's relative we calculate the absolute path and use it in place.
---
 cmd/cleanup.go | 2 +-
 cmd/database/create.go | 2 +-
 cmd/database/get.go | 2 +-
 cmd/database/remove.go | 2 +-
 cmd/install.go | 2 +-
 cmd/reclaim.go | 2 +-
 cmd/reinstall.go | 2 +-
 cmd/replace.go | 2 +-
 cmd/search.go | 2 +-
 cmd/uninstall.go | 2 +-
 cmd/upgrade.go | 2 +-
 pkg/compiler/types/artifact/artifact.go | 3 +++
 pkg/config/config.go | 13 +++++++++++++
 13 files changed, 27 insertions(+), 11 deletions(-)
diff --git a/cmd/cleanup.go b/cmd/cleanup.go
index f9ea1fbe..e927c5f8 100644
--- a/cmd/cleanup.go
+++ b/cmd/cleanup.go
@@ -45,7 +45,7 @@ var cleanupCmd = &cobra.Command{
 LuetCfg.System.DatabaseEngine = engine
 LuetCfg.System.DatabasePath = dbpath
- LuetCfg.System.Rootfs = rootfs
+ LuetCfg.System.SetRootFS(rootfs)
 // Check if cache dir exists
 if fileHelper.Exists(LuetCfg.GetSystem().GetSystemPkgsCacheDirPath()) {
diff --git a/cmd/database/create.go b/cmd/database/create.go
index 92c0d33e..ed6ffe5e 100644
--- a/cmd/database/create.go
+++ b/cmd/database/create.go
@@ -58,7 +58,7 @@ For reference, inspect a "metadata.yaml" file generated while running "luet buil
 LuetCfg.System.DatabaseEngine = engine
 LuetCfg.System.DatabasePath = dbpath
- LuetCfg.System.Rootfs = rootfs
+ LuetCfg.System.SetRootFS(rootfs)
 systemDB := LuetCfg.GetSystemDB()
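Review bot: The error returned by `SetRootFS` is discarded at this call in cmd/cleanup.go, and the same bare call appears in the hunks for cmd/database/create.go, get.go and remove.go and for cmd/install.go, reclaim.go, reinstall.go, replace.go, search.go, uninstall.go and upgrade.go. When `filepath.Abs` fails inside the setter, `Rootfs` keeps whatever value it had before, so the command would go on to operate on a root other than the one requested through `rootfs`; for install, uninstall and upgrade that means writing or deleting files in the wrong tree. Check the result at each site, e.g. `if err := LuetCfg.System.SetRootFS(rootfs); err != nil {` followed by the command's existing fatal-error path, so a target that cannot be resolved stops the run. The enclosing Run functions start and end outside these hunks.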
diff --git a/cmd/database/get.go b/cmd/database/get.go
index cef7511b..65a61fe0 100644
--- a/cmd/database/get.go
+++ b/cmd/database/get.go
@@ -51,7 +51,7 @@ To return also files:
 LuetCfg.System.DatabaseEngine = engine
 LuetCfg.System.DatabasePath = dbpath
- LuetCfg.System.Rootfs = rootfs
+ LuetCfg.System.SetRootFS(rootfs)
 systemDB := LuetCfg.GetSystemDB()
diff --git a/cmd/database/remove.go b/cmd/database/remove.go
index ea27ef06..ad54f5b3 100644
--- a/cmd/database/remove.go
+++ b/cmd/database/remove.go
@@ -48,7 +48,7 @@ This commands takes multiple packages as arguments and prunes their entries from
 LuetCfg.System.DatabaseEngine = engine
 LuetCfg.System.DatabasePath = dbpath
- LuetCfg.System.Rootfs = rootfs
+ LuetCfg.System.SetRootFS(rootfs)
 systemDB := LuetCfg.GetSystemDB()
diff --git a/cmd/install.go b/cmd/install.go
index 6aad2be7..1db765d3 100644
--- a/cmd/install.go
+++ b/cmd/install.go
@@ -87,7 +87,7 @@ To force install a package:
 LuetCfg.System.DatabaseEngine = engine
 LuetCfg.System.DatabasePath = dbpath
- LuetCfg.System.Rootfs = rootfs
+ LuetCfg.System.SetRootFS(rootfs)
 LuetCfg.GetSolverOptions().Type = stype
 LuetCfg.GetSolverOptions().LearnRate = float32(rate)
diff --git a/cmd/reclaim.go b/cmd/reclaim.go
index 6b2910ea..009f868f 100644
--- a/cmd/reclaim.go
+++ b/cmd/reclaim.go
@@ -45,7 +45,7 @@ It scans the target file system, and if finds a match with a package available i
 LuetCfg.System.DatabaseEngine = engine
 LuetCfg.System.DatabasePath = dbpath
- LuetCfg.System.Rootfs = rootfs
+ LuetCfg.System.SetRootFS(rootfs)
 // This shouldn't be necessary, but we need to unmarshal the repositories to a concrete struct, thus we need to port them back to the Repositories type
 repos := installer.Repositories{}
diff --git a/cmd/reinstall.go b/cmd/reinstall.go
index 0a66ea58..72f68aa5 100644
--- a/cmd/reinstall.go
+++ b/cmd/reinstall.go
@@ -66,7 +66,7 @@ var reinstallCmd = &cobra.Command{
 LuetCfg.System.DatabaseEngine = engine
 LuetCfg.System.DatabasePath = dbpath
- LuetCfg.System.Rootfs = rootfs
+ LuetCfg.System.SetRootFS(rootfs)
 for _, a := range args {
 pack, err := helpers.ParsePackageStr(a)
diff --git a/cmd/replace.go b/cmd/replace.go
index ffaa44f4..67da23c2 100644
--- a/cmd/replace.go
+++ b/cmd/replace.go
@@ -70,7 +70,7 @@ var replaceCmd = &cobra.Command{
 LuetCfg.System.DatabaseEngine = engine
 LuetCfg.System.DatabasePath = dbpath
- LuetCfg.System.Rootfs = rootfs
+ LuetCfg.System.SetRootFS(rootfs)
 for _, a := range args {
 pack, err := helpers.ParsePackageStr(a)
diff --git a/cmd/search.go b/cmd/search.go
index b2704196..e1a66a95 100644
--- a/cmd/search.go
+++ b/cmd/search.go
@@ -340,7 +340,7 @@ Search can also return results in the terminal in different ways: as terminal ou
 LuetCfg.System.DatabaseEngine = engine
 LuetCfg.System.DatabasePath = dbpath
- LuetCfg.System.Rootfs = rootfs
+ LuetCfg.System.SetRootFS(rootfs)
 out, _ := cmd.Flags().GetString("output")
 if out != "terminal" {
 LuetCfg.GetLogging().SetLogLevel("error")
diff --git a/cmd/uninstall.go b/cmd/uninstall.go
index 8a8fe67b..f3f6df3e 100644
--- a/cmd/uninstall.go
+++ b/cmd/uninstall.go
@@ -71,7 +71,7 @@ var uninstallCmd = &cobra.Command{
 LuetCfg.System.DatabaseEngine = engine
 LuetCfg.System.DatabasePath = dbpath
- LuetCfg.System.Rootfs = rootfs
+ LuetCfg.System.SetRootFS(rootfs)
 LuetCfg.ConfigProtectSkip = !keepProtected
 LuetCfg.GetSolverOptions().Type = stype
diff --git a/cmd/upgrade.go b/cmd/upgrade.go
index e8540fe4..803fe985 100644
--- a/cmd/upgrade.go
+++ b/cmd/upgrade.go
@@ -70,7 +70,7 @@ var upgradeCmd = &cobra.Command{
 LuetCfg.System.DatabaseEngine = engine
 LuetCfg.System.DatabasePath = dbpath
- LuetCfg.System.Rootfs = rootfs
+ LuetCfg.System.SetRootFS(rootfs)
 LuetCfg.GetSolverOptions().Type = stype
 LuetCfg.GetSolverOptions().LearnRate = float32(rate)
 LuetCfg.GetSolverOptions().Discount = float32(discount)
diff --git a/pkg/compiler/types/artifact/artifact.go b/pkg/compiler/types/artifact/artifact.go
index b6534f78..8aa2f033 100644
--- a/pkg/compiler/types/artifact/artifact.go
+++ b/pkg/compiler/types/artifact/artifact.go
@@ -453,6 +453,9 @@ func (a *PackageArtifact) GetProtectFiles() []string {
 // Unpack Untar and decompress (TODO) to the given path
 func (a *PackageArtifact) Unpack(dst string, keepPerms bool) error {
+ if !strings.HasPrefix(dst, "/") {
+ return errors.New("destination must be an absolute path")
+ }
 // Create
 protectedFiles := a.GetProtectFiles()
diff --git a/pkg/config/config.go b/pkg/config/config.go
index d47d6fac..58a2d47e 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -107,6 +107,19 @@ type LuetSystemConfig struct {
 TmpDirBase string `yaml:"tmpdir_base" mapstructure:"tmpdir_base"`
 }
+func (s *LuetSystemConfig) SetRootFS(path string) error {
+ pathToSet := path
+ if !filepath.IsAbs(path) {
+ abs, err := filepath.Abs(path)
+ if err != nil {
+ return err
+ }
+ pathToSet = abs
+ }
+ s.Rootfs = pathToSet
+ return nil
+}
+
 func (sc *LuetSystemConfig) GetRepoDatabaseDirPath(name string) string {
 dbpath := filepath.Join(sc.Rootfs, sc.DatabasePath)
 dbpath = filepath.Join(dbpath, "repos/"+name)
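Review bot: The new guard in `Unpack` tests `strings.HasPrefix(dst, "/")`, while `SetRootFS` in pkg/config/config.go from this same commit uses `filepath.IsAbs`; the two disagree on platforms where an absolute path does not start with a slash, and the prefix test says nothing about the path being clean. Writing it as `if !filepath.IsAbs(dst) {` keeps one definition of "absolute" across the change. The error could also name the rejected value, e.g. `return fmt.Errorf("destination %q must be an absolute path", dst)`, which makes a misconfigured target easier to spot in logs. The import block is outside the hunk, so whether `strings`, `errors`, `filepath` or `fmt` are already imported there cannot be confirmed from here, and the body of Unpack continues past the hunk.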
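Review bot: `SetRootFS` has no doc comment and resolves a relative path against the process working directory at call time, which also covers the empty string: `filepath.Abs("")` returns the working directory, so an unset target would silently become wherever the tool was started. For a tool that unpacks and removes files under `Rootfs`, I would reject `path == ""` explicitly and document the resolution rule, e.g. `// SetRootFS sets the system root; a relative path is resolved against the current working directory.` The receiver is named `s` here while the neighbouring `GetRepoDatabaseDirPath` uses `sc`; using `sc` keeps the type's methods consistent. `Rootfs` is presumably still assignable directly and by the YAML/mapstructure loader, so values that do not pass through this setter would not be normalised; that is worth confirming against the config loading code, which is outside this hunk.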