Check if the system-target path supplied is absolute

docker.Untar (https://github.com/mudler/luet/blob/master/vendor/github.com/docker/docker/pkg/archive/archive.go#L942) requires absolute paths. We didn't do any input validation before, assuming the path passed by were absolute since they were coming from YAML configuration files, now that this is not the truth anymore we need to sanitize the input. With this change we check if the given path is absolute or relative, if it's relative we calculate the absolute path and use it in place.
2025-09-07 18:20:19 +00:00 · 2021-08-03 16:17:55 +02:00
parent 75906c4198
commit 9d1594c036
13 changed files with 27 additions and 11 deletions
--- a/cmd/cleanup.go
+++ b/cmd/cleanup.go
@@ -45,7 +45,7 @@ var cleanupCmd = &cobra.Command{

 		LuetCfg.System.DatabaseEngine = engine
 		LuetCfg.System.DatabasePath = dbpath
-		LuetCfg.System.Rootfs = rootfs
+		LuetCfg.System.SetRootFS(rootfs)
 		// Check if cache dir exists
 		if fileHelper.Exists(LuetCfg.GetSystem().GetSystemPkgsCacheDirPath()) {

--- a/cmd/database/create.go
+++ b/cmd/database/create.go
@@ -58,7 +58,7 @@ For reference, inspect a "metadata.yaml" file generated while running "luet buil

 			LuetCfg.System.DatabaseEngine = engine
 			LuetCfg.System.DatabasePath = dbpath
-			LuetCfg.System.Rootfs = rootfs
+			LuetCfg.System.SetRootFS(rootfs)

 			systemDB := LuetCfg.GetSystemDB()

--- a/cmd/database/get.go
+++ b/cmd/database/get.go
@@ -51,7 +51,7 @@ To return also files:

 			LuetCfg.System.DatabaseEngine = engine
 			LuetCfg.System.DatabasePath = dbpath
-			LuetCfg.System.Rootfs = rootfs
+			LuetCfg.System.SetRootFS(rootfs)

 			systemDB := LuetCfg.GetSystemDB()

--- a/cmd/database/remove.go
+++ b/cmd/database/remove.go
@@ -48,7 +48,7 @@ This commands takes multiple packages as arguments and prunes their entries from

 			LuetCfg.System.DatabaseEngine = engine
 			LuetCfg.System.DatabasePath = dbpath
-			LuetCfg.System.Rootfs = rootfs
+			LuetCfg.System.SetRootFS(rootfs)

 			systemDB := LuetCfg.GetSystemDB()

--- a/cmd/install.go
+++ b/cmd/install.go
@@ -87,7 +87,7 @@ To force install a package:

 		LuetCfg.System.DatabaseEngine = engine
 		LuetCfg.System.DatabasePath = dbpath
-		LuetCfg.System.Rootfs = rootfs
+		LuetCfg.System.SetRootFS(rootfs)

 		LuetCfg.GetSolverOptions().Type = stype
 		LuetCfg.GetSolverOptions().LearnRate = float32(rate)
--- a/cmd/reclaim.go
+++ b/cmd/reclaim.go
@@ -45,7 +45,7 @@ It scans the target file system, and if finds a match with a package available i

 		LuetCfg.System.DatabaseEngine = engine
 		LuetCfg.System.DatabasePath = dbpath
-		LuetCfg.System.Rootfs = rootfs
+		LuetCfg.System.SetRootFS(rootfs)

 		// This shouldn't be necessary, but we need to unmarshal the repositories to a concrete struct, thus we need to port them back to the Repositories type
 		repos := installer.Repositories{}
--- a/cmd/reinstall.go
+++ b/cmd/reinstall.go
@@ -66,7 +66,7 @@ var reinstallCmd = &cobra.Command{

 		LuetCfg.System.DatabaseEngine = engine
 		LuetCfg.System.DatabasePath = dbpath
-		LuetCfg.System.Rootfs = rootfs
+		LuetCfg.System.SetRootFS(rootfs)

 		for _, a := range args {
 			pack, err := helpers.ParsePackageStr(a)
--- a/cmd/replace.go
+++ b/cmd/replace.go
@@ -70,7 +70,7 @@ var replaceCmd = &cobra.Command{

 		LuetCfg.System.DatabaseEngine = engine
 		LuetCfg.System.DatabasePath = dbpath
-		LuetCfg.System.Rootfs = rootfs
+		LuetCfg.System.SetRootFS(rootfs)

 		for _, a := range args {
 			pack, err := helpers.ParsePackageStr(a)
--- a/cmd/search.go
+++ b/cmd/search.go
@@ -340,7 +340,7 @@ Search can also return results in the terminal in different ways: as terminal ou

 		LuetCfg.System.DatabaseEngine = engine
 		LuetCfg.System.DatabasePath = dbpath
-		LuetCfg.System.Rootfs = rootfs
+		LuetCfg.System.SetRootFS(rootfs)
 		out, _ := cmd.Flags().GetString("output")
 		if out != "terminal" {
 			LuetCfg.GetLogging().SetLogLevel("error")
--- a/cmd/uninstall.go
+++ b/cmd/uninstall.go
@@ -71,7 +71,7 @@ var uninstallCmd = &cobra.Command{

 		LuetCfg.System.DatabaseEngine = engine
 		LuetCfg.System.DatabasePath = dbpath
-		LuetCfg.System.Rootfs = rootfs
+		LuetCfg.System.SetRootFS(rootfs)
 		LuetCfg.ConfigProtectSkip = !keepProtected

 		LuetCfg.GetSolverOptions().Type = stype
--- a/cmd/upgrade.go
+++ b/cmd/upgrade.go
@@ -70,7 +70,7 @@ var upgradeCmd = &cobra.Command{

 		LuetCfg.System.DatabaseEngine = engine
 		LuetCfg.System.DatabasePath = dbpath
-		LuetCfg.System.Rootfs = rootfs
+		LuetCfg.System.SetRootFS(rootfs)
 		LuetCfg.GetSolverOptions().Type = stype
 		LuetCfg.GetSolverOptions().LearnRate = float32(rate)
 		LuetCfg.GetSolverOptions().Discount = float32(discount)
--- a/pkg/compiler/types/artifact/artifact.go
+++ b/pkg/compiler/types/artifact/artifact.go
@@ -453,6 +453,9 @@ func (a *PackageArtifact) GetProtectFiles() []string {

 // Unpack Untar and decompress (TODO) to the given path
 func (a *PackageArtifact) Unpack(dst string, keepPerms bool) error {
+	if !strings.HasPrefix(dst, "/") {
+		return errors.New("destination must be an absolute path")
+	}

 	// Create
 	protectedFiles := a.GetProtectFiles()
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -107,6 +107,19 @@ type LuetSystemConfig struct {
 	TmpDirBase     string `yaml:"tmpdir_base" mapstructure:"tmpdir_base"`
 }

+func (s *LuetSystemConfig) SetRootFS(path string) error {
+	pathToSet := path
+	if !filepath.IsAbs(path) {
+		abs, err := filepath.Abs(path)
+		if err != nil {
+			return err
+		}
+		pathToSet = abs
+	}
+	s.Rootfs = pathToSet
+	return nil
+}
+
 func (sc *LuetSystemConfig) GetRepoDatabaseDirPath(name string) string {
 	dbpath := filepath.Join(sc.Rootfs, sc.DatabasePath)
 	dbpath = filepath.Join(dbpath, "repos/"+name)