8000 [Builder] Add tempDir validations (#3552) by TomerShor · Pull Request #3556 · nuclio/nuclio · GitHub

[Builder] Add tempDir validations (#3552) #3556


Merged
merged 1 commit into from
Mar 23, 2025
14 changes: 12 additions & 2 deletions pkg/processor/build/builder.go
Expand Up @@ -926,10 +926,20 @@ func (b *Builder) createTempDir() error {

// either use injected temporary dir or generate a new one
if b.options.FunctionConfig.Spec.Build.TempDir != "" {
b.tempDir = b.options.FunctionConfig.Spec.Build.TempDir

err = os.MkdirAll(b.tempDir, 0744)
// Validate the user-provided temporary directory to ensure it does not contain directory traversal sequences
if strings.Contains(b.options.FunctionConfig.Spec.Build.TempDir, "..") {
return errors.New("Invalid temporary directory path: contains '..'")
}

// if the user-provided temp directory is not under /tmp, create it under /tmp
if !strings.HasPrefix(b.options.FunctionConfig.Spec.Build.TempDir, "/tmp") {
b.tempDir = filepath.Join("/tmp", b.options.FunctionConfig.Spec.Build.TempDir)
} else {
b.tempDir = b.options.FunctionConfig.Spec.Build.TempDir
}

err = os.MkdirAll(b.tempDir, 0744)
} else {
b.tempDir, err = os.MkdirTemp("", "nuclio-build-")
}
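Review bot: The `strings.HasPrefix(..., "/tmp")` test in the second validation has no path-separator boundary, so a value such as `/tmpfoo/build` (constructed example) counts as already under /tmp and is used verbatim, outside the directory this change is meant to confine it to. Cleaning the value and comparing on a boundary closes that gap: `dir := filepath.Clean(b.options.FunctionConfig.Spec.Build.TempDir)` followed by `if dir != "/tmp" && !strings.HasPrefix(dir, "/tmp/") {`. The string checks also cannot see symlinks that already exist below /tmp, which `os.MkdirAll` will follow, and the directory is still created with mode 0744, readable by other local users; how much either matters depends on how shared the build host is. The body of createTempDir continues outside the hunk.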
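--- a/pkg/processor/build/builder_test.go
+++ b/pkg/processor/build/builder_test.go
@@ -1012,6 +1012,72 @@ func (suite *testSuite) TestResolveResources() {
 }
 }
 
+func (suite *testSuite) TestCreateTempDir() {
+tests := []struct {
+name string
+tempDir string
+expectError bool
+expectedDir string
+}{
+{
+name: "Valid temp dir under /tmp",
+tempDir: "/tmp/test-dir",
+expectError: false,
+expectedDir: "/tmp/test-dir",
+},
+{
+name: "Invalid traversal path",
+tempDir: "/tmp/../etc/passwd",
+expectError: true,
+},
+{
+name: "Injection attempt with multiple traversal sequences",
+tempDir: "../..//..//etc",
+expectError: true,
+},
+{
+name: "Temp dir outside /tmp",
+tempDir: "custom-dir",
+expectError: false,
+expectedDir: "/tmp/custom-dir",
+},
+{
+name: "No temp dir provided",
+tempDir: "",
+expectError: false,
+},
+}
+
+for _, testCase := range tests {
+suite.Run(testCase.name, func() {
+tempDir := suite.builder.options.FunctionConfig.Spec.Build.TempDir
+suite.builder.options.FunctionConfig.Spec.Build.TempDir = testCase.tempDir
+
+// revert changes
+defer func() {
+suite.builder.options.FunctionConfig.Spec.Build.TempDir = tempDir
+}()
+
+err := suite.builder.createTempDir()
+defer os.RemoveAll(suite.builder.tempDir) // nolint: errcheck
+
+if testCase.expectError {
+suite.Require().Error(err, "Expected an error for tempDir: %s", testCase.tempDir)
+} else {
+suite.Require().NoError(err, "Did not expect an error for tempDir: %s", testCase.tempDir)
+
+if testCase.tempDir != "" {
+suite.Require().Equal(testCase.expectedDir, suite.builder.tempDir)
+} else {
+// Verify temp dir is created in the system's temporary directory
+suite.Require().Contains(suite.builder.tempDir, os.TempDir())
+}
+
+}
+})
+}
+}
+
 func (suite *testSuite) testResolveFunctionPathRemoteCodeFile(fileExtension string) {
 
 // mock http response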
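Review bot: The deferred `os.RemoveAll(suite.builder.tempDir)` in the subtest also runs for the error cases, where createTempDir returns before assigning b.tempDir (as the builder.go change on this page shows), so it removes whatever path an earlier subtest or the suite setup left in that field. Resetting the field before the call with `suite.builder.tempDir = ""`, or deferring the cleanup only when `err == nil`, keeps each case self-contained. The table also has no case for a value that merely starts with the string `/tmp` without being under it (for example `/tmp-other`, a constructed value), nor for an absolute path outside /tmp, so the boundary behaviour of the HasPrefix branch is untested.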