Merge remote-tracking branch 'origin/slurm-update-and-fixes' into slurm-update-and-fixes

Author: XaverStiensmeier

bibigrid/core/actions/create.py

@@ -80,8 +80,10 @@ def write_cluster_state(self, state):
         with open(CLUSTER_MEMORY_PATH, mode="w+", encoding="UTF-8") as cluster_memory_file:
             yaml.safe_dump(data=state, stream=cluster_memory_file)
         # all clusters
-        with open(os.path.join(CLUSTER_INFO_FOLDER, f"{self.cluster_id}.yaml"), mode="w+",
-                  encoding="UTF-8") as cluster_info_file:
+        cluster_info_path = os.path.normpath(os.path.join(CLUSTER_INFO_FOLDER, f"{self.cluster_id}.yaml"))
+        if not cluster_info_path.startswith(os.path.normpath(CLUSTER_INFO_FOLDER)):
+            raise Exception("Invalid cluster_id resulting in path traversal")
+        with open(cluster_info_path, mode="w+", encoding="UTF-8") as cluster_info_file:
             yaml.safe_dump(data=state, stream=cluster_info_file)
 
     def create_defaults(self):

bibigrid/core/actions/terminate.py

@@ -20,11 +20,12 @@ def write_cluster_state(cluster_id, state):
     with open(CLUSTER_MEMORY_PATH, mode="w+", encoding="UTF-8") as cluster_memory_file:
         yaml.safe_dump(data=state, stream=cluster_memory_file)
     # all clusters
-    with open(os.path.join(CLUSTER_INFO_FOLDER, f"{cluster_id}.yaml"), mode="w+",
-              encoding="UTF-8") as cluster_info_file:
+    cluster_info_path = os.path.normpath(os.path.join(CLUSTER_INFO_FOLDER, f"{cluster_id}.yaml"))
+    if not cluster_info_path.startswith(CLUSTER_INFO_FOLDER):
+        raise Exception("Invalid cluster_id")
+    with open(cluster_info_path, mode="w+", encoding="UTF-8") as cluster_info_file:
         yaml.safe_dump(data=state, stream=cluster_info_file)
 
-
 def terminate(cluster_id, providers, log, debug=False, assume_yes=False):
     """
     Goes through all providers and gets info of all servers which name contains cluster ID.