split tests so some can run on Plan 9

Move common variables and functions into common.go

Check for root containing .. on Plan 9

Signed-off-by: Ronald G Minnich <[email protected]>

Author: g.lenda

common.go

@@ -0,0 +1,48 @@
+// Copyright (C) 2014-2015 Docker Inc & Go Authors. All rights reserved.
+// Copyright (C) 2017-2025 SUSE LLC. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package securejoin
+
+import (
+	"errors"
+	"os"
+	"path/filepath"
+	"strings"
+	"syscall"
+)
+
+// IsNotExist tells you if err is an error that implies that either the path
+// accessed does not exist (or path components don't exist). This is
+// effectively a more broad version of [os.IsNotExist].
+func IsNotExist(err error) bool {
+	// Check that it's not actually an ENOTDIR, which in some cases is a more
+	// convoluted case of ENOENT (usually involving weird paths).
+	return errors.Is(err, os.ErrNotExist) || errors.Is(err, syscall.ENOTDIR) || errors.Is(err, syscall.ENOENT)
+}
+
+// errUnsafeRoot is returned if the user provides SecureJoinVFS with a path
+// that contains ".." components.
+var errUnsafeRoot = errors.New("root path provided to SecureJoin contains '..' components")
+
+// hasDotDot checks if the path contains ".." components in a platform-agnostic
+// way.
+func hasDotDot(path string) bool {
+	// If we are on Windows, strip any volume letters. It turns out that
+	// C:..\foo may (or may not) be a valid pathname and we need to handle that
+	// leading "..".
+	path = stripVolume(path)
+	// Look for "/../" in the path, but we need to handle leading and trailing
+	// ".."s by adding separators. Doing this with filepath.Separator is ugly
+	// so just convert to Unix-style "/" first.
+	path = filepath.ToSlash(path)
+	return strings.Contains("/"+path+"/", "/../")
+}
+
+// stripVolume just gets rid of the Windows volume included in a path. Based on
+// some godbolt tests, the Go compiler is smart enough to make this a no-op on
+// Linux.
+func stripVolume(path string) string {
+	return path[len(filepath.VolumeName(path)):]
+}

join.go

@@ -8,7 +8,6 @@
 package securejoin
 
 import (
-	"errors"
 	"os"
 	"path/filepath"
 	"strings"
@@ -17,40 +16,6 @@ import (
 
 const maxSymlinkLimit = 255
 
-// IsNotExist tells you if err is an error that implies that either the path
-// accessed does not exist (or path components don't exist). This is
-// effectively a more broad version of [os.IsNotExist].
-func IsNotExist(err error) bool {
-	// Check that it's not actually an ENOTDIR, which in some cases is a more
-	// convoluted case of ENOENT (usually involving weird paths).
-	return errors.Is(err, os.ErrNotExist) || errors.Is(err, syscall.ENOTDIR) || errors.Is(err, syscall.ENOENT)
-}
-
-// errUnsafeRoot is returned if the user provides SecureJoinVFS with a path
-// that contains ".." components.
-var errUnsafeRoot = errors.New("root path provided to SecureJoin contains '..' components")
-
-// stripVolume just gets rid of the Windows volume included in a path. Based on
-// some godbolt tests, the Go compiler is smart enough to make this a no-op on
-// Linux.
-func stripVolume(path string) string {
-	return path[len(filepath.VolumeName(path)):]
-}
-
-// hasDotDot checks if the path contains ".." components in a platform-agnostic
-// way.
-func hasDotDot(path string) bool {
-	// If we are on Windows, strip any volume letters. It turns out that
-	// C:..\foo may (or may not) be a valid pathname and we need to handle that
-	// leading "..".
-	path = stripVolume(path)
-	// Look for "/../" in the path, but we need to handle leading and trailing
-	// ".."s by adding separators. Doing this with filepath.Separator is ugly
-	// so just convert to Unix-style "/" first.
-	path = filepath.ToSlash(path)
-	return strings.Contains("/"+path+"/", "/../")
-}
-
 // SecureJoinVFS joins the two given path components (similar to [filepath.Join]) except
 // that the returned path is guaranteed to be scoped inside the provided root
 // path (when evaluated). Any symbolic links in the path are evaluated with the

join_plan9.go

@@ -9,6 +9,14 @@ import "path/filepath"
 
 // SecureJoin is equivalent to filepath.Join, as plan9 doesn't have symlinks.
 func SecureJoin(root, unsafePath string) (string, error) {
+	// The root path must not contain ".." components, otherwise when we join
+	// the subpath we will end up with a weird path. We could work around this
+	// in other ways but users shouldn't be giving us non-lexical root paths in
+	// the first place.
+	if hasDotDot(root) {
+		return "", errUnsafeRoot
+	}
+
 	unsafePath = filepath.Join(string(filepath.Separator), unsafePath)
 	return filepath.Join(root, unsafePath), nil
 }