
Commit 70ca035

Merge pull request #1883 from lifubang/containeridinpath
fix delete other file bug when container id is ..
2 parents 9cda583 + 4eb30fc commit 70ca035


1 file changed

+19
-4
lines changed

1 file changed

+19
-4
lines changed

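--- a/libcontainer/factory_linux.go
+++ b/libcontainer/factory_linux.go
@@ -11,6 +11,7 @@ import (
 "runtime/debug"
 "strconv"
 
+"github.com/cyphar/filepath-securejoin"
 "github.com/opencontainers/runc/libcontainer/cgroups"
 "github.com/opencontainers/runc/libcontainer/cgroups/fs"
 "github.com/opencontainers/runc/libcontainer/cgroups/systemd"
@@ -195,7 +196,10 @@ func (l *LinuxFactory) Create(id string, config *configs.Config) (Container, err
 if err := l.Validator.Validate(config); err != nil {
 return nil, newGenericError(err, ConfigInvalid)
 }
-containerRoot := filepath.Join(l.Root, id)
+containerRoot, err := securejoin.SecureJoin(l.Root, id)
+if err != nil {
+return nil, err
+}
 if _, err := os.Stat(containerRoot); err == nil {
 return nil, newGenericError(fmt.Errorf("container with id exists: %v", id), IdInUse)
 } else if !os.IsNotExist(err) {
@@ -229,7 +233,14 @@ func (l *LinuxFactory) Load(id string) (Container, error) {
 if l.Root == "" {
 return nil, newGenericError(fmt.Errorf("invalid root"), ConfigInvalid)
 }
-containerRoot := filepath.Join(l.Root, id)
+//when load, we need to check id is valid or not.
+if err := l.validateID(id); err != nil {
+return nil, err
+}
+containerRoot, err := securejoin.SecureJoin(l.Root, id)
+if err != nil {
+return nil, err
+}
 state, err := l.loadState(containerRoot, id)
 if err != nil {
 return nil, err
@@ -339,7 +350,11 @@ func (l *LinuxFactory) StartInitialization() (err error) {
 }
 
 func (l *LinuxFactory) loadState(root, id string) (*State, error) {
-f, err := os.Open(filepath.Join(root, stateFilename))
+stateFilePath, err := securejoin.SecureJoin(root, stateFilename)
+if err != nil {
+return nil, err
+}
+f, err := os.Open(stateFilePath)
 if err != nil {
 if os.IsNotExist(err) {
 return nil, newGenericError(fmt.Errorf("container %q does not exist", id), ContainerNotExists)
@@ -355,7 +370,7 @@ func (l *LinuxFactory) loadState(root, id string) (*State, error) {
 }
 
 func (l *LinuxFactory) validateID(id string) error {
-if !idRegex.MatchString(id) {
+if !idRegex.MatchString(id) || string(os.PathSeparator)+id != utils.CleanPath(string(os.PathSeparator)+id) {
 return newGenericError(fmt.Errorf("invalid id format: %v", id), InvalidIdFormat)
 }
 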
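Review bot: The `securejoin.SecureJoin(l.Root, id)` calls added in Create and Load confine the result to `l.Root` but do not reject a traversing id: per the library's documented behaviour an id of `..` is clamped to `l.Root` itself rather than returning an error, so the new `err != nil` branches will not fire for it. The check that actually refuses such ids is the `utils.CleanPath` comparison added to `validateID`, and nothing in the new code states that dependency. I would replace the Load comment with `// validateID must run first: SecureJoin only scopes the path to l.Root, it does not reject ids such as "." or "..".` and put a matching line above the call in Create, whose earlier lines (and any validateID call in them) are outside the hunk. The commit touches only this file, so a regression test that passes `.` and `..` to Create and Load and expects `InvalidIdFormat` would be worth adding alongside it.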
