Skip to content

feat: Add format-specific annotations to override secret file names #572

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Techassi merged 13 commits into from
Mar 31, 2025
Merged

feat: Add format-specific annotations to override secret file names #572

Changes from 1 commit
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
980acfe
feat: Add format-specific annotations to override secret file names
Techassi Mar 18, 2025
6514f14
docs: Add annotations to volume page
Techassi Mar 18, 2025
f829379
test: Add custom secret name tests
Techassi Mar 18, 2025
a7718e0
feat: Add check against path traversal
Techassi Mar 18, 2025
83fea67
refactor: Flatten struct, use moved value
Techassi Mar 19, 2025
94e78c5
refactor: Flatten compat struct, use moved value
Techassi Mar 19, 2025
2d0a593
test: Add unit test for selector deserialization
Techassi Mar 19, 2025
932e993
chore: Merge branch 'main' into feat/filename-annotations
Techassi Mar 31, 2025
ad76a26
refactor: Adjust path traversal checks
Techassi Mar 31, 2025
1c2d64c
test: Add custom CA name
Techassi Mar 31, 2025
a9be60f
chore: Use quoted paths in error messages
Techassi Mar 31, 2025
22864d2
refactor: Ensure all components of a path a normal
Techassi Mar 31, 2025
dfd732b
chore: Add changelog entry
Techassi Mar 31, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 33 additions & 25 deletions rust/operator-binary/src/csi_server/node.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
use std::{
fs::Permissions,
os::unix::prelude::PermissionsExt,
path::{Path, PathBuf},
path::{Component, Path, PathBuf},
};

use openssl::sha::Sha256;
Expand Down Expand Up @@ -98,17 +98,11 @@ enum PublishError {
path: PathBuf,
},

#[snafu(display("failed to canonicalize path {}", path.display()))]
CanonicalizePath {
source: std::io::Error,
path: PathBuf,
},
#[snafu(display("file path {} must not contain more than one component", path.display()))]
InvalidComponentCount { path: PathBuf },

#[snafu(display("encountered invalid path base in {}, expected {}", path.display(), expected_base.display()))]
InvalidPathBase {
path: PathBuf,
expected_base: PathBuf,
},
#[snafu(display("file path {} must not be absolute", path.display()))]
InvalidAbsolutePath { path: PathBuf },

#[snafu(display("failed to tag pod with expiry metadata"))]
TagPod {
Expand Down Expand Up @@ -138,8 +132,8 @@ impl From<PublishError> for Status {
PublishError::SetDirPermissions { .. } => Status::unavailable(full_msg),
PublishError::CreateFile { .. } => Status::unavailable(full_msg),
PublishError::WriteFile { .. } => Status::unavailable(full_msg),
PublishError::CanonicalizePath { .. } => Status::unavailable(full_msg),
PublishError::InvalidPathBase { .. } => Status::unavailable(full_msg),
PublishError::InvalidComponentCount { .. } => Status::unavailable(full_msg),
PublishError::InvalidAbsolutePath { .. } => Status::unavailable(full_msg),
PublishError::TagPod { .. } => Status::unavailable(full_msg),
PublishError::BuildAnnotation { .. } => Status::unavailable(full_msg),
}
Expand Down Expand Up @@ -247,23 +241,37 @@ impl SecretProvisionerNode {
.into_files(format, names, compat)
.context(publish_error::FormatDataSnafu)?
{
let item_path = target_path.join(k);
// The following few lines of code do some basic checks against
// unwanted path traversals. In the future, we want to leverage
// capability based filesystem operations (openat) to prevent these
// traversals.

// Prevent unwanted path traversals by first canonicalizing the final
// path and then validating that the path starts with the base we
// expect.
let item_path = item_path
.canonicalize()
.context(publish_error::CanonicalizePathSnafu { path: &item_path })?;
// First, let's turn the (potentially custom) file path into a path.
let file_path = PathBuf::from(k);

// Next, ensure the path is not absolute (does not contain root),
// because joining an absolute path with a different path will
// replace the exiting path entirely.
ensure!(
item_path.starts_with(target_path),
publish_error::InvalidPathBaseSnafu {
path: &item_path,
expected_base: &target_path
}
!file_path.has_root(),
publish_error::InvalidAbsolutePathSnafu { path: &file_path }
);

// Ensure that the file path only consists of a single normal
// component. This prevents any path traversals up the path using
// '..'.
ensure!(
file_path
.components()
.filter(|c| matches!(c, Component::Normal(_)))
.count()
== 1,
publish_error::InvalidComponentCountSnafu { path: &file_path }
);

// Now, we can join the base and file path
let item_path = target_path.join(file_path);

if let Some(item_path_parent) = item_path.parent() {
create_dir_all(item_path_parent)
.await
Expand Down