prevent path traversal

nccgroup · Jan 23, 2020 · 8ea3752 · 8ea3752
1 parent a50b012
commit 8ea3752
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 1 deletion.
diff --git a/example/README.md b/example/README.md
@@ -7,6 +7,7 @@ Docker image that is a server that has a secret.
 * Tag and push
 
 `docker build -t 127.0.0.1:5000/test/test .`
+
 `docker push 127.0.0.1:5000/test/test`
 
 * Pillage the configs and search for secrets in their Configs:

diff --git a/go.mod b/go.mod
@@ -3,6 +3,7 @@ module github.com/nccgroup/go-pillage-registries
 go 1.13
 
 require (
+	github.com/cyphar/filepath-securejoin v0.2.2
 	github.com/google/go-containerregistry v0.0.0-20200122230840-907b5bbd980c
 	github.com/remeh/sizedwaitgroup v1.0.0
 	github.com/spf13/cobra v0.0.5

diff --git a/go.sum b/go.sum
@@ -51,6 +51,8 @@ github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfc
 github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
+github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg=
+github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
 github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

diff --git a/pkg/pillage/pillage.go b/pkg/pillage/pillage.go
@@ -7,6 +7,7 @@ import (
 	"log"
 	"os"
 	"path"
+	"path/filepath"
 	"sync"
 
 	"github.com/google/go-containerregistry/pkg/crane"
@@ -41,12 +42,19 @@ func MakeCraneOptions(insecure bool) (options []crane.Option) {
 	return options
 }
 
+func securejoin(paths ...string) (out string) {
+	for _, path := range paths {
+		out = filepath.Join(out, filepath.Clean("/"+path))
+	}
+	return out
+}
+
 //Store will output the information enumerated from an image to an output directory and optionally will pull the image filesystems as well
 func (image *ImageData) Store(options *StorageOptions) error {
 	log.Printf("Storing results for image: %s", image.Reference)
 
 	//make image output dir
-	imagePath := path.Join(options.ResultsPath, image.Registry, image.Repository, image.Tag)
+	imagePath := filepath.Join(options.ResultsPath, securejoin(image.Registry, image.Repository, image.Tag))
 	err := os.MkdirAll(imagePath, os.ModePerm)
 	if err != nil {
 		log.Printf("Error making storage path %s: %v", imagePath, err)