Merge pull request #9 from nberlee/path_sanitize

nberlee · web-flow · commit b86218702811 · 2023-03-28T13:52:51.000+02:00
Path sanitize
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -5,7 +5,7 @@
 
 version: 2
 updates:
-  - package-ecosystem: "" # See documentation for possible values
+  - package-ecosystem: "gomod" # See documentation for possible values
     directory: "/" # Location of package manifests
     schedule:
-      interval: "weekly"
+      interval: "daily"
diff --git a/netns/netns.go b/netns/netns.go
@@ -50,7 +50,8 @@ func GetNetNsPids(netNSNames []string) (pidNetNS *map[uint32]string) {
 
 func getNetNsInodeFromBindMount(netNSNames []string) (inodes []string, err error) {
 	for _, netNSName := range netNSNames {
-		netNSPath := path.Join(NetNSPath, netNSName)
+		sanitizedNetNSName := path.Base(netNSName)
+		netNSPath := path.Join(NetNSPath, sanitizedNetNSName)
 
 		f, err := os.Open(netNSPath)
 		if err != nil {
@@ -78,7 +79,8 @@ func getNetNsInodeFromBindMount(netNSNames []string) (inodes []string, err error
 
 func getNetNsInodeFromSymlink(netNSNames []string) (inodes []string, err error) {
 	for _, netNSName := range netNSNames {
-		symlinkPath := path.Join(NetNSPath, netNSName)
+		sanitizedNetNSName := path.Base(netNSName)
+		symlinkPath := path.Join(NetNSPath, sanitizedNetNSName)
 
 		fileInfo, err := os.Stat(symlinkPath)
 		if err != nil {
diff --git a/netns/netns_test.go b/netns/netns_test.go
@@ -221,6 +221,12 @@ func TestGetNetNsInodeFromSymlink(t *testing.T) {
 			expected:   nil,
 			wantErr:    false,
 		},
+		{
+			name:       "path exploits",
+			netNSNames: []string{"../netns1", "../netns2"},
+			expected:   expectedInodes,
+			wantErr:    false,
+		},
 	}
 
 	// Temporarily replace the NetNSPath global variable
