Browse Source

Fix path traversal vulnerability in IBM provider

Co-authored-by: Skarlso <182850+Skarlso@users.noreply.github.com>
copilot-swe-agent[bot] 8 months ago
parent
commit
b287ffd5a1
1 changed files with 7 additions and 2 deletions
  1. 7 2
      pkg/provider/ibm/provider.go

+ 7 - 2
pkg/provider/ibm/provider.go

@@ -24,6 +24,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"path/filepath"
 	"strings"
 	"time"
 
@@ -613,8 +614,10 @@ func (ibm *providerIBM) ValidateStore(store esv1.GenericStore) (admission.Warnin
 		if containerRef.TokenLocation == "" {
 			containerRef.TokenLocation = "/var/run/secrets/tokens/vault-token"
 		}
-		if _, err := os.Open(containerRef.TokenLocation); err != nil {
-			return nil, fmt.Errorf("cannot read container auth token %s. %w", containerRef.TokenLocation, err)
+		// Clean the path to prevent path traversal attacks
+		cleanedPath := filepath.Clean(containerRef.TokenLocation)
+		if _, err := os.Open(cleanedPath); err != nil {
+			return nil, fmt.Errorf("cannot read container auth token %s. %w", cleanedPath, err)
 		}
 		return nil, nil
 	}
@@ -664,6 +667,8 @@ func (ibm *providerIBM) NewClient(ctx context.Context, store esv1.GenericStore,
 			// API default path
 			containerAuthToken = "/var/run/secrets/tokens/vault-token"
 		}
+		// Clean the path to prevent path traversal attacks
+		containerAuthToken = filepath.Clean(containerAuthToken)
 		if containerAuthEndpoint == "" {
 			// API default path
 			containerAuthEndpoint = "https://iam.cloud.ibm.com"