IND-1810 CVE Fixes

hashicorp · Jan 31, 2025 · 399d392 · 399d392
1 parent d8b1ee7
commit 399d392
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 18 deletions.
diff --git a/go.mod b/go.mod
@@ -7,12 +7,12 @@ require (
 	github.com/google/go-cmp v0.5.9
 	github.com/hashicorp/terraform-registry-address v0.2.0
 	github.com/hashicorp/terraform-svchost v0.0.1
-	golang.org/x/mod v0.10.0
-	golang.org/x/sys v0.13.0
+	golang.org/x/mod v0.17.0
+	golang.org/x/sys v0.29.0
 )
 
 require (
 	github.com/go-test/deep v1.0.3 // indirect
-	golang.org/x/net v0.17.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/net v0.34.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -13,11 +13,11 @@ github.com/hashicorp/terraform-svchost v0.0.1 h1:Zj6fR5wnpOHnJUmLyWozjMeDaVuE+cs
 github.com/hashicorp/terraform-svchost v0.0.1/go.mod h1:ut8JaH0vumgdCfJaihdcZULqkAwHdQNwNH7taIDdsZM=
 github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348 h1:MtvEpTB6LX3vkb4ax0b5D2DHbNAUsen0Gx5wZoq3lV4=
 github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k=
-golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk=
-golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
+golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
diff --git a/slug.go b/slug.go
@@ -427,11 +427,14 @@ func (p *Packer) Unpack(r io.Reader, dst string) error {
 
 		// Handle symlinks, directories, non-regular files
 		if info.IsSymlink() {
+
 			if ok, err := p.validSymlink(dst, header.Name, header.Linkname); ok {
 				// Create the symlink.
-				if err = os.Symlink(header.Linkname, info.Path); err != nil {
+				headerName := filepath.Clean(header.Name)
+				headerLinkname := filepath.Clean(header.Linkname)
+				if err = os.Symlink(headerLinkname, info.Path); err != nil {
 					return fmt.Errorf("failed creating symlink (%q -> %q): %w",
-						header.Name, header.Linkname, err)
+						headerName, headerLinkname, err)
 				}
 			} else {
 				return err
@@ -507,19 +510,24 @@ func (p *Packer) validSymlink(root, path, target string) (bool, error) {
 	// Get the absolute path to the file path.
 	absPath := path
 	if !filepath.IsAbs(absPath) {
-		absPath = filepath.Join(absRoot, path)
+		absPath = filepath.Clean(filepath.Join(absRoot, path))
 	}
 
 	// Get the absolute path of the symlink target.
 	var absTarget string
 	if filepath.IsAbs(target) {
 		absTarget = filepath.Clean(target)
 	} else {
-		absTarget = filepath.Join(filepath.Dir(absPath), target)
+		absTarget = filepath.Clean(filepath.Join(filepath.Dir(absPath), target))
 	}
 
 	// Target falls within root.
-	if strings.HasPrefix(absTarget, absRoot) {
+	rel, err := filepath.Rel(absRoot, absTarget)
+	if err != nil {
+		return false, fmt.Errorf("couldn't find relative path : %w", err)
+	}
+
+	if rel != ".." && !(len(rel) >= 3 && rel[:3] == "../") {
 		return true, nil
 	}
 
@@ -529,6 +537,7 @@ func (p *Packer) validSymlink(root, path, target string) (bool, error) {
 		if !filepath.IsAbs(prefix) {
 			prefix = filepath.Join(absRoot, prefix)
 		}
+		prefix = filepath.Clean(prefix)
 
 		// Exact match is allowed.
 		if absTarget == prefix {
@@ -539,7 +548,13 @@ func (p *Packer) validSymlink(root, path, target string) (bool, error) {
 		if !strings.HasSuffix(prefix, "/") {
 			prefix += "/"
 		}
-		if strings.HasPrefix(absTarget, prefix) {
+
+		rel, err := filepath.Rel(prefix, absTarget)
+		if err != nil {
+			return false, fmt.Errorf("couldn't find relative path : %w", err)
+		}
+
+		if rel != ".." && !(len(rel) >= 3 && rel[:3] == "../") {
 			return true, nil
 		}
 	}