Add changes for fixing the absolute path behaviour in oras push and a…

…ttach
oras-project · Jun 26, 2023 · 58d20d4 · 58d20d4
1 parent bf33bb7
commit 58d20d4
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 2 deletions.
diff --git a/cmd/oras/internal/option/packer.go b/cmd/oras/internal/option/packer.go
@@ -21,6 +21,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"path/filepath"
 	"strings"
 
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -38,6 +39,7 @@ var (
 	errAnnotationConflict    = errors.New("`--annotation` and `--annotation-file` cannot be both specified")
 	errAnnotationFormat      = errors.New("missing key in `--annotation` flag")
 	errAnnotationDuplication = errors.New("duplicate annotation key")
+	errPathValidation        = errors.New("one or more files are not in the current directory.If it's intentional use --disable-path-validation flag to skip this check")
 )
 
 // Packer option struct.
@@ -69,6 +71,35 @@ func (opts *Packer) ExportManifest(ctx context.Context, fetcher content.Fetcher,
 	}
 	return os.WriteFile(opts.ManifestExportPath, manifestBytes, 0666)
 }
+func (opts *Packer) Parse() error {
+	currentDir, err := os.Getwd()
+	var failedPaths []string
+	if err != nil {
+		return err
+	}
+	if !opts.PathValidationDisabled && len(opts.FileRefs) != 0 {
+		for _, path := range opts.FileRefs {
+			//Remove the type if specified in the path <file>[:<type>] format
+			lastIndex := strings.LastIndex(path, ":")
+			if lastIndex != -1 {
+				path = path[:lastIndex]
+			}
+			absPath, err := filepath.Abs(path)
+			dirPath := filepath.Dir(absPath)
+			if err != nil {
+				return err
+			}
+			if dirPath != currentDir {
+				failedPaths = append(failedPaths, absPath)
+			}
+		}
+		if len(failedPaths) > 0 {
+			errorMsg := fmt.Sprintf("%v: %v currentDir :%v", errPathValidation, strings.Join(failedPaths, ", "), currentDir)
+			return errors.New(errorMsg)
+		}
+	}
+	return nil
+}
 
 // LoadManifestAnnotations loads the manifest annotation map.
 func (opts *Packer) LoadManifestAnnotations() (annotations map[string]map[string]string, err error) {

diff --git a/cmd/oras/root/attach.go b/cmd/oras/root/attach.go
@@ -113,7 +113,6 @@ func runAttach(ctx context.Context, opts attachOptions) error {
 		return err
 	}
 	defer store.Close()
-	store.AllowPathTraversalOnWrite = opts.PathValidationDisabled
 
 	dst, err := opts.NewTarget(opts.Common)
 	if err != nil {

diff --git a/cmd/oras/root/pull.go b/cmd/oras/root/pull.go
@@ -17,8 +17,10 @@ package root
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
+	"strings"
 	"sync"
 
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -237,6 +239,10 @@ func runPull(ctx context.Context, opts pullOptions) error {
 	// Copy
 	desc, err := oras.Copy(ctx, src, opts.Reference, dst, opts.Reference, copyOptions)
 	if err != nil {
+		if strings.Contains(err.Error(), "path traversal disallowed") {
+			errorMsg := fmt.Sprintf("%v: %v ", err, "To enable path traversal use --allow-path-traversal flag")
+			return errors.New(errorMsg)
+		}
 		return err
 	}
 	if pulledEmpty {

diff --git a/cmd/oras/root/push.go b/cmd/oras/root/push.go
@@ -139,7 +139,6 @@ func runPush(ctx context.Context, opts pushOptions) error {
 		return err
 	}
 	defer store.Close()
-	store.AllowPathTraversalOnWrite = opts.PathValidationDisabled
 	if opts.manifestConfigRef != "" {
 		path, cfgMediaType, err := fileref.Parse(opts.manifestConfigRef, oras.MediaTypeUnknownConfig)
 		if err != nil {