fix(compose):filter out symlink in custom template EE-1928 (#6579)

* fix prevent symlink in customtemplate
2022-03-04 12:05:34 +08:00 · 2022-03-04 12:05:34 +08:00 · c442d936d3
parent 0cd164bada
commit c442d936d3
1 changed files with 20 additions and 4 deletions
--- a/api/http/handler/customtemplates/customtemplate_create.go
+++ b/api/http/handler/customtemplates/customtemplate_create.go
@ -4,6 +4,7 @@ import (
 	"errors"
 	"log"
 	"net/http"
+	"os"
 	"regexp"
 	"strconv"

@ -271,15 +272,20 @@ func (handler *Handler) createCustomTemplateFromGitRepository(r *http.Request) (
 	if err != nil {
 		return nil, err
 	}
-
-	entryPath := filesystem.JoinPaths(projectPath, customTemplate.EntryPoint)
-
-	exists, err := handler.FileService.FileExists(entryPath)
-	if err != nil || !exists {
+	isValidProject := true
+	defer func() {
+		if !isValidProject {
 			if err := handler.FileService.RemoveDirectory(projectPath); err != nil {
 				log.Printf("[WARN] [http,customtemplate,git] [error: %s] [message: unable to remove git repository directory]", err)
 			}
 		}
+	}()
+
+	entryPath := filesystem.JoinPaths(projectPath, customTemplate.EntryPoint)
+	exists, err := handler.FileService.FileExists(entryPath)
+	if err != nil || !exists {
+		isValidProject = false
+	}

 	if err != nil {
 		return nil, err
@ -289,6 +295,16 @@ func (handler *Handler) createCustomTemplateFromGitRepository(r *http.Request) (
 		return nil, errors.New("Invalid Compose file, ensure that the Compose file path is correct")
 	}

+	info, err := os.Lstat(entryPath)
+	if err != nil {
+		isValidProject = false
+		return nil, err
+	}
+	if info.Mode()&os.ModeSymlink != 0 { // entry is a symlink
+		isValidProject = false
+		return nil, errors.New("Invalid Compose file, ensure that the Compose file is not a symbolic link")
+	}
+
 	return customTemplate, nil
 }