Controller: Several security fixes. (#13069)

Co-authored-by: Tabitha Sable <tabitha.c.sable@gmail.com>
2025-03-25 00:00:39 +01:00 · 2025-03-25 00:00:39 +01:00 · 626305229f
commit 626305229f
parent cfd4d89a56
7 changed files with 36 additions and 15 deletions
--- a/internal/ingress/annotations/auth/main.go
+++ b/internal/ingress/annotations/auth/main.go
@ -19,6 +19,7 @@ package auth
 import (
 	"fmt"
 	"os"
+	"path/filepath"
 	"regexp"
 	"strings"

@ -203,16 +204,24 @@ func (a auth) Parse(ing *networking.Ingress) (interface{}, error) {
 		return nil, err
 	}

-	passFilename := fmt.Sprintf("%v/%v-%v-%v.passwd", a.authDirectory, ing.GetNamespace(), ing.UID, secret.UID)
+	passFileName := fmt.Sprintf("%v-%v-%v.passwd", ing.GetNamespace(), ing.UID, secret.UID)
+	passFilePath := filepath.Join(a.authDirectory, passFileName)
+
+	// Ensure password file name does not contain any path traversal characters.
+	if a.authDirectory != filepath.Dir(passFilePath) || passFileName != filepath.Base(passFilePath) {
+		return nil, ing_errors.LocationDeniedError{
+			Reason: fmt.Errorf("invalid password file name: %s", passFileName),
+		}
+	}

 	switch secretType {
 	case fileAuth:
-		err = dumpSecretAuthFile(passFilename, secret)
+		err = dumpSecretAuthFile(passFilePath, secret)
 		if err != nil {
 			return nil, err
 		}
 	case mapAuth:
-		err = dumpSecretAuthMap(passFilename, secret)
+		err = dumpSecretAuthMap(passFilePath, secret)
 		if err != nil {
 			return nil, err
 		}
@ -225,9 +234,9 @@ func (a auth) Parse(ing *networking.Ingress) (interface{}, error) {
 	return &Config{
 		Type:       at,
 		Realm:      realm,
-		File:       passFilename,
+		File:       passFilePath,
 		Secured:    true,
-		FileSHA:    file.SHA1(passFilename),
+		FileSHA:    file.SHA1(passFilePath),
 		Secret:     name,
 		SecretType: secretType,
 	}, nil