fix(filesystem): harden the filesystem service to avoid path traversal attacks EE-1922 (#5957)

fix(filesystem): harden the filesystem service to avoid path traversal attacks EE-1922
2025-07-19 13:29:41 +02:00 · 2021-11-01 08:01:03 -03:00 · 2021-11-01 08:01:03 -03:00 · 28f71e486a
commit 28f71e486a
parent c763219f74
21 changed files with 292 additions and 176 deletions
--- a/api/http/handler/stacks/stack_delete.go
+++ b/api/http/handler/stacks/stack_delete.go
@ -6,7 +6,6 @@ import (
 	"io/ioutil"
 	"net/http"
 	"os"
-	"path"
 	"strconv"

 	"github.com/pkg/errors"
@ -198,8 +197,8 @@ func (handler *Handler) deleteStack(userID portainer.UserID, stack *portainer.St
 			defer os.RemoveAll(tmpDir)

 			for _, fileName := range fileNames {
-				manifestFilePath := path.Join(tmpDir, fileName)
-				manifestContent, err := ioutil.ReadFile(path.Join(stack.ProjectPath, fileName))
+				manifestFilePath := filesystem.JoinPaths(tmpDir, fileName)
+				manifestContent, err := handler.FileService.GetFileContent(stack.ProjectPath, fileName)
 				if err != nil {
 					return errors.Wrap(err, "failed to read manifest file")
 				}