mirror of https://github.com/portainer/portainer.git synced 2025-07-19 13:29:41 +02:00

fix(security): potential vulnerability of path traversal attacks EE-5303 (#8728)

cmeng 2023-04-04 09:00:17 +12:00 committed by GitHub
parent 1a451823d9
commit 30a2bb0495
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 7 additions and 3 deletions


@ -15,6 +15,10 @@ func UserIsAdminOrEndpointAdmin(user *portainer.User, endpointID portainer.Endpo
}
// GetStackFilePaths returns a list of file paths based on stack project path
// If absolute is false, the path sanitization step will be skipped, which makes the returning
// paths vulnerable to path traversal attacks. Thus, the followed function using the returning
// paths are responsible to sanitize the raw paths
// If absolute is true, the raw paths will be sanitized
func GetStackFilePaths(stack *portainer.Stack, absolute bool) []string {
if !absolute {
return append([]string{stack.EntryPoint}, stack.AdditionalFiles...)
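Review bot: Safety of the `!absolute` branch of GetStackFilePaths rests only on the new doc comment, because that branch returns `stack.EntryPoint` and `stack.AdditionalFiles` exactly as stored and nothing in the signature tells a caller that passing `false` also means "unsanitized". The wording should state the obligation unambiguously, for example `// If absolute is false, the stored paths are returned as-is with no sanitization; every caller must sanitize them before using them in a filesystem path.` It is also worth checking that each call site passing `false` (none are visible in this hunk) does that sanitization, since a parameter named `absolute` is easy to flip without noticing the security consequence. The function body continues past the end of this hunk, so the sanitizing branch itself is not shown here.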