fix(security): avoid to use raw paths in stack operation

2025-08-10 16:25:22 +02:00 · 2022-11-10 09:54:33 +13:00 · 2022-11-10 09:54:33 +13:00 · 7c95746714
commit 7c95746714
parent e1e81731b9
3 changed files with 8 additions and 4 deletions
--- a/api/exec/compose_stack.go
+++ b/api/exec/compose_stack.go
@ -58,7 +58,7 @@ func (manager *ComposeStackManager) Up(ctx context.Context, stack *portainer.Sta
 		return errors.Wrap(err, "failed to create env file")
 	}

-	filePaths := stackutils.GetStackFilePaths(stack, false)
+	filePaths := stackutils.GetStackFilePaths(stack, true)
 	err = manager.deployer.Deploy(ctx, stack.ProjectPath, url, stack.Name, filePaths, envFile, forceRereate)
 	return errors.Wrap(err, "failed to deploy a stack")
 }
@ -78,7 +78,7 @@ func (manager *ComposeStackManager) Down(ctx context.Context, stack *portainer.S
 		return errors.Wrap(err, "failed to create env file")
 	}

-	filePaths := stackutils.GetStackFilePaths(stack, false)
+	filePaths := stackutils.GetStackFilePaths(stack, true)

 	err = manager.deployer.Remove(ctx, stack.ProjectPath, url, stack.Name, filePaths, envFile)
 	return errors.Wrap(err, "failed to remove a stack")
@ -100,7 +100,7 @@ func (manager *ComposeStackManager) Pull(ctx context.Context, stack *portainer.S
 		return errors.Wrap(err, "failed to create env file")
 	}

-	filePaths := stackutils.GetStackFilePaths(stack, false)
+	filePaths := stackutils.GetStackFilePaths(stack, true)
 	err = manager.deployer.Pull(ctx, stack.ProjectPath, url, stack.Name, filePaths, envFile)
 	return errors.Wrap(err, "failed to pull images of the stack")
 }
--- a/api/exec/swarm_stack.go
+++ b/api/exec/swarm_stack.go
@ -90,7 +90,7 @@ func (manager *SwarmStackManager) Logout(endpoint *portainer.Endpoint) error {

 // Deploy executes the docker stack deploy command.
 func (manager *SwarmStackManager) Deploy(stack *portainer.Stack, prune bool, pullImage bool, endpoint *portainer.Endpoint) error {
-	filePaths := stackutils.GetStackFilePaths(stack, false)
+	filePaths := stackutils.GetStackFilePaths(stack, true)
 	command, args, err := manager.prepareDockerCommandAndArgs(manager.binaryPath, manager.configPath, endpoint)
 	if err != nil {
 		return err
--- a/api/stacks/stackutils/util.go
+++ b/api/stacks/stackutils/util.go
@ -15,6 +15,10 @@ func UserIsAdminOrEndpointAdmin(user *portainer.User, endpointID portainer.Endpo
 }

 // GetStackFilePaths returns a list of file paths based on stack project path
+// If absolute is false, the path sanitization step will be skipped, which makes the returning
+// paths vulnerable to path traversal attacks. Thus, the followed function using the returning
+// paths are responsible to sanitize the raw paths
+// If absolute is true, the raw paths will be sanitized
 func GetStackFilePaths(stack *portainer.Stack, absolute bool) []string {
 	if !absolute {
 		return append([]string{stack.EntryPoint}, stack.AdditionalFiles...)