From c442d936d3cabfc66f8560b2f4087b4331935c39 Mon Sep 17 00:00:00 2001
From: sunportainer <93502624+sunportainer@users.noreply.github.com>
Date: Fri, 4 Mar 2022 12:05:34 +0800
Subject: [PATCH] fix(compose):filter out symlink in custom template EE-1928 (#6579)

* fix prevent symlink in customtemplate
---
 .../customtemplates/customtemplate_create.go | 24 +++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/api/http/handler/customtemplates/customtemplate_create.go b/api/http/handler/customtemplates/customtemplate_create.go
index f87a489b0..47c79f70f 100644
--- a/api/http/handler/customtemplates/customtemplate_create.go
+++ b/api/http/handler/customtemplates/customtemplate_create.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"log"
 	"net/http"
+	"os"
 	"regexp"
 	"strconv"
@@ -271,14 +272,19 @@ func (handler *Handler) createCustomTemplateFromGitRepository(r *http.Request) (
 	if err != nil {
 		return nil, err
 	}
+	isValidProject := true
+	defer func() {
+		if !isValidProject {
+			if err := handler.FileService.RemoveDirectory(projectPath); err != nil {
+				log.Printf("[WARN] [http,customtemplate,git] [error: %s] [message: unable to remove git repository directory]", err)
+			}
+		}
+	}()
 	entryPath := filesystem.JoinPaths(projectPath, customTemplate.EntryPoint)
-
 	exists, err := handler.FileService.FileExists(entryPath)
 	if err != nil || !exists {
-		if err := handler.FileService.RemoveDirectory(projectPath); err != nil {
-			log.Printf("[WARN] [http,customtemplate,git] [error: %s] [message: unable to remove git repository directory]", err)
-		}
+		isValidProject = false
 	}
 	if err != nil {
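Review bot: The deferred cleanup keyed on the new `isValidProject` flag now decides whether the cloned repository under `projectPath` is kept, so every early return added after the `defer` must set the flag to false or the checkout is left on disk; that contract is not written down anywhere in the hunk. A comment above the `defer` would make it explicit: `// Any validation failure below must set isValidProject = false so the deferred cleanup removes the cloned repository.` The `err` declared inside the deferred closure shadows the enclosing `err`, which looks intentional but deserves a word since the closure runs on every return path. createCustomTemplateFromGitRepository starts before this hunk and continues after it.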
@@ -289,6 +295,16 @@ func (handler *Handler) createCustomTemplateFromGitRepository(r *http.Request) ( return nil, errors.New("Invalid Compose file, ensure that the Compose file path is correct") } + info, err := os.Lstat(entryPath) + if err != nil { + isValidProject = false + return nil, err + } + if info.Mode()&os.ModeSymlink != 0 { // entry is a symlink + isValidProject = false + return nil, errors.New("Invalid Compose file, ensure that the Compose file is not a symbolic link") + } + return customTemplate, nil }
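Review bot: `os.Lstat(entryPath)` only reports whether the final path element is a symbolic link; if a directory component of the cloned repository is itself a symlink, Lstat on the leaf sees a regular file and the new check passes, so the guard does not by itself establish that the Compose file resides inside `projectPath`. A more complete check resolves the whole path, e.g. `resolved, err := filepath.EvalSymlinks(entryPath)`, then rejects the template when `filepath.Rel` from the (also resolved) `projectPath` to `resolved` starts with `..`, adding `path/filepath` to the imports if the file does not already have it. The symlink check also runs after `FileExists`, which presumably follows links, so a dangling symlink would surface as the earlier "path is correct" error rather than this one; a short comment noting that ordering would help the next reader. createCustomTemplateFromGitRepository starts before this hunk.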