Affected by GO-2022-0732 and 9 other vulnerabilities

GO-2022-0732: Privilege escalation in Hashicorp Nomad in github.com/hashicorp/nomad

GO-2022-1062: Nomad Panics On Job Submission With Bad Artifact Stanza Source URL in github.com/hashicorp/nomad

GO-2023-1581: Uncontrolled Resource Consumption in Hashicorp Nomad in github.com/hashicorp/nomad

GO-2024-2669: API token secret ID leak to Sentinel in github.com/hashicorp/nomad

GO-2024-2670: ACL security vulnerability in github.com/hashicorp/nomad

GO-2024-3073: Nomad Vulnerable to Allocation Directory Escape On Non-Existing File Paths Through Archive Unpacking in github.com/hashicorp/nomad

GO-2024-3262: Hashicorp Nomad Incorrect Authorization vulnerability in github.com/hashicorp/nomad

GO-2024-3354: Hashicorp Nomad Incorrect Privilege Assignment vulnerability in github.com/hashicorp/nomad

GO-2025-3510: Unintentional exposure of the workload identity token and client secret in logs in github.com/hashicorp/nomad

GO-2025-3758: Hashicorp Nomad Incorrect Privilege Assignment vulnerability in github.com/hashicorp/nomad

escapingfs

package

v1.3.0 Latest Latest Go to latest Published: May 11, 2022 License: MPL-2.0 Imports: 4 Imported by: 5

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/hashicorp/nomad

Links

Open Source Insights

Documentation ¶

Index ¶

func PathEscapesAllocDir(base, prefix, path string) (bool, error)
func PathEscapesAllocViaRelative(prefix, path string) (bool, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func PathEscapesAllocDir ¶

func PathEscapesAllocDir(base, prefix, path string) (bool, error)

PathEscapesAllocDir returns true if base/prefix/path escapes the given base directory.

Escaping a directory can be done with relative paths (e.g. ../../ etc.) or by using symlinks. This checks both methods.

The base directory must be an absolute path.

func PathEscapesAllocViaRelative ¶

func PathEscapesAllocViaRelative(prefix, path string) (bool, error)

PathEscapesAllocViaRelative returns if the given path escapes the allocation directory using relative paths.

Only for use in server-side validation, where the real filesystem is not available. For client-side validation use PathEscapesAllocDir, which includes symlink validation as well.

The prefix is joined to the path (e.g. "task/local"), and this function checks if path escapes the alloc dir, NOT the prefix directory within the alloc dir. With prefix="task/local", it will return false for "../secret", but true for "../../../../../../root" path; only the latter escapes the alloc dir.

Types ¶

This section is empty.

Source Files ¶

View all Source files

escapes.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL