Documentation
Overview
Package safepath provides a path-traversal guard used by the OCI and bucket source packages. Both packages must prevent a malicious remote (a crafted tar archive or a mis-curated bucket) from writing files outside the caller's designated cache slot.
Constants
This section is empty.
Variables
This section is empty.
Functions
func SafeJoin
SafeJoin joins base and rel, verifying that the resulting path stays strictly inside base. It defends against two escape shapes:
- Relative traversal: `../../escape.txt` — filepath.Clean collapses the dots; Rel then reports a `..` prefix which is rejected.
- Absolute path: `/etc/passwd` — rejected before the Join when rejectAbsolute is true (tar-header callers). When rejectAbsolute is false (bucket-key callers), filepath.Join's component-boundary handling silently strips the leading slash and keeps the result inside base; Rel still validates containment after the join.
The rejectAbsolute flag exists because the two callers differ in semantics:
- OCI tar extraction (rejectAbsolute = true): a tar header with an absolute path (e.g. `/etc/passwd`) is a sign of a malicious archive; it must be rejected, not silently redirected.
- Bucket key download (rejectAbsolute = false): bucket object names are not filesystem paths; an object literally named `/etc/passwd` is contained safely by filepath.Join and should not error.
Returns the cleaned absolute path on success, or an error if the path would escape base.
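The check described above, written out as an added example (not the safepath package's own code). The function name `joinInside`, its signature, and the sample base directory are assumptions for illustration, and the paths assume a Unix-like system.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// joinInside is a hypothetical sketch of the documented check; its name and
// signature are assumptions, not the safepath package's API.
func joinInside(base, rel string, rejectAbsolute bool) (string, error) {
	// Tar-header callers: an absolute entry name is treated as hostile.
	if rejectAbsolute && filepath.IsAbs(rel) {
		return "", fmt.Errorf("absolute path %q rejected", rel)
	}
	root := filepath.Clean(base)
	// Join cleans the result, collapsing "." and ".." and any doubled slash.
	joined := filepath.Join(root, rel)
	// Rel expresses joined relative to root; a leading ".." element means escape.
	r, err := filepath.Rel(root, joined)
	if err != nil {
		return "", fmt.Errorf("cannot relate %q to %q: %w", joined, root, err)
	}
	// Compare whole path elements so a file literally named "..notes" passes.
	if r == ".." || strings.HasPrefix(r, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("path %q escapes %q", rel, root)
	}
	return joined, nil
}

func main() {
	base := "/var/cache/slot" // constructed sample cache slot
	samples := []struct {
		rel            string
		rejectAbsolute bool
	}{
		{"layer/app.bin", true},      // ordinary tar entry
		{"../../escape.txt", true},   // relative traversal
		{"/etc/passwd", true},        // absolute tar header: rejected
		{"/etc/passwd", false},       // bucket key: contained under base
		{"/../../etc/passwd", false}, // bucket key that still climbs out
		{"..notes", true},            // not a traversal, just an odd name
	}
	for _, s := range samples {
		p, err := joinInside(base, s.rel, s.rejectAbsolute)
		fmt.Printf("%-22q reject-abs=%-5v -> %q err=%v\n", s.rel, s.rejectAbsolute, p, err)
	}
}
```

The fifth sample shows why the Rel check still runs when rejectAbsolute is false: the leading slash is absorbed by the join, but the `..` elements that follow it still climb out of base.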
Types
This section is empty.