validatePathInBase ensures a file path is contained within the base directory, as OCI artifact resources must all live within the same folder.
(base, unsafePath string)
| 47 | // validatePathInBase ensures a file path is contained within the base directory, |
| 48 | // as OCI artifact resources must all live within the same folder. |
| 49 | func validatePathInBase(base, unsafePath string) error { |
| 50 | // Reject paths with path separators regardless of OS |
| 51 | if strings.ContainsAny(unsafePath, "\\/") { |
| 52 | return fmt.Errorf("invalid OCI artifact") |
| 53 | } |
| 54 | |
| 55 | // Join the base with the untrusted path |
| 56 | targetPath := filepath.Join(base, unsafePath) |
| 57 | |
| 58 | // Get the directory of the target path |
| 59 | targetDir := filepath.Dir(targetPath) |
| 60 | |
| 61 | // Clean both paths to resolve any .. or . components |
| 62 | cleanBase := filepath.Clean(base) |
| 63 | cleanTargetDir := filepath.Clean(targetDir) |
| 64 | |
| 65 | // Check if the target directory is the same as base directory |
| 66 | if cleanTargetDir != cleanBase { |
| 67 | return fmt.Errorf("invalid OCI artifact") |
| 68 | } |
| 69 | |
| 70 | return nil |
| 71 | } |
| 72 | |
| 73 | func ociRemoteLoaderEnabled() (bool, error) { |
| 74 | if v := os.Getenv(OCI_REMOTE_ENABLED); v != "" { |