MCPcopy
hub / github.com/docker/compose / validatePathInBase

Function validatePathInBase

pkg/remote/oci.go:49–71  ·  pkg/remote/oci.go::validatePathInBase

validatePathInBase ensures a file path is contained within the base directory, as OCI artifact resources must all live within the same folder.

(base, unsafePath string)

Source from the content-addressed store, hash-verified

47// validatePathInBase ensures a file path is contained within the base directory,
48// as OCI artifact resources must all live within the same folder.
49func validatePathInBase(base, unsafePath string) error {
50 // Reject paths with path separators regardless of OS
51 if strings.ContainsAny(unsafePath, "\\/") {
52 return fmt.Errorf("invalid OCI artifact")
53 }
54
55 // Join the base with the untrusted path
56 targetPath := filepath.Join(base, unsafePath)
57
58 // Get the directory of the target path
59 targetDir := filepath.Dir(targetPath)
60
61 // Clean both paths to resolve any .. or . components
62 cleanBase := filepath.Clean(base)
63 cleanTargetDir := filepath.Clean(targetDir)
64
65 // Check if the target directory is the same as base directory
66 if cleanTargetDir != cleanBase {
67 return fmt.Errorf("invalid OCI artifact")
68 }
69
70 return nil
71}
72
73func ociRemoteLoaderEnabled() (bool, error) {
74 if v := os.Getenv(OCI_REMOTE_ENABLED); v != "" {

Callers 3

TestValidatePathInBaseFunction · 0.85
writeComposeFileFunction · 0.85
writeEnvFileFunction · 0.85

Calls 1

DirMethod · 0.45

Tested by 1

TestValidatePathInBaseFunction · 0.68