Merge pull request #9 from nberlee/path_sanitize

Path sanitize

.github/workflows/dependabot.yml → .github/dependabot.yml

@@ -5,7 +5,7 @@
 
 version: 2
 updates:
-  - package-ecosystem: "" # See documentation for possible values
+  - package-ecosystem: "gomod" # See documentation for possible values
     directory: "/" # Location of package manifests
     schedule:
-      interval: "weekly"
+      interval: "daily"

netns/netns.go

@@ -50,7 +50,8 @@ func GetNetNsPids(netNSNames []string) (pidNetNS *map[uint32]string) {
 
 func getNetNsInodeFromBindMount(netNSNames []string) (inodes []string, err error) {
 	for _, netNSName := range netNSNames {
-		netNSPath := path.Join(NetNSPath, netNSName)
+		sanitizedNetNSName := path.Base(netNSName)
+		netNSPath := path.Join(NetNSPath, sanitizedNetNSName)
 
 		f, err := os.Open(netNSPath)
 		if err != nil {
@@ -78,7 +79,8 @@ func getNetNsInodeFromBindMount(netNSNames []string) (inodes []string, err error
 
 func getNetNsInodeFromSymlink(netNSNames []string) (inodes []string, err error) {
 	for _, netNSName := range netNSNames {
-		symlinkPath := path.Join(NetNSPath, netNSName)
+		sanitizedNetNSName := path.Base(netNSName)
+		symlinkPath := path.Join(NetNSPath, sanitizedNetNSName)
 
 		fileInfo, err := os.Stat(symlinkPath)
 		if err != nil {

netns/netns_test.go

@@ -221,6 +221,12 @@ func TestGetNetNsInodeFromSymlink(t *testing.T) {
 			expected:   nil,
 			wantErr:    false,
 		},
+		{
+			name:       "path exploits",
+			netNSNames: []string{"../netns1", "../netns2"},
+			expected:   expectedInodes,
+			wantErr:    false,
+		},
 	}
 
 	// Temporarily replace the NetNSPath global variable