config: Use glob instead of regexp to match paths in annotations

c3d · fidencio · commit db5fb825f828 · 2020-11-11T09:46:08.000+01:00
When filtering annotations that correspond to paths, e.g. hypervisor.path, it is better to use a glob syntax than a regexp syntax, as it is more usual for paths, and prevents classes of matches that are undesirable in our case, such as matching .. against .* Fixes: #3004 Signed-off-by: Christophe de Dinechin <dinechin@redhat.com>
diff --git a/virtcontainers/pkg/oci/utils.go b/virtcontainers/pkg/oci/utils.go
@@ -212,6 +212,18 @@ func regexpContains(s []string, e string) bool {
 	return false
 }
 
+func checkPathIsInGlobList(list []string, path string) bool {
+	for _, glob := range list {
+		filenames, _ := filepath.Glob(glob)
+		for _, a := range filenames {
+			if path == a {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 func newLinuxDeviceInfo(d specs.LinuxDevice) (*config.DeviceInfo, error) {
 	allowedDeviceTypes := []string{"c", "b", "u", "p"}
 
@@ -398,21 +410,21 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig,
 	}
 
 	if value, ok := ocispec.Annotations[vcAnnotations.HypervisorPath]; ok {
-		if !regexpContains(runtime.HypervisorConfig.HypervisorPathList, value) {
+		if !checkPathIsInGlobList(runtime.HypervisorConfig.HypervisorPathList, value) {
 			return fmt.Errorf("hypervisor %v required from annotation is not valid", value)
 		}
 		config.HypervisorConfig.HypervisorPath = value
 	}
 
 	if value, ok := ocispec.Annotations[vcAnnotations.JailerPath]; ok {
-		if !regexpContains(runtime.HypervisorConfig.JailerPathList, value) {
+		if !checkPathIsInGlobList(runtime.HypervisorConfig.JailerPathList, value) {
 			return fmt.Errorf("jailer %v required from annotation is not valid", value)
 		}
 		config.HypervisorConfig.JailerPath = value
 	}
 
 	if value, ok := ocispec.Annotations[vcAnnotations.CtlPath]; ok {
-		if !regexpContains(runtime.HypervisorConfig.HypervisorCtlPathList, value) {
+		if !checkPathIsInGlobList(runtime.HypervisorConfig.HypervisorCtlPathList, value) {
 			return fmt.Errorf("hypervisor control %v required from annotation is not valid", value)
 		}
 		config.HypervisorConfig.HypervisorCtlPath = value
@@ -451,7 +463,7 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig,
 	}
 
 	if value, ok := ocispec.Annotations[vcAnnotations.VhostUserStorePath]; ok {
-		if !regexpContains(runtime.HypervisorConfig.VhostUserStorePathList, value) {
+		if !checkPathIsInGlobList(runtime.HypervisorConfig.VhostUserStorePathList, value) {
 			return fmt.Errorf("vhost store path %v required from annotation is not valid", value)
 		}
 		config.HypervisorConfig.VhostUserStorePath = value
@@ -567,7 +579,7 @@ func addHypervisorMemoryOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConfig
 	}
 
 	if value, ok := ocispec.Annotations[vcAnnotations.FileBackedMemRootDir]; ok {
-		if !regexpContains(runtime.HypervisorConfig.FileBackedMemRootList, value) {
+		if !checkPathIsInGlobList(runtime.HypervisorConfig.FileBackedMemRootList, value) {
 			return fmt.Errorf("file_mem_backend value %v required from annotation is not valid", value)
 		}
 		sbConfig.HypervisorConfig.FileBackedMemRootDir = value
@@ -705,7 +717,7 @@ func addHypervisorVirtioFsOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConf
 	}
 
 	if value, ok := ocispec.Annotations[vcAnnotations.VirtioFSDaemon]; ok {
-		if !regexpContains(runtime.HypervisorConfig.VirtioFSDaemonList, value) {
+		if !checkPathIsInGlobList(runtime.HypervisorConfig.VirtioFSDaemonList, value) {
 			return fmt.Errorf("virtiofs daemon %v required from annotation is not valid", value)
 		}
 		sbConfig.HypervisorConfig.VirtioFSDaemon = value

Original file line number	Diff line number	Diff line change
`@@ -212,6 +212,18 @@ func regexpContains(s []string, e string) bool {`
`212`	`212`	`return false`
`213`	`213`	`}`
`214`	`214`
	`215`	`+func checkPathIsInGlobList(list []string, path string) bool {`
	`216`	`+ for _, glob := range list {`
	`217`	`+ filenames, _ := filepath.Glob(glob)`
	`218`	`+ for _, a := range filenames {`
	`219`	`+ if path == a {`
	`220`	`+ return true`
	`221`	`+ }`
	`222`	`+ }`
	`223`	`+ }`
	`224`	`+ return false`
	`225`	`+}`
	`226`	`+`
`215`	`227`	`func newLinuxDeviceInfo(d specs.LinuxDevice) (*config.DeviceInfo, error) {`
`216`	`228`	`allowedDeviceTypes := []string{"c", "b", "u", "p"}`
`217`	`229`
`@@ -398,21 +410,21 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig,`
`398`	`410`	`}`
`399`	`411`
`400`	`412`	`if value, ok := ocispec.Annotations[vcAnnotations.HypervisorPath]; ok {`
`401`		`- if !regexpContains(runtime.HypervisorConfig.HypervisorPathList, value) {`
	`413`	`+ if !checkPathIsInGlobList(runtime.HypervisorConfig.HypervisorPathList, value) {`
`402`	`414`	`return fmt.Errorf("hypervisor %v required from annotation is not valid", value)`
`403`	`415`	`}`
`404`	`416`	`config.HypervisorConfig.HypervisorPath = value`
`405`	`417`	`}`
`406`	`418`
`407`	`419`	`if value, ok := ocispec.Annotations[vcAnnotations.JailerPath]; ok {`
`408`		`- if !regexpContains(runtime.HypervisorConfig.JailerPathList, value) {`
	`420`	`+ if !checkPathIsInGlobList(runtime.HypervisorConfig.JailerPathList, value) {`
`409`	`421`	`return fmt.Errorf("jailer %v required from annotation is not valid", value)`
`410`	`422`	`}`
`411`	`423`	`config.HypervisorConfig.JailerPath = value`
`412`	`424`	`}`
`413`	`425`
`414`	`426`	`if value, ok := ocispec.Annotations[vcAnnotations.CtlPath]; ok {`
`415`		`- if !regexpContains(runtime.HypervisorConfig.HypervisorCtlPathList, value) {`
	`427`	`+ if !checkPathIsInGlobList(runtime.HypervisorConfig.HypervisorCtlPathList, value) {`
`416`	`428`	`return fmt.Errorf("hypervisor control %v required from annotation is not valid", value)`
`417`	`429`	`}`
`418`	`430`	`config.HypervisorConfig.HypervisorCtlPath = value`
`@@ -451,7 +463,7 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig,`
`451`	`463`	`}`
`452`	`464`
`453`	`465`	`if value, ok := ocispec.Annotations[vcAnnotations.VhostUserStorePath]; ok {`
`454`		`- if !regexpContains(runtime.HypervisorConfig.VhostUserStorePathList, value) {`
	`466`	`+ if !checkPathIsInGlobList(runtime.HypervisorConfig.VhostUserStorePathList, value) {`
`455`	`467`	`return fmt.Errorf("vhost store path %v required from annotation is not valid", value)`
`456`	`468`	`}`
`457`	`469`	`config.HypervisorConfig.VhostUserStorePath = value`
`@@ -567,7 +579,7 @@ func addHypervisorMemoryOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConfig`
`567`	`579`	`}`
`568`	`580`
`569`	`581`	`if value, ok := ocispec.Annotations[vcAnnotations.FileBackedMemRootDir]; ok {`
`570`		`- if !regexpContains(runtime.HypervisorConfig.FileBackedMemRootList, value) {`
	`582`	`+ if !checkPathIsInGlobList(runtime.HypervisorConfig.FileBackedMemRootList, value) {`
`571`	`583`	`return fmt.Errorf("file_mem_backend value %v required from annotation is not valid", value)`
`572`	`584`	`}`
`573`	`585`	`sbConfig.HypervisorConfig.FileBackedMemRootDir = value`
`@@ -705,7 +717,7 @@ func addHypervisorVirtioFsOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConf`
`705`	`717`	`}`
`706`	`718`
`707`	`719`	`if value, ok := ocispec.Annotations[vcAnnotations.VirtioFSDaemon]; ok {`
`708`		`- if !regexpContains(runtime.HypervisorConfig.VirtioFSDaemonList, value) {`
	`720`	`+ if !checkPathIsInGlobList(runtime.HypervisorConfig.VirtioFSDaemonList, value) {`
`709`	`721`	`return fmt.Errorf("virtiofs daemon %v required from annotation is not valid", value)`
`710`	`722`	`}`
`711`	`723`	`sbConfig.HypervisorConfig.VirtioFSDaemon = value`