safepath

package
v1.0.0-beta.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 15, 2023 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ChmodAtNoFollow

func ChmodAtNoFollow(path *Path, mode os.FileMode) error

func ChownAtNoFollow

func ChownAtNoFollow(path *Path, uid, gid int) error

func ChpermAtNoFollow

func ChpermAtNoFollow(path *Path, uid, gid int, mode os.FileMode) error

func GetxattrNoFollow added in v0.58.2

func GetxattrNoFollow(path *Path, attr string) ([]byte, error)

func ListenUnixNoFollow

func ListenUnixNoFollow(socketDir *Path, socketName string) (net.Listener, error)

ListenUnixNoFollow safely creates a socket in user-owned path Since there exists no socketat on unix, first a safe delete is performed, then the socket is created.

func MkdirAtNoFollow

func MkdirAtNoFollow(path *Path, dirName string, mode os.FileMode) error

func MknodAtNoFollow

func MknodAtNoFollow(path *Path, fileName string, mode os.FileMode, dev uint64) (err error)

func StatAtNoFollow

func StatAtNoFollow(path *Path) (os.FileInfo, error)

func TouchAtNoFollow

func TouchAtNoFollow(path *Path, fileName string, mode os.FileMode) (err error)

TouchAtNoFollow safely touches a file relative to rootBase. The additional elements form the relative path. Any symlink encountered will be treated as invalid and the operation will be aborted. This works best together with a path first resolved with JoinAndResolveWithRelativeRoot which can resolve relative paths to their real path without symlinks. If the target file exists already, the function will fail.

func UnlinkAtNoFollow

func UnlinkAtNoFollow(path *Path) error

UnlinkAtNoFollow allows deleting the specified file or directory (directory must be empty to succeed).

Types

type File

type File struct {
	// contains filtered or unexported fields
}

func NewFileNoFollow

func NewFileNoFollow(path string) (*File, error)

NewFileNoFollow assumes that a real path to a file is given. It will validate that the file is indeed absolute by doing the following checks:

  • ensure that the path is absolute
  • ensure that the path does not container relative path elements
  • ensure that no symlinks are provided

It will return the opened file which contains a link to a safe-to-use path to the file, which can't be tampered with. To operate on the file just use os.Open and related calls.

func OpenAtNoFollow

func OpenAtNoFollow(path *Path) (file *File, err error)

OpenAtNoFollow safely opens a filedescriptor to a path relative to rootBase. Any symlink encountered will be treated as invalid and the operation will be aborted. This works best together with a path first resolved with JoinAndResolveWithRelativeRoot which can resolve relative paths and symlinks.

func (*File) Close

func (f *File) Close() error

func (*File) Path

func (f *File) Path() *Path

func (*File) SafePath

func (f *File) SafePath() string

SafePath returns a path pointing to the associated file descriptor. It is safe to reuse this path without additional checks. The kernel will ensure that this path always points to the resolved file. To operate on the file just use os.Open and related calls.

func (*File) String

func (f *File) String() string

type Path

type Path struct {
	// contains filtered or unexported fields
}

Path is a path which was at the time of creation a real path re

func JoinAndResolveWithRelativeRoot

func JoinAndResolveWithRelativeRoot(rootBase string, elems ...string) (*Path, error)

JoinAndResolveWithRelativeRoot joins an absolute relativeRoot base path with additional elements which have to be kept below the relativeRoot base. Relative and absolute links will be resolved relative to the provided rootBase and can not escape it.

func JoinNoFollow

func JoinNoFollow(rootPath *Path, path string) (*Path, error)

JoinNoFollow joins the root path with the given additional path. If the additional path element is not a real path (like containing symlinks), it fails.

func NewPathNoFollow

func NewPathNoFollow(path string) (*Path, error)

NewPathNoFollow is a convenience method to get out of a supposedly link-free path a safepath.Path. If there is a symlink included the command will fail.

func (*Path) AppendAndResolveWithRelativeRoot

func (p *Path) AppendAndResolveWithRelativeRoot(relativeRootElems ...string) (*Path, error)

AppendAndResolveWithRelativeRoot returns a new path with the passed elements resolve relative to the current absolute path.

func (*Path) Base

func (p *Path) Base() (string, error)

Base returns the basename of the relative untrusted part of the safepath.

func (*Path) DirNoFollow

func (p *Path) DirNoFollow() (*Path, error)

DirNoFollow returns the parent directory of the safepath.Path as safepath.Path.

func (*Path) ExecuteNoFollow

func (p *Path) ExecuteNoFollow(callback func(safePath string) error) error

ExecuteNoFollow opens the file in question and provides the file descriptor path as safePath string. This safePath string can be (re)opened with normal os.* operations. The file descriptor path is managed by the kernel and there is no way to inject malicious symlinks.

func (*Path) IsRoot

func (p *Path) IsRoot() bool

func (*Path) Raw

func (p *Path) Raw() *unsafepath.Path

Raw returns an "unsafe" path. It's properties are not safe to use without certain precautions. It exposes no access functions. All access happens via functions in the "unsafepath" package.

func (*Path) String

func (p *Path) String() string

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL