ref(pkg/plugin): create clean path for extracting plugins

fed7e69c · Michelle Noorali · 75682ed5 · fed7e69c · fed7e69c · fed7e69c
Commit fed7e69c authored 7 years ago by Michelle Noorali
Hide whitespace changes
Inline Side-by-side

Showing

with 108 additions and 8 deletions
+108 -8
--- a/glide.lock
+++ b/glide.lock
-hash: 6837936360d447b64aa7a09d3c89c18ac5540b009a57fc4d3227af299bf40268
-updated: 2018-04-03T08:17:14.801847688-07:00
+hash: 4023a1644d60060fbf2fdbbe5b73cbb4b957eb686ce925640d102db2d1858676
+updated: 2018-04-14T11:27:34.604716498-04:00
 imports:
 - name: cloud.google.com/go
  version: 3b1ae45394a234c385be014e9a488f2bb6eef821
@@ -31,6 +31,8 @@ imports:
  version: 71acacd42f85e5e82f70a55327789582a5200a90
  subpackages:
  - md2man
+- name: github.com/cyphar/filepath-securejoin
+  version: 06bda8370f45268db985f7af15732444d94ed51c
 - name: github.com/davecgh/go-spew
  version: 782f4967f2dc4564575ca782fe2d04090b5faca8
  subpackages:
@@ -210,6 +212,8 @@ imports:
  version: ca53cad383cad2479bbba7f7a1a05797ec1386e4
 - name: github.com/peterbourgon/diskv
  version: 5f041e8faa004a95c88a202771f4cc3e991971e6
+- name: github.com/pkg/errors
+  version: 645ef00459ed84a119197bfb8d8205042c6df63d
 - name: github.com/prometheus/client_golang
  version: c5b7fccd204277076155f10851dad72b76a49317
  subpackages:
@@ -641,7 +645,7 @@ imports:
  - pkg/util/proto
  - pkg/util/proto/validation
 - name: k8s.io/kubernetes
-  version: a22f9fd34871d9dc9e5db2c02c713821d18ab2cd
+  version: baab3992147260d47cb59b9c485a24fdeff2e457
  subpackages:
  - pkg/api/events
  - pkg/api/legacyscheme

--- a/glide.yaml
+++ b/glide.yaml
@@ -57,6 +57,8 @@ import:
  version: release-1.10
 - package: k8s.io/apiserver
  version: release-1.10
+- package: github.com/cyphar/filepath-securejoin
+  version: ^0.2.1

 testImports:
 - package: github.com/stretchr/testify

--- a/pkg/plugin/installer/http_installer.go
+++ b/pkg/plugin/installer/http_installer.go
@@ -21,14 +21,17 @@ import (
 	"compress/gzip"
 	"fmt"
 	"io"
-	"k8s.io/helm/pkg/getter"
-	"k8s.io/helm/pkg/helm/environment"
-	"k8s.io/helm/pkg/helm/helmpath"
-	"k8s.io/helm/pkg/plugin/cache"
 	"os"
 	"path/filepath"
 	"regexp"
 	"strings"
+
+	fp "github.com/cyphar/filepath-securejoin"
+
+	"k8s.io/helm/pkg/getter"
+	"k8s.io/helm/pkg/helm/environment"
+	"k8s.io/helm/pkg/helm/helmpath"
+	"k8s.io/helm/pkg/plugin/cache"
 )

 // HTTPInstaller installs plugins from an archive served by a web server.
@@ -181,7 +184,10 @@ func (g *TarGzExtractor) Extract(buffer *bytes.Buffer, targetDir string) error {
 			return err
 		}

-		path := filepath.Join(targetDir, header.Name)
+		path, err := fp.SecureJoin(targetDir, header.Name)
+		if err != nil {
+			return err
+		}

 		switch header.Typeflag {
 		case tar.TypeDir:

--- a/pkg/plugin/installer/http_installer_test.go
+++ b/pkg/plugin/installer/http_installer_test.go
@@ -16,12 +16,15 @@ limitations under the License.
 package installer // import "k8s.io/helm/pkg/plugin/installer"

 import (
+	"archive/tar"
 	"bytes"
+	"compress/gzip"
 	"encoding/base64"
 	"fmt"
 	"io/ioutil"
 	"k8s.io/helm/pkg/helm/helmpath"
 	"os"
+	"path/filepath"
 	"testing"
 )

@@ -187,3 +190,88 @@ func TestHTTPInstallerUpdate(t *testing.T) {
 		t.Error("update method not implemented for http installer")
 	}
 }
+
+func TestExtract(t *testing.T) {
+	//create a temp home
+	hh, err := ioutil.TempDir("", "helm-home-")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(hh)
+
+	home := helmpath.Home(hh)
+	if err := os.MkdirAll(home.Plugins(), 0755); err != nil {
+		t.Fatalf("Could not create %s: %s", home.Plugins(), err)
+	}
+
+	cacheDir := filepath.Join(home.Cache(), "plugins", "plugin-key")
+	if err := os.MkdirAll(cacheDir, 0755); err != nil {
+		t.Fatalf("Could not create %s: %s", cacheDir, err)
+	}
+
+	//{"plugin.yaml", "plugin metadata up in here"},
+	//{"README.md", "so you know what's upp"},
+	//{"script.sh", "echo script"},
+
+	var tarbuf bytes.Buffer
+	tw := tar.NewWriter(&tarbuf)
+	var files = []struct {
+		Name, Body string
+	}{
+		{"../../plugin.yaml", "sneaky plugin metadata"},
+		{"README.md", "some text"},
+	}
+	for _, file := range files {
+		hdr := &tar.Header{
+			Name:     file.Name,
+			Typeflag: tar.TypeReg,
+			Mode:     0600,
+			Size:     int64(len(file.Body)),
+		}
+		if err := tw.WriteHeader(hdr); err != nil {
+			t.Fatal(err)
+		}
+		if _, err := tw.Write([]byte(file.Body)); err != nil {
+			t.Fatal(err)
+		}
+	}
+	if err := tw.Close(); err != nil {
+		t.Fatal(err)
+	}
+
+	var buf bytes.Buffer
+	gz := gzip.NewWriter(&buf)
+	if _, err := gz.Write(tarbuf.Bytes()); err != nil {
+		t.Fatal(err)
+	}
+	gz.Close()
+
+	source := "https://repo.localdomain/plugins/fake-plugin-0.0.1.tgz"
+	extr, err := NewExtractor(source)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if err = extr.Extract(&buf, cacheDir); err != nil {
+		t.Errorf("Did not expect error but got error: %v", err)
+	}
+
+	pluginYAMLFullPath := filepath.Join(cacheDir, "plugin.yaml")
+	if _, err := os.Stat(pluginYAMLFullPath); err != nil {
+		if os.IsNotExist(err) {
+			t.Errorf("Expected %s to exist but doesn't", pluginYAMLFullPath)
+		} else {
+			t.Error(err)
+		}
+	}
+
+	readmeFullPath := filepath.Join(cacheDir, "README.md")
+	if _, err := os.Stat(readmeFullPath); err != nil {
+		if os.IsNotExist(err) {
+			t.Errorf("Expected %s to exist but doesn't", readmeFullPath)
+		} else {
+			t.Error(err)
+		}
+	}
+
+}