config: Use glob instead of regexp to match paths in annotations

When filtering annotations that correspond to paths, e.g. hypervisor.path, it is better to use a glob syntax than a regexp syntax, as it is more usual for paths, and prevents classes of matches that are undesirable in our case, such as matching .. against .* Fixes: #3004 Signed-off-by: Christophe de Dinechin <[email protected]>
kata-containers · Nov 10, 2020 · 2417d0b · 2417d0b
1 parent 1e036c8
commit 2417d0b
Showing 1 changed file with 18 additions and 6 deletions.
diff --git a/virtcontainers/pkg/oci/utils.go b/virtcontainers/pkg/oci/utils.go
@@ -215,6 +215,18 @@ func regexpContains(s []string, e string) bool {
 	return false
 }
 
+func checkPathIsInGlobList(list []string, path string) bool {
+	for _, glob := range list {
+		filenames, _ := filepath.Glob(glob)
+		for _, a := range filenames {
+			if path == a {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 func newLinuxDeviceInfo(d specs.LinuxDevice) (*config.DeviceInfo, error) {
 	allowedDeviceTypes := []string{"c", "b", "u", "p"}
 
@@ -401,21 +413,21 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig,
 	}
 
 	if value, ok := ocispec.Annotations[vcAnnotations.HypervisorPath]; ok {
-		if !regexpContains(runtime.HypervisorConfig.HypervisorPathList, value) {
+		if !checkPathIsInGlobList(runtime.HypervisorConfig.HypervisorPathList, value) {
 			return fmt.Errorf("hypervisor %v required from annotation is not valid", value)
 		}
 		config.HypervisorConfig.HypervisorPath = value
 	}
 
 	if value, ok := ocispec.Annotations[vcAnnotations.JailerPath]; ok {
-		if !regexpContains(runtime.HypervisorConfig.JailerPathList, value) {
+		if !checkPathIsInGlobList(runtime.HypervisorConfig.JailerPathList, value) {
 			return fmt.Errorf("jailer %v required from annotation is not valid", value)
 		}
 		config.HypervisorConfig.JailerPath = value
 	}
 
 	if value, ok := ocispec.Annotations[vcAnnotations.CtlPath]; ok {
-		if !regexpContains(runtime.HypervisorConfig.HypervisorCtlPathList, value) {
+		if !checkPathIsInGlobList(runtime.HypervisorConfig.HypervisorCtlPathList, value) {
 			return fmt.Errorf("hypervisor control %v required from annotation is not valid", value)
 		}
 		config.HypervisorConfig.HypervisorCtlPath = value
@@ -460,7 +472,7 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig,
 	}
 
 	if value, ok := ocispec.Annotations[vcAnnotations.VhostUserStorePath]; ok {
-		if !regexpContains(runtime.HypervisorConfig.VhostUserStorePathList, value) {
+		if !checkPathIsInGlobList(runtime.HypervisorConfig.VhostUserStorePathList, value) {
 			return fmt.Errorf("vhost store path %v required from annotation is not valid", value)
 		}
 		config.HypervisorConfig.VhostUserStorePath = value
@@ -576,7 +588,7 @@ func addHypervisorMemoryOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConfig
 	}
 
 	if value, ok := ocispec.Annotations[vcAnnotations.FileBackedMemRootDir]; ok {
-		if !regexpContains(runtime.HypervisorConfig.FileBackedMemRootList, value) {
+		if !checkPathIsInGlobList(runtime.HypervisorConfig.FileBackedMemRootList, value) {
 			return fmt.Errorf("file_mem_backend value %v required from annotation is not valid", value)
 		}
 		sbConfig.HypervisorConfig.FileBackedMemRootDir = value
@@ -732,7 +744,7 @@ func addHypervisorVirtioFsOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConf
 	}
 
 	if value, ok := ocispec.Annotations[vcAnnotations.VirtioFSDaemon]; ok {
-		if !regexpContains(runtime.HypervisorConfig.VirtioFSDaemonList, value) {
+		if !checkPathIsInGlobList(runtime.HypervisorConfig.VirtioFSDaemonList, value) {
 			return fmt.Errorf("virtiofs daemon %v required from annotation is not valid", value)
 		}
 		sbConfig.HypervisorConfig.VirtioFSDaemon = value