diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index c67e2fd7..4443f46f 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -76,25 +76,6 @@ jobs:
 - name: Unit tests
 run: make check-unit
- system-tests:
- env:
- DEBUG: "1"
- SKIP_VM_LAUNCH: "1"
- SNAPSHOT_RESTORE: "1"
- name: System
- runs-on: GitHubMicrocloud
- strategy:
- fail-fast: false
- matrix:
- go: ["1.22.x"]
- suite:
- - "add"
- - "instances"
- - "basic"
- - "recover"
- - "interactive"
- - "mismatch"
- - "preseed"
 steps:
 - name: Performance tuning
diff --git a/api/services_tokens.go b/api/services_tokens.go
index d6f67822..6dd590af 100644
--- a/api/services_tokens.go
+++ b/api/services_tokens.go
@@ -5,6 +5,9 @@ import (
 "fmt"
 "net/http"
 "net/url"
+ "os"
+ "path/filepath"
+ "strings"
 "github.com/canonical/lxd/lxd/response"
 "github.com/canonical/microcluster/rest"
@@ -26,6 +29,19 @@ var ServiceTokensCmd = func(sh *service.Handler) rest.Endpoint {
 }
 }
+func IsSafeVarPath(path string) error {
+ if strings.Contains(path, "/") || strings.Contains(path, "\\") || strings.Contains(path, "..") {
+ return fmt.Errorf("test err")
+ }
+
+ _, err := filepath.Abs(path)
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
+
 // serviceTokensPost issues a token for service using the MicroCloud proxy.
 // Normally a token request to a service would be restricted to trusted systems,
 // so this endpoint validates the mDNS auth token and then proxies the request to the local unix socket of the remote system.
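Review bot: `IsSafeVarPath` in the `@@ -26,6 +29,19 @@` hunk is exported without a doc comment, reports every rejection with the placeholder text `test err`, and still accepts the empty string and `.`, neither of which names a usable entry. The `filepath.Abs` call adds nothing to the check: its result is discarded and it only fails when the working directory cannot be determined. Nothing visible in this diff calls the function; the handler hunk further down repeats the same three `strings.Contains` tests inline, so the two copies can drift apart. I would document the contract (a single path component with no separators and no `..`), name the rejected value in the error, and drop the `Abs` call, as sketched below.

```go
// IsSafeVarPath returns an error unless path is a single, non-empty path
// component: no "/" or "\" separators and no ".." sequence.
func IsSafeVarPath(path string) error {
	if path == "" || path == "." || strings.ContainsAny(path, `/\`) || strings.Contains(path, "..") {
		return fmt.Errorf("invalid path component %q", path)
	}

	return nil
}
```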
@@ -43,6 +59,12 @@ func serviceTokensPost(s *state.State, r *http.Request) response.Response {
 return response.BadRequest(err)
 }
+ if strings.Contains(req.JoinerName, "/") || strings.Contains(req.JoinerName, "\\") || strings.Contains(req.JoinerName, "..") {
+ return response.SmartError(fmt.Errorf("test"))
+ }
+
+ _ = os.MkdirAll(req.JoinerName, 0700)
+
 sh, err := service.NewHandler(s.Name(), req.ClusterAddress, s.OS.StateDir, false, false, types.ServiceType(serviceType))
 if err != nil {
 return response.SmartError(err)
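Review bot: `_ = os.MkdirAll(req.JoinerName, 0700)` creates a directory named by a request field, relative to whatever the daemon's working directory is, and discards the error; together with the `test` error text it reads like leftover debugging code and should be removed before merge. If a directory is really needed, build it under a fixed base with `filepath.Join(s.OS.StateDir, ...)` and return the error. The name check above it should call the shared helper and reject with a client error, as the decode failure just before it does: `if err := IsSafeVarPath(req.JoinerName); err != nil { return response.BadRequest(err) }`. An empty `JoinerName` passes the inline check as written. The body of serviceTokensPost starts and ends outside this hunk, so whether this code runs before or after the mDNS token validation cannot be confirmed from here.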