csi: fix check of StagePublishBaseDir being subdirectory of MountDir

backport of commit a4f577f (#27905)

Co-authored-by: Allison Larson <allison.larson@hashicorp.com>

Author: hc-github-team-nomad-core

.changelog/27717.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+csi: improve check of StagePublishBaseDir being subdirectory of MountDir
+```

helper/funcs.go

@@ -568,3 +568,12 @@ func FindExecutableFiles(path string) (map[string]string, error) {
 	}
 	return executables, nil
 }
+
+// IsSubdirectory returns true if potentialParent is equal to or a parent directory of path.
+func IsSubdirectory(potentialParent, path string) bool {
+	rel, err := filepath.Rel(potentialParent, path)
+	if err != nil {
+		return false
+	}
+	return !strings.HasPrefix(rel, "..")
+}

helper/funcs_test.go

@@ -528,3 +528,23 @@ func TestFlattenMultiError(t *testing.T) {
 
 `, err.Error())
 }
+
+func TestIsSubdirectory(t *testing.T) {
+	cases := []struct {
+		potentialParent string
+		path            string
+		expected        bool
+	}{
+		{potentialParent: "/dir", path: "/dir/local", expected: true},
+		{potentialParent: "/dir", path: "/other", expected: false},
+		{potentialParent: "/dir", path: "/directory", expected: false},
+		{potentialParent: "/dir", path: "/directory/../dir/local", expected: true},
+	}
+
+	for _, tc := range cases {
+		t.Run(fmt.Sprintf("parent=%q path=%q", tc.potentialParent, tc.path), func(t *testing.T) {
+			result := IsSubdirectory(tc.potentialParent, tc.path)
+			require.Equal(t, tc.expected, result)
+		})
+	}
+}

nomad/structs/structs.go

@@ -8357,7 +8357,7 @@ func (t *Task) Validate(jobType string, tg *TaskGroup) error {
 		}
 
 		if t.CSIPluginConfig.StagePublishBaseDir != "" && t.CSIPluginConfig.MountDir != "" &&
-			strings.HasPrefix(t.CSIPluginConfig.StagePublishBaseDir, t.CSIPluginConfig.MountDir) {
+			helper.IsSubdirectory(t.CSIPluginConfig.MountDir, t.CSIPluginConfig.StagePublishBaseDir) {
 			mErr.Errors = append(mErr.Errors, fmt.Errorf("CSIPluginConfig StagePublishBaseDir must not be a subdirectory of MountDir, got: StagePublishBaseDir=\"%s\" MountDir=\"%s\"", t.CSIPluginConfig.StagePublishBaseDir, t.CSIPluginConfig.MountDir))
 		}
 

nomad/structs/structs_test.go

@@ -3369,6 +3369,15 @@ func TestTask_Validate_CSIPluginConfig(t *testing.T) {
 			},
 			expectedErr: "CSIPluginConfig StagePublishBaseDir must not be a subdirectory of MountDir, got: StagePublishBaseDir=\"/csi/local\" MountDir=\"/csi\"",
 		},
+		{
+			name: "handles valid staging publish base dir",
+			pc: &TaskCSIPluginConfig{
+				ID:                  "com.hashicorp.csi",
+				Type:                "monolith",
+				MountDir:            "/csi",
+				StagePublishBaseDir: "/csilocal",
+			},
+		},
 	}
 
 	for _, tt := range table {