Merge pull request #1088 from andyzhangx/fix/validate-path-v2

cleanup: add validatePath to newNFSVolume

Author: andyzhangx

pkg/nfs/controllerserver.go

@@ -709,6 +709,13 @@ func newNFSVolume(name string, size int64, params map[string]string, defaultOnDe
 		return nil, fmt.Errorf("%v is a required parameter", paramServer)
 	}
 
+	if err := validatePath(baseDir); err != nil {
+		return nil, fmt.Errorf("invalid share %q: %v", baseDir, err)
+	}
+	if err := validatePath(subDir); err != nil {
+		return nil, fmt.Errorf("invalid subDir %q: %v", subDir, err)
+	}
+
 	vol := &nfsVolume{
 		server:  server,
 		baseDir: baseDir,

pkg/nfs/controllerserver_test.go

@@ -705,6 +705,30 @@ func TestNewNFSVolume(t *testing.T) {
 			expectVol: nil,
 			expectErr: fmt.Errorf("invalid value %s for OnDelete, supported values are %v", "invalid", supportedOnDeleteValues),
 		},
+		{
+			desc: "subDir with path traversal should be rejected",
+			name: "pv-name",
+			size: 100,
+			params: map[string]string{
+				paramServer: "//nfs-server.default.svc.cluster.local",
+				paramShare:  "share",
+				paramSubDir: "../../etc/shadow",
+			},
+			expectVol: nil,
+			expectErr: fmt.Errorf("invalid subDir %q: path contains directory traversal sequence", "../../etc/shadow"),
+		},
+		{
+			desc: "share with path traversal should be rejected",
+			name: "pv-name",
+			size: 100,
+			params: map[string]string{
+				paramServer: "//nfs-server.default.svc.cluster.local",
+				paramShare:  "/exports/../../../etc",
+				paramSubDir: "data",
+			},
+			expectVol: nil,
+			expectErr: fmt.Errorf("invalid share %q: path contains directory traversal sequence", "/exports/../../../etc"),
+		},
 	}
 
 	for _, test := range cases {