tighten up plugin-finding logic

squeed · squeed · commit 6e33d928cc0f · 2021-02-01T12:18:08.000+01:00
Signed-off-by: Casey Callendrello &lt;cdc@redhat.com&gt;
diff --git a/pkg/invoke/find.go b/pkg/invoke/find.go
@@ -18,6 +18,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 )
 
 // FindInPath returns the full path of the plugin by searching in the provided path
@@ -26,6 +27,10 @@ func FindInPath(plugin string, paths []string) (string, error) {
 		return "", fmt.Errorf("no plugin name provided")
 	}
 
+	if strings.ContainsRune(plugin, os.PathSeparator) {
+		return "", fmt.Errorf("invalid plugin name: %s", plugin)
+	}
+
 	if len(paths) == 0 {
 		return "", fmt.Errorf("no paths provided")
 	}
diff --git a/pkg/invoke/find_test.go b/pkg/invoke/find_test.go
@@ -99,5 +99,13 @@ var _ = Describe("FindInPath", func() {
 				Expect(err).To(MatchError(fmt.Sprintf("failed to find plugin %q in path %s", pluginName, pathsWithNothing)))
 			})
 		})
+
+		Context("When the plugin contains a directory separator", func() {
+			It("returns an error", func() {
+				bogusPlugin := ".." + string(os.PathSeparator) + "pluginname"
+				_, err := invoke.FindInPath(bogusPlugin, []string{anotherTempDir})
+				Expect(err).To(MatchError("invalid plugin name: " + bogusPlugin))
+			})
+		})
 	})
 })

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ import (`
`18`	`18`	`"fmt"`
`19`	`19`	`"os"`
`20`	`20`	`"path/filepath"`
	`21`	`+ "strings"`
`21`	`22`	`)`
`22`	`23`
`23`	`24`	`// FindInPath returns the full path of the plugin by searching in the provided path`
`@@ -26,6 +27,10 @@ func FindInPath(plugin string, paths []string) (string, error) {`
`26`	`27`	`return "", fmt.Errorf("no plugin name provided")`
`27`	`28`	`}`
`28`	`29`
	`30`	`+ if strings.ContainsRune(plugin, os.PathSeparator) {`
	`31`	`+ return "", fmt.Errorf("invalid plugin name: %s", plugin)`
	`32`	`+ }`
	`33`	`+`
`29`	`34`	`if len(paths) == 0 {`
`30`	`35`	`return "", fmt.Errorf("no paths provided")`
`31`	`36`	`}`