MkdirAllInRoot attempts to make path, _ := securejoin.SecureJoin(root.Name(), unsafePath) os.MkdirAll(path, mode) os.Open(path) safer against attacks where components in the path are changed between SecureJoin returning and MkdirAll (or Open) being called. In particular, we try to detect any sy
(root *os.File, unsafePath string, mode os.FileMode)
| 48 | // needed for a lot of runc callers and fixing this would require reworking a |
| 49 | // lot of path logic). |
| 50 | func MkdirAllInRoot(root *os.File, unsafePath string, mode os.FileMode) (*os.File, error) { |
| 51 | unsafePath, err := hallucinateUnsafePath(root.Name(), unsafePath) |
| 52 | if err != nil { |
| 53 | return nil, fmt.Errorf("failed to construct hallucinated target path: %w", err) |
| 54 | } |
| 55 | |
| 56 | // Check for any silly mode bits. |
| 57 | if mode&^0o7777 != 0 { |
| 58 | return nil, fmt.Errorf("tried to include non-mode bits in MkdirAll mode: 0o%.3o", mode) |
| 59 | } |
| 60 | // Linux (and thus os.MkdirAll) silently ignores the suid and sgid bits if |
| 61 | // passed. While it would make sense to return an error in that case (since |
| 62 | // the user has asked for a mode that won't be applied), for compatibility |
| 63 | // reasons we have to ignore these bits. |
| 64 | if ignoredBits := mode &^ 0o1777; ignoredBits != 0 { |
| 65 | logrus.Warnf("MkdirAll called with no-op mode bits that are ignored by Linux: 0o%.3o", ignoredBits) |
| 66 | mode &= 0o1777 |
| 67 | } |
| 68 | |
| 69 | return retryEAGAIN(func() (*os.File, error) { |
| 70 | return pathrs.MkdirAllHandle(root, unsafePath, mode) |
| 71 | }) |
| 72 | } |
no test coverage detected
searching dependent graphs…