Skip to content

Improve path handling in source reconcilers#2054

Merged
hiddeco merged 2 commits into
mainfrom
resolve-paths-with-securejoin
May 19, 2026
Merged

Improve path handling in source reconcilers#2054
hiddeco merged 2 commits into
mainfrom
resolve-paths-with-securejoin

Conversation

@hiddeco

@hiddeco hiddeco commented May 19, 2026

Copy link
Copy Markdown
Member

No description provided.

@hiddeco
Resolve bucket object paths with SecureJoin
6d2d86d 
Bucket object keys are external input and may contain arbitrary
characters. Joining them with the reconciler's working directory
through `filepath.Join` applies `filepath.Clean`, which collapses
parent-directory segments and can yield a destination outside the
working directory. `securejoin.SecureJoin` resolves the key while
keeping the result within the working directory, matching the
pattern already used elsewhere in the controllers for similar
joins (e.g. GitRepository include paths).

Assisted-by: claude-code/opus-4.7
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
matheuscscp
matheuscscp approved these changes May 19, 2026
View reviewed changes

@matheuscscp matheuscscp left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@matheuscscp matheuscscp added the backport:release/v1.8.x To be backported to release/v1.8.x label May 19, 2026
@hiddeco
Resolve sparse checkout paths with SecureJoin
f5fe034 
When validating that the paths listed in `spec.sparseCheckout`
exist in the cloned working tree, resolve each entry with
`securejoin.SecureJoin` instead of `filepath.Join`. `filepath.Join`
collapses parent-directory segments via `filepath.Clean`, so a
configured path like `../foo` would have been checked against a
location outside the working tree, masking a missing entry behind
an unrelated filesystem stat. SecureJoin keeps the resolved path
inside the working tree, matching the pattern already used for
include paths elsewhere in the controller.

Assisted-by: claude-code/opus-4.7
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
@hiddeco hiddeco force-pushed the resolve-paths-with-securejoin branch from e99183e to f5fe034 Compare May 19, 2026 10:41
@hiddeco hiddeco added backport:release/v1.6.x To be backported to release/v1.6.x backport:release/v1.7.x To be backported to release/v1.7.x and removed backport:release/v1.6.x To be backported to release/v1.6.x backport:release/v1.7.x To be backported to release/v1.7.x labels May 19, 2026
@hiddeco hiddeco merged commit 759bd6c into main May 19, 2026
8 of 9 checks passed
@hiddeco hiddeco deleted the resolve-paths-with-securejoin branch May 19, 2026 11:47
@fluxcdbot fluxcdbot mentioned this pull request May 19, 2026
Merged
@fluxcdbot

fluxcdbot commented May 19, 2026

Copy link
Copy Markdown
Member

Successfully created backport PR for release/v1.8.x:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@matheuscscp matheuscscp matheuscscp approved these changes

Assignees

No one assigned

Labels

backport:release/v1.8.x To be backported to release/v1.8.x

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hiddeco @fluxcdbot @matheuscscp