
Commit a7c96e9

patjlmclaude
andcommitted
validation: add absolute path and overlap checks for SA token mount paths
Match the validation behavior of validateCredentials: reject relative paths and detect parent/child mount path overlaps that would shadow each other at runtime. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent fdce86f commit a7c96e9

1 file changed

Lines changed: 18 additions & 0 deletions


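--- a/pkg/validation/test.go
+++ b/pkg/validation/test.go
@@ -962,9 +962,22 @@ func (v *Validator) validateServiceAccountTokens(fieldRoot string, tokens []api.
 }
 if token.MountPath == "" {
 ret = append(ret, fmt.Errorf("%s.mount_path: must not be empty", fieldPath))
+} else if !filepath.IsAbs(token.MountPath) {
+ret = append(ret, fmt.Errorf("%s.mount_path: must be an absolute path", fieldPath))
 } else if mountPaths.Has(token.MountPath) {
 ret = append(ret, fmt.Errorf("%s.mount_path: duplicate mount path %q", fieldPath, token.MountPath))
 } else {
+for j, other := range tokens[:i] {
+if other.MountPath == "" {
+continue
+}
+if relPath, err := filepath.Rel(other.MountPath, token.MountPath); err == nil && !strings.Contains(relPath, "..") {
+ret = append(ret, fmt.Errorf("%s.mount_path: %s is under service_account_tokens[%d] mount path %s", fieldPath, token.MountPath, j, other.MountPath))
+}
+if relPath, err := filepath.Rel(token.MountPath, other.MountPath); err == nil && !strings.Contains(relPath, "..") {
+ret = append(ret, fmt.Errorf("%s.mount_path: service_account_tokens[%d] mount path %s is under %s", fieldPath, j, other.MountPath, token.MountPath))
+}
+}
 mountPaths.Insert(token.MountPath)
 }
 if token.ExpirationSeconds != nil && *token.ExpirationSeconds < 600 {
@@ -977,6 +990,11 @@ func (v *Validator) validateServiceAccountTokens(fieldRoot string, tokens []api.
 // verifyAudienceOwnership checks if metadata's org and repo match those in the
 // audience config, verifying if it's one of the owners of the audience.
 func verifyAudienceOwnership(audience api.AllowedAudienceDetails, m *api.Metadata) error {
+// When metadata is nil (e.g., standalone registry reference validation via
+// IsValidReference), we can't determine org/repo ownership, so we permit the
+// audience. This is intentionally more permissive than verifyClusterProfileOwnership
+// because audience restrictions are enforced at the resolved config level where
+// metadata is always available.
 if m == nil || m.Org == "" {
 return nil
 }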
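Review bot: The overlap test `!strings.Contains(relPath, "..")` in the two `filepath.Rel` checks of the first hunk misses a real shadowing case: a child whose own name contains `..` (say `/var/run/secrets/a..b` under `/var/run/secrets`) yields `relPath == "a..b"`, which contains `..` and is therefore treated as "not under", so the parent/child overlap the commit is meant to reject slips through. Test for a real parent escape instead, e.g. `err == nil && relPath != ".." && !strings.HasPrefix(relPath, ".."+string(filepath.Separator))` in both directions (`relPath == "."` already means equal-after-cleaning and should also count as an overlap). Relatedly, `mountPaths.Has`/`Insert` compare the raw string while `filepath.Rel` cleans its inputs, so `/a/b` and `/a/b/` (or `/a/b/../c` and `/a/c`) are reported as an overlap rather than a duplicate; running `filepath.Clean` on `token.MountPath` before the duplicate check would make the two checks agree. Since these are container mount paths rather than host paths, the slash-separated `path` package would arguably be the right tool, but `filepath` is presumably kept here to match `validateCredentials`. validateServiceAccountTokens begins and ends outside this hunk.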
