From a42e944c22048019acea38748fcd197dc3ab4f32 Mon Sep 17 00:00:00 2001
From: Sachin <57769917+slayer321@users.noreply.github.com>
Date: Wed, 13 Oct 2021 10:48:45 -0700
Subject: [PATCH] fix Potential file inclusion via variable (#2523)
Signed-off-by: slayer321
---
 pkg/kyverno/apply/apply_command.go | 4 ++++
 pkg/kyverno/common/common.go | 2 ++
 pkg/kyverno/common/fetch.go | 1 +
 pkg/testrunner/scenario.go | 9 ++++++---
 pkg/testrunner/utils.go | 2 ++
 pkg/webhookconfig/common.go | 2 ++
 6 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/pkg/kyverno/apply/apply_command.go b/pkg/kyverno/apply/apply_command.go
index 081abb8128..13940d7dce 100644
--- a/pkg/kyverno/apply/apply_command.go
+++ b/pkg/kyverno/apply/apply_command.go
@@ -204,7 +204,9 @@ func applyCommandHelper(resourcePaths []string, cluster bool, policyReport bool,
 // empty the previous contents of the file just in case if the file already existed before with some content(so as to perform overwrites)
 // the truncation of files for the case when mutateLogPath is dir, is handled under pkg/kyverno/apply/common.go
 if !mutateLogPathIsDir && mutateLogPath != "" {
+ mutateLogPath = filepath.Clean(mutateLogPath)
 _, err := os.OpenFile(mutateLogPath, os.O_TRUNC|os.O_WRONLY, 0600)
+
 if err != nil {
 if !sanitizederror.IsErrorSanitized(err) {
 return rc, resources, skippedPolicies, pvInfos, sanitizederror.NewWithError("failed to truncate the existing file at "+mutateLogPath, err)
@@ -374,7 +376,9 @@ func createFileOrFolder(mutateLogPath string, mutateLogPathIsDir bool) error {
 }
 }
+ mutateLogPath = filepath.Clean(mutateLogPath)
 file, err := os.OpenFile(mutateLogPath, os.O_RDONLY|os.O_CREATE, 0600)
+
 if err != nil {
 return sanitizederror.NewWithError(fmt.Sprintf("failed to create file"), err)
 }
diff --git a/pkg/kyverno/common/common.go b/pkg/kyverno/common/common.go
index 668eedebd1..6727fd834e 100644
--- a/pkg/kyverno/common/common.go
+++ b/pkg/kyverno/common/common.go
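Review bot: The `mutateLogPath = filepath.Clean(mutateLogPath)` added before `os.OpenFile` only normalizes the string (collapses `.`, `..` and repeated separators); a cleaned path can still be absolute or begin with `..`, so it does not confine where the truncate happens and quiets the static-analysis finding rather than addressing it. The same applies to every other hunk in this patch (createFileOrFolder, GetPolicies, PrintMutatedOutput, getFileBytes, loadFile, LoadFile and extractCA). If these paths are meant to be operator-supplied CLI or config values that is acceptable, but it should be recorded next to the call, e.g. `// operator-supplied path: Clean only normalizes, it is not a containment check`; where containment is intended, resolve with `filepath.Abs` and reject the path unless `filepath.Rel(allowedBase, p)` returns a result that does not start with `..`. Separately, the context line `_, err := os.OpenFile(mutateLogPath, os.O_TRUNC|os.O_WRONLY, 0600)` discards the returned *os.File, so the descriptor is never closed; keep it as `f, err := os.OpenFile(...)` and add `if err == nil { f.Close() }`. applyCommandHelper's body continues outside the hunk.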
@@ -139,6 +139,7 @@ func GetPolicies(paths []string) (policies []*v1.ClusterPolicy, errors []error)
 continue
 }
 } else {
+ path = filepath.Clean(path)
 fileBytes, err = ioutil.ReadFile(path)
 if err != nil {
 err := fmt.Errorf("failed to process %v: %v", path, err.Error())
@@ -649,6 +650,7 @@ func PrintMutatedOutput(mutateLogPath string, mutateLogPathIsDir bool, yaml stri
 var err error
 yaml = yaml + ("\n---\n\n")
+ mutateLogPath = filepath.Clean(mutateLogPath)
 if !mutateLogPathIsDir {
 // truncation for the case when mutateLogPath is a file (not a directory) is handled under pkg/kyverno/apply/test_command.go
 f, err = os.OpenFile(mutateLogPath, os.O_APPEND|os.O_WRONLY, 0600)
diff --git a/pkg/kyverno/common/fetch.go b/pkg/kyverno/common/fetch.go
index f067610e3d..0345accd46 100644
--- a/pkg/kyverno/common/fetch.go
+++ b/pkg/kyverno/common/fetch.go
@@ -236,6 +236,7 @@ func getFileBytes(path string) ([]byte, error) {
 return nil, err
 }
 } else {
+ path = filepath.Clean(path)
 file, err = ioutil.ReadFile(path)
 if err != nil {
 return nil, err
diff --git a/pkg/testrunner/scenario.go b/pkg/testrunner/scenario.go
index c20fe5231e..262d7d5d9a 100644
--- a/pkg/testrunner/scenario.go
+++ b/pkg/testrunner/scenario.go
@@ -3,7 +3,6 @@ package testrunner
 import (
 "bytes"
 "encoding/json"
- "github.com/stretchr/testify/assert"
 "io/ioutil"
 "os"
 ospath "path"
@@ -11,6 +10,11 @@ import (
 "reflect"
 "testing"
+ "github.com/stretchr/testify/assert"
+
+ "path"
+ "runtime"
+
 kyverno "github.com/kyverno/kyverno/pkg/api/kyverno/v1"
 client "github.com/kyverno/kyverno/pkg/dclient"
 "github.com/kyverno/kyverno/pkg/engine"
@@ -22,8 +26,6 @@ import (
 "k8s.io/apimachinery/pkg/runtime/schema"
 apiyaml "k8s.io/apimachinery/pkg/util/yaml"
 "k8s.io/client-go/kubernetes/scheme"
- "path"
- "runtime"
 )
 type Scenario struct {
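Review bot: The regrouped import block in scenario.go places the standard-library `"path"` and `"runtime"` in a group of their own after the third-party `github.com/stretchr/testify/assert`, which reverses the usual goimports grouping (standard library first, then everything else) and is likely to be shuffled again by the next formatter run. Moving `"path"` and `"runtime"` up into the first group beside `"os"` and `ospath "path"` keeps the block stable. Note also that `"path"` is imported twice under two names in the new file (`ospath "path"` in the first group and the bare `"path"` added here); if the call sites can agree on one alias, the other import can go. This hunk changes only the import block; the file's `filepath.Clean` use in loadFile is in a later hunk.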
@@ -116,6 +118,7 @@ func loadFile(t *testing.T, path string) ([]byte, error) {
 if _, err := os.Stat(path); os.IsNotExist(err) {
 return nil, err
 }
+ path = filepath.Clean(path)
 return ioutil.ReadFile(path)
 }
diff --git a/pkg/testrunner/utils.go b/pkg/testrunner/utils.go
index 43600a0af6..eaf1cde98b 100644
--- a/pkg/testrunner/utils.go
+++ b/pkg/testrunner/utils.go
@@ -3,6 +3,7 @@ package testrunner
 import (
 "io/ioutil"
 "os"
+ "path/filepath"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 "sigs.k8s.io/controller-runtime/pkg/log"
@@ -13,6 +14,7 @@ func LoadFile(path string) ([]byte, error) {
 if _, err := os.Stat(path); os.IsNotExist(err) {
 return nil, err
 }
+ path = filepath.Clean(path)
 return ioutil.ReadFile(path)
 }
diff --git a/pkg/webhookconfig/common.go b/pkg/webhookconfig/common.go
index 1294f925fa..8a0ae763be 100644
--- a/pkg/webhookconfig/common.go
+++ b/pkg/webhookconfig/common.go
@@ -2,6 +2,7 @@ package webhookconfig
 import (
 "io/ioutil"
+ "path/filepath"
 "reflect"
 "github.com/kyverno/kyverno/pkg/config"
@@ -42,6 +43,7 @@ func extractCA(config *rest.Config) (result []byte) {
 fileName := config.TLSClientConfig.CAFile
 if fileName != "" {
+ fileName = filepath.Clean(fileName)
 result, err := ioutil.ReadFile(fileName)
 if err != nil {
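Review bot: In loadFile the added `path = filepath.Clean(path)` runs after `os.Stat(path)`, so the existence check and `ioutil.ReadFile` are handed different strings; Clean collapses `a/../b` lexically whereas the OS resolves `a` through symlinks, so the two calls can end up naming different files. Move the assignment to the first line of the function, ahead of the Stat, so both operations see the same normalized path; the same ordering is present in LoadFile in pkg/testrunner/utils.go and should be fixed there too. ReadFile already fails with a not-exist error for a missing file, so the Stat pre-check appears to be a second lookup that only changes the reported op; `return ioutil.ReadFile(filepath.Clean(path))` on its own is probably sufficient, but confirm no caller depends on the stat-flavoured error.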