add validation rule to reject input with relative path

naver · Jan 8, 2025 · 4e82494 · 4e82494
1 parent 31d45f6
commit 4e82494
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/pkg/operator/api/v1/template/template.go b/pkg/operator/api/v1/template/template.go
@@ -21,6 +21,7 @@ import (
 	"errors"
 	"fmt"
 	"net/url"
+	"path/filepath"
 	"strings"
 	"text/template"
 	"time"
@@ -54,6 +55,10 @@ func ValidateTemplateString(templateStr string) error {
 		return errors.New("mismatch between '{{' and '}}'")
 	}
 
+	if !filepath.IsAbs(templateStr) {
+		return errors.New("the template should be an absolute path (starting with `/`)")
+	}
+
 	tmpl, err := getTemplate(fmt.Sprintf("validate_%s", templateStr), PathElement{}).Parse(templateStr)
 	if err != nil {
 		return err

diff --git a/pkg/operator/api/v1/template/template_test.go b/pkg/operator/api/v1/template/template_test.go
@@ -64,6 +64,7 @@ func TestInvalidPath(t *testing.T) {
 		"/{.SourcePath}}",              // invalid brace
 		"/{{.TimeLayout \"2006-01\"}}", // invalid function usage
 		"/{{TimeLayout}}",              // invalid function usage
+		"{{.Container}}/{{.Pod}}",      // invalid relative path
 	}
 
 	for _, tmpl := range templates {