I have a script source SasUri like:
https://xxx.blob.windows.net/container/foo/bar.sh
According to:
```go
fileName, blobPathError := getBlobPathAfterContainerName(blobURI, containerRef.Name)
if fileName == "" {
	return "", errors.Wrapf(blobPathError, "cannot extract blob path name from URL: %q", blobURI)
}

blobref := containerRef.GetBlobReference(fileName)
reader, err := blobref.Get(nil)
if err != nil {
	return "", errors.Wrapf(err, "unable to open storage blob: %q", blobURI)
}

scriptFilePath := filepath.Join(targetDir, fileName)
const mode = 0500 // scripts should have execute permissions
file, err := os.OpenFile(scriptFilePath, os.O_WRONLY|os.O_TRUNC|os.O_CREATE, mode)
if err != nil {
	return "", errors.Wrap(err, "failed to open file for writing: "+scriptFilePath)
}
defer file.Close()
```
`fileName` becomes `foo/bar.sh`. However, directory `foo` doesn't exist, so the `open` below always fails.
Suggest using a fixed file name like a GUID. Otherwise you have to deal with `..` and `/` in paths, which could cause a lot of security troubles.
run-command-handler-linux/pkg/download/blob.go
Lines 82 to 99 in 6efb77e
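The two options raised in the issue, as an added Go example that is not part of the original post or the project's code: a random fixed-shape local name that ignores the blob path, and a containment check for the case where the blob path is kept. The function names `randomScriptName` and `containedJoin`, the target directory `/var/lib/scripts` and the sample blob paths are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"path/filepath"
	"strings"
)

// randomScriptName (hypothetical helper) returns a local file name that is
// independent of the blob path, so "/" and ".." from the URL never reach disk.
func randomScriptName() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b) + ".sh", nil
}

// containedJoin (hypothetical helper) joins an untrusted relative blob path
// onto targetDir and rejects any result outside targetDir. A caller keeping
// "foo/bar.sh" must still create the parent directory before opening the file.
func containedJoin(targetDir, blobPath string) (string, error) {
	if blobPath == "" || filepath.IsAbs(blobPath) {
		return "", fmt.Errorf("invalid blob path %q", blobPath)
	}
	root := filepath.Clean(targetDir)
	joined := filepath.Join(root, blobPath) // Join also resolves ".." segments
	rel, err := filepath.Rel(root, joined)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("blob path %q escapes %q", blobPath, targetDir)
	}
	return joined, nil
}

func main() {
	const targetDir = "/var/lib/scripts" // constructed directory for the demo
	name, err := randomScriptName()
	fmt.Println(filepath.Join(targetDir, name), err)
	// Constructed blob paths: one nested, two that climb out of targetDir.
	for _, p := range []string{"foo/bar.sh", "../../etc/x.sh", "foo/../../x.sh"} {
		path, err := containedJoin(targetDir, p)
		fmt.Printf("%q -> %q, err=%v\n", p, path, err)
	}
}
```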