From a04741d9f3b45a95e4ff06632209547f2cd34456 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 3 May 2024 09:32:10 +0000
Subject: [PATCH] fix(deps): update module
 github.com/cyphar/filepath-securejoin to v0.2.5

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 go.mod                                        |  2 +-
 go.sum                                        |  4 +-
 .../cyphar/filepath-securejoin/VERSION        |  2 +-
 .../cyphar/filepath-securejoin/join.go        | 77 +++++++++----------
 vendor/modules.txt                            |  2 +-
 5 files changed, 43 insertions(+), 44 deletions(-)

diff --git a/go.mod b/go.mod
index 9b53490a874..0d21cf130bd 100644
--- a/go.mod
+++ b/go.mod
@@ -25,7 +25,7 @@ require (
 	github.com/containers/luksy v0.0.0-20240408185936-afd8e7619947
 	github.com/containers/ocicrypt v1.1.10
 	github.com/containers/storage v1.53.1-0.20240411065836-1fd0dc1d20e5
-	github.com/cyphar/filepath-securejoin v0.2.4
+	github.com/cyphar/filepath-securejoin v0.2.5
 	github.com/docker/distribution v2.8.3+incompatible
 	github.com/docker/docker v25.0.5+incompatible
 	github.com/docker/go-units v0.5.0
diff --git a/go.sum b/go.sum
index b54f4702c60..5234790681e 100644
--- a/go.sum
+++ b/go.sum
@@ -77,8 +77,8 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
 github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f h1:eHnXnuK47UlSTOQexbzxAZfekVz6i+LKRdj1CU5DPaM=
 github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw=
-github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
-github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/cyphar/filepath-securejoin v0.2.5 h1:6iR5tXJ/e6tJZzzdMc1km3Sa7RRIVBKAK32O2s7AYfo=
+github.com/cyphar/filepath-securejoin v0.2.5/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
diff --git a/vendor/github.com/cyphar/filepath-securejoin/VERSION b/vendor/github.com/cyphar/filepath-securejoin/VERSION
index abd410582de..3a4036fb450 100644
--- a/vendor/github.com/cyphar/filepath-securejoin/VERSION
+++ b/vendor/github.com/cyphar/filepath-securejoin/VERSION
@@ -1 +1 @@
-0.2.4
+0.2.5
diff --git a/vendor/github.com/cyphar/filepath-securejoin/join.go b/vendor/github.com/cyphar/filepath-securejoin/join.go
index aa32b85fb84..5ac23b99831 100644
--- a/vendor/github.com/cyphar/filepath-securejoin/join.go
+++ b/vendor/github.com/cyphar/filepath-securejoin/join.go
@@ -11,7 +11,6 @@
 package securejoin
 
 import (
-	"bytes"
 	"errors"
 	"os"
 	"path/filepath"
@@ -19,6 +18,8 @@ import (
 	"syscall"
 )
 
+const maxSymlinkLimit = 255
+
 // IsNotExist tells you if err is an error that implies that either the path
 // accessed does not exist (or path components don't exist). This is
 // effectively a more broad version of os.IsNotExist.
@@ -51,71 +52,69 @@ func SecureJoinVFS(root, unsafePath string, vfs VFS) (string, error) {
 	}
 
 	unsafePath = filepath.FromSlash(unsafePath)
-	var path bytes.Buffer
-	n := 0
-	for unsafePath != "" {
-		if n > 255 {
-			return "", &os.PathError{Op: "SecureJoin", Path: root + string(filepath.Separator) + unsafePath, Err: syscall.ELOOP}
-		}
-
-		if v := filepath.VolumeName(unsafePath); v != "" {
-			unsafePath = unsafePath[len(v):]
+	var (
+		currentPath   string
+		remainingPath = unsafePath
+		linksWalked   int
+	)
+	for remainingPath != "" {
+		if v := filepath.VolumeName(remainingPath); v != "" {
+			remainingPath = remainingPath[len(v):]
 		}
 
-		// Next path component, p.
-		i := strings.IndexRune(unsafePath, filepath.Separator)
-		var p string
-		if i == -1 {
-			p, unsafePath = unsafePath, ""
+		// Get the next path component.
+		var part string
+		if i := strings.IndexRune(remainingPath, filepath.Separator); i == -1 {
+			part, remainingPath = remainingPath, ""
 		} else {
-			p, unsafePath = unsafePath[:i], unsafePath[i+1:]
+			part, remainingPath = remainingPath[:i], remainingPath[i+1:]
 		}
 
-		// Create a cleaned path, using the lexical semantics of /../a, to
-		// create a "scoped" path component which can safely be joined to fullP
-		// for evaluation. At this point, path.String() doesn't contain any
-		// symlink components.
-		cleanP := filepath.Clean(string(filepath.Separator) + path.String() + p)
-		if cleanP == string(filepath.Separator) {
-			path.Reset()
+		// Apply the component lexically to the path we are building.
+		// currentPath does not contain any symlinks, and we are lexically
+		// dealing with a single component, so it's okay to do a filepath.Clean
+		// here.
+		nextPath := filepath.Join(string(filepath.Separator), currentPath, part)
+		if nextPath == string(filepath.Separator) {
+			currentPath = ""
 			continue
 		}
-		fullP := filepath.Clean(root + cleanP)
+		fullPath := root + string(filepath.Separator) + nextPath
 
 		// Figure out whether the path is a symlink.
-		fi, err := vfs.Lstat(fullP)
+		fi, err := vfs.Lstat(fullPath)
 		if err != nil && !IsNotExist(err) {
 			return "", err
 		}
 		// Treat non-existent path components the same as non-symlinks (we
 		// can't do any better here).
 		if IsNotExist(err) || fi.Mode()&os.ModeSymlink == 0 {
-			path.WriteString(p)
-			path.WriteRune(filepath.Separator)
+			currentPath = nextPath
 			continue
 		}
 
-		// Only increment when we actually dereference a link.
-		n++
+		// It's a symlink, so get its contents and expand it by prepending it
+		// to the yet-unparsed path.
+		linksWalked++
+		if linksWalked > maxSymlinkLimit {
+			return "", &os.PathError{Op: "SecureJoin", Path: root + string(filepath.Separator) + unsafePath, Err: syscall.ELOOP}
+		}
 
-		// It's a symlink, expand it by prepending it to the yet-unparsed path.
-		dest, err := vfs.Readlink(fullP)
+		dest, err := vfs.Readlink(fullPath)
 		if err != nil {
 			return "", err
 		}
+		remainingPath = dest + string(filepath.Separator) + remainingPath
 		// Absolute symlinks reset any work we've already done.
 		if filepath.IsAbs(dest) {
-			path.Reset()
+			currentPath = ""
 		}
-		unsafePath = dest + string(filepath.Separator) + unsafePath
 	}
 
-	// We have to clean path.String() here because it may contain '..'
-	// components that are entirely lexical, but would be misleading otherwise.
-	// And finally do a final clean to ensure that root is also lexically
-	// clean.
-	fullP := filepath.Clean(string(filepath.Separator) + path.String())
-	return filepath.Clean(root + fullP), nil
+	// There should be no lexical components like ".." left in the path here,
+	// but for safety clean up the path before joining it to the root.
+	finalPath := filepath.Join(string(filepath.Separator), currentPath)
+	return filepath.Join(root, finalPath), nil
 }
 
 // SecureJoin is a wrapper around SecureJoinVFS that just uses the os.* library
diff --git a/vendor/modules.txt b/vendor/modules.txt
index d197e1c23f0..12b79d52b81 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -307,7 +307,7 @@ github.com/coreos/go-systemd/v22/dbus
 # github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f
 ## explicit
 github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer
-# github.com/cyphar/filepath-securejoin v0.2.4
+# github.com/cyphar/filepath-securejoin v0.2.5
 ## explicit; go 1.13
 github.com/cyphar/filepath-securejoin
 # github.com/davecgh/go-spew v1.1.1