kustomize: introduce secure FS implementation #262
Merged
Commits on Apr 15, 2022
-
kustomize: introduce secure FS implementation
This implementation functions as a drop-in replacement for Kustomize's own `fsOnDisk`, and asserts any path it handles to be inside root. In essence, the whole file system is now restricted like loader.RestrictionRootOnly would, but while allowing root to differ from the top Kustomization directory. The main reason to put the constraint in the file system implementation is because the current Krusty API does not allow to configure a custom load restrictor, but does allow injecting a custom FS. Signed-off-by: Hidde Beydals <hello@hidde.co>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.