Use securejoin

Signed-off-by: Evan Phoenix <evan@phx.io>
opencontainers · Oct 3, 2022 · f3a00d3 · f3a00d3
1 parent 4932cf4
commit f3a00d3
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/libcontainer/cgroups/systemd/common.go b/libcontainer/cgroups/systemd/common.go
@@ -14,6 +14,7 @@ import (
 	"time"
 
 	systemdDbus "github.com/coreos/go-systemd/v22/dbus"
+	securejoin "github.com/cyphar/filepath-securejoin"
 	dbus "github.com/godbus/dbus/v5"
 	"github.com/sirupsen/logrus"
 
@@ -297,7 +298,13 @@ func generateDeviceProperties(r *configs.Resources) ([]systemdDbus.Property, err
 				// (/dev/{block,char} is populated by udev, which isn't strictly required for systemd).
 				// Ironically, this happens most easily when starting containerd within a runc created
 				// container itself.
-				if _, err := os.Stat("/sys" + entry.Path); err != nil {
+				testPath, err := securejoin.SecureJoin("/sys", entry.Path)
+				if err != nil {
+					logrus.Errorf("error joining entry path: %s", err)
+					continue
+				}
+
+				if _, err := os.Stat(testPath); err != nil {
 					logrus.Warnf("skipping device %s for systemd: %s", entry.Path, err)
 					continue
 				}