File 0001-tighten-up-plugin-finding-logic.patch of Package cni.30388
From ada67263b12ff0c65f1256e120f6d9f7f0277388 Mon Sep 17 00:00:00 2001
From: Casey Callendrello <cdc@redhat.com>
Date: Tue, 19 Jan 2021 15:36:49 +0100
Subject: [PATCH] tighten up plugin-finding logic
Signed-off-by: Casey Callendrello <cdc@redhat.com>
---
 pkg/invoke/find.go      | 5 +++++
 pkg/invoke/find_test.go | 8 ++++++++
 2 files changed, 13 insertions(+)
diff --git a/pkg/invoke/find.go b/pkg/invoke/find.go
index e815404c..e62029eb 100644
--- a/pkg/invoke/find.go
+++ b/pkg/invoke/find.go
@@ -18,6 +18,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 )
 
 // FindInPath returns the full path of the plugin by searching in the provided path
@@ -26,6 +27,10 @@ func FindInPath(plugin string, paths []string) (string, error) {
 		return "", fmt.Errorf("no plugin name provided")
 	}
 
+	if strings.ContainsRune(plugin, os.PathSeparator) {
+		return "", fmt.Errorf("invalid plugin name: %s", plugin)
+	}
+
 	if len(paths) == 0 {
 		return "", fmt.Errorf("no paths provided")
 	}
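Review bot: The new guard in FindInPath rejects only `os.PathSeparator`, which is `\` on Windows, so a name written with forward slashes such as `../pluginname` still passes there even though Windows path handling treats `/` as a separator as well. Checking both closes that gap: `if strings.ContainsRune(plugin, os.PathSeparator) || strings.ContainsRune(plugin, '/') {`. The rest of the function lies outside this hunk, so how the name is joined to each search path (presumably via `filepath.Join`, given the import) should be confirmed. The error would also be safer to log with `%q` instead of `%s`, since the rejected name is by definition untrusted, though the assertion in find_test.go would need the matching change. The added test builds its bogus name from `os.PathSeparator` only, so a second case using a literal `/` would pin the behaviour on every platform.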
diff --git a/pkg/invoke/find_test.go b/pkg/invoke/find_test.go
index 58543131..dfa7440b 100644
--- a/pkg/invoke/find_test.go
+++ b/pkg/invoke/find_test.go
@@ -99,5 +99,13 @@ var _ = Describe("FindInPath", func() {
 				Expect(err).To(MatchError(fmt.Sprintf("failed to find plugin %q in path %s", pluginName, pathsWithNothing)))
 			})
 		})
+
+		Context("When the plugin contains a directory separator", func() {
+			It("returns an error", func() {
+				bogusPlugin := ".." + string(os.PathSeparator) + "pluginname"
+				_, err := invoke.FindInPath(bogusPlugin, []string{anotherTempDir})
+				Expect(err).To(MatchError("invalid plugin name: " + bogusPlugin))
+			})
+		})
 	})
 })