internal/safepath/join_windows.go - third_party/github.com/moby/moby - Git at Google

 package safepath

 import (
 	"context"
 	"os"
 	"path/filepath"
 	"strings"

 	"github.com/containerd/log"
 	"github.com/docker/docker/internal/cleanups"
 	"github.com/pkg/errors"
 	"golang.org/x/sys/windows"
 )

 // Join locks all individual components of the path which is the concatenation
 // of provided path and its subpath, checks that it doesn't escape the base path
 // and returns the concatenated path.
 //
 // The path is safe (the path target won't change) until the returned SafePath
 // is Closed.
 // Caller is responsible for calling the Close function which unlocks the path.
 func Join(ctx context.Context, path, subpath string) (*SafePath, error) {
 	base, subpart, err := evaluatePath(path, subpath)
 	if err != nil {
 		return nil, err
 	}
 	parts := strings.Split(subpart, string(os.PathSeparator))

 	cleanupJobs := cleanups.Composite{}
 	defer func() {
 		if cErr := cleanupJobs.Call(context.WithoutCancel(ctx)); cErr != nil {
 			log.G(ctx).WithError(cErr).Warn("failed to close handles after error")
 		}
 	}()

 	fullPath := base
 	for _, part := range parts {
 		fullPath = filepath.Join(fullPath, part)

 		handle, err := lockFile(fullPath)
 		if err != nil {
 			if errors.Is(err, windows.ERROR_FILE_NOT_FOUND) {
 				return nil, &ErrNotAccessible{Path: fullPath, Cause: err}
 			}
 			return nil, errors.Wrapf(err, "failed to lock file %s", fullPath)
 		}
 		cleanupJobs.Add(func(context.Context) error {
 			if err := windows.CloseHandle(handle); err != nil {
 				return &os.PathError{Op: "CloseHandle", Path: fullPath, Err: err}
 			}
 			return err
 		})

 		realPath, err := filepath.EvalSymlinks(fullPath)
 		if err != nil {
 			return nil, errors.Wrapf(err, "failed to eval symlinks of %s", fullPath)
 		}

 		if realPath != fullPath && !isLocalTo(realPath, base) {
 			return nil, &ErrEscapesBase{Base: base, Subpath: subpart}
 		}

 		var info windows.ByHandleFileInformation
 		if err := windows.GetFileInformationByHandle(handle, &info); err != nil {
 			return nil, errors.WithStack(&os.PathError{Op: "GetFileInformationByHandle", Path: fullPath, Err: err})
 		}

 		if (info.FileAttributes & windows.FILE_ATTRIBUTE_REPARSE_POINT) != 0 {
 			return nil, &ErrNotAccessible{Path: fullPath, Cause: err}
 		}
 	}

 	return &SafePath{
 		path:          fullPath,
 		sourceBase:    base,
 		sourceSubpath: subpart,
 		cleanup:       cleanupJobs.Release(),
 	}, nil
 }

 func lockFile(path string) (windows.Handle, error) {
 	p, err := windows.UTF16PtrFromString(path)
 	if err != nil {
 		return windows.InvalidHandle, &os.PathError{Op: "UTF16PtrFromString", Path: path, Err: err}
 	}
 	const flags = windows.FILE_FLAG_BACKUP_SEMANTICS | windows.FILE_FLAG_OPEN_REPARSE_POINT
 	handle, err := windows.CreateFile(p, windows.GENERIC_READ, windows.FILE_SHARE_READ, nil, windows.OPEN_EXISTING, flags, 0)
 	if err != nil {
 		return handle, &os.PathError{Op: "CreateFile", Path: path, Err: err}
 	}
 	return handle, nil
 }
	package safepath

	import (
	"context"
	"os"
	"path/filepath"
	"strings"

	"github.com/containerd/log"
	"github.com/docker/docker/internal/cleanups"
	"github.com/pkg/errors"
	"golang.org/x/sys/windows"
	)

	// Join locks all individual components of the path which is the concatenation
	// of provided path and its subpath, checks that it doesn't escape the base path
	// and returns the concatenated path.
	//
	// The path is safe (the path target won't change) until the returned SafePath
	// is Closed.
	// Caller is responsible for calling the Close function which unlocks the path.
	func Join(ctx context.Context, path, subpath string) (*SafePath, error) {
	base, subpart, err := evaluatePath(path, subpath)
	if err != nil {
	return nil, err
	}
	parts := strings.Split(subpart, string(os.PathSeparator))

	cleanupJobs := cleanups.Composite{}
	defer func() {
	if cErr := cleanupJobs.Call(context.WithoutCancel(ctx)); cErr != nil {
	log.G(ctx).WithError(cErr).Warn("failed to close handles after error")
	}
	}()

	fullPath := base
	for _, part := range parts {
	fullPath = filepath.Join(fullPath, part)

	handle, err := lockFile(fullPath)
	if err != nil {
	if errors.Is(err, windows.ERROR_FILE_NOT_FOUND) {
	return nil, &ErrNotAccessible{Path: fullPath, Cause: err}
	}
	return nil, errors.Wrapf(err, "failed to lock file %s", fullPath)
	}
	cleanupJobs.Add(func(context.Context) error {
	if err := windows.CloseHandle(handle); err != nil {
	return &os.PathError{Op: "CloseHandle", Path: fullPath, Err: err}
	}
	return err
	})

	realPath, err := filepath.EvalSymlinks(fullPath)
	if err != nil {
	return nil, errors.Wrapf(err, "failed to eval symlinks of %s", fullPath)
	}

	if realPath != fullPath && !isLocalTo(realPath, base) {
	return nil, &ErrEscapesBase{Base: base, Subpath: subpart}
	}

	var info windows.ByHandleFileInformation
	if err := windows.GetFileInformationByHandle(handle, &info); err != nil {
	return nil, errors.WithStack(&os.PathError{Op: "GetFileInformationByHandle", Path: fullPath, Err: err})
	}

	if (info.FileAttributes & windows.FILE_ATTRIBUTE_REPARSE_POINT) != 0 {
	return nil, &ErrNotAccessible{Path: fullPath, Cause: err}
	}
	}

	return &SafePath{
	path: fullPath,
	sourceBase: base,
	sourceSubpath: subpart,
	cleanup: cleanupJobs.Release(),
	}, nil
	}

	func lockFile(path string) (windows.Handle, error) {
	p, err := windows.UTF16PtrFromString(path)
	if err != nil {
	return windows.InvalidHandle, &os.PathError{Op: "UTF16PtrFromString", Path: path, Err: err}
	}
	const flags = windows.FILE_FLAG_BACKUP_SEMANTICS \| windows.FILE_FLAG_OPEN_REPARSE_POINT
	handle, err := windows.CreateFile(p, windows.GENERIC_READ, windows.FILE_SHARE_READ, nil, windows.OPEN_EXISTING, flags, 0)
	if err != nil {
	return handle, &os.PathError{Op: "CreateFile", Path: path, Err: err}
	}
	return handle, nil
	}