Merge pull request #45 from jirislav/bind-paths-too-permisive

fix: it was possible to bind paths which were not allowed
buildkite · Nov 16, 2018 · 83a10bf · 83a10bf
2 parents 2beee6e + 322ae5a
commit 83a10bf
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/director.go b/director.go
@@ -335,7 +335,7 @@ func (r *rulesDirector) isBindAllowed(l socketproxy.Logger, bind string, allowed
 		hostSrc := filepath.FromSlash(path.Clean("/" + chunks[0]))
 
 		for _, allowedPath := range allowed {
-			if strings.HasPrefix(hostSrc, allowedPath) {
+			if allowedPath == hostSrc || strings.HasPrefix(hostSrc, allowedPath + "/") {
 				return true, nil
 			}
 		}