Comments.

pstibrany · pstibrany · commit de67abbcdc16 · 2021-03-08T22:09:53.000+01:00
Signed-off-by: Peter Štibraný &lt;peter.stibrany@grafana.com&gt;
diff --git a/pkg/alertmanager/multitenant.go b/pkg/alertmanager/multitenant.go
@@ -1144,17 +1144,21 @@ func (s StatusHandler) ServeHTTP(w http.ResponseWriter, _ *http.Request) {
 	}
 }
 
-func storeTemplateFile(tenantTemplateDir, templateFileName, content string) (changed bool, _ error) {
+// storeTemplateFile stores template file with given content into specific directory.
+// Since templateFileName is provided by end-user, it is verified that it doesn't do any path-traversal.
+// Returns true, if file content has changed (new or updated file), false if file with the same name
+// and content was already stored locally.
+func storeTemplateFile(dir, templateFileName, content string) (bool, error) {
 	if templateFileName != filepath.Base(templateFileName) {
 		return false, fmt.Errorf("template file name '%s' is not not valid", templateFileName)
 	}
 
-	err := os.MkdirAll(tenantTemplateDir, 0755)
+	err := os.MkdirAll(dir, 0755)
 	if err != nil {
-		return false, fmt.Errorf("unable to create Alertmanager templates directory %q: %s", tenantTemplateDir, err)
+		return false, fmt.Errorf("unable to create Alertmanager templates directory %q: %s", dir, err)
 	}
 
-	file := filepath.Join(tenantTemplateDir, templateFileName)
+	file := filepath.Join(dir, templateFileName)
 	// Check if the template file already exists and if it has changed
 	if tmpl, err := ioutil.ReadFile(file); err == nil && string(tmpl) == content {
 		return false, nil

Original file line number	Diff line number	Diff line change
`@@ -1144,17 +1144,21 @@ func (s StatusHandler) ServeHTTP(w http.ResponseWriter, _ *http.Request) {`
`1144`	`1144`	`}`
`1145`	`1145`	`}`
`1146`	`1146`
`1147`		`-func storeTemplateFile(tenantTemplateDir, templateFileName, content string) (changed bool, _ error) {`
	`1147`	`+// storeTemplateFile stores template file with given content into specific directory.`
	`1148`	`+// Since templateFileName is provided by end-user, it is verified that it doesn't do any path-traversal.`
	`1149`	`+// Returns true, if file content has changed (new or updated file), false if file with the same name`
	`1150`	`+// and content was already stored locally.`
	`1151`	`+func storeTemplateFile(dir, templateFileName, content string) (bool, error) {`
`1148`	`1152`	`if templateFileName != filepath.Base(templateFileName) {`
`1149`	`1153`	`return false, fmt.Errorf("template file name '%s' is not not valid", templateFileName)`
`1150`	`1154`	`}`
`1151`	`1155`
`1152`		`- err := os.MkdirAll(tenantTemplateDir, 0755)`
	`1156`	`+ err := os.MkdirAll(dir, 0755)`
`1153`	`1157`	`if err != nil {`
`1154`		`- return false, fmt.Errorf("unable to create Alertmanager templates directory %q: %s", tenantTemplateDir, err)`
	`1158`	`+ return false, fmt.Errorf("unable to create Alertmanager templates directory %q: %s", dir, err)`
`1155`	`1159`	`}`
`1156`	`1160`
`1157`		`- file := filepath.Join(tenantTemplateDir, templateFileName)`
	`1161`	`+ file := filepath.Join(dir, templateFileName)`
`1158`	`1162`	`// Check if the template file already exists and if it has changed`
`1159`	`1163`	`if tmpl, err := ioutil.ReadFile(file); err == nil && string(tmpl) == content {`
`1160`	`1164`	`return false, nil`