Implement secure join

[yihuaf]

We need a secure_join implementation that's similar to https://github.com/cyphar/filepath-securejoin. In short, this function guarantee secure_join(rootfs, path) the path is within rootfs. When path is ../../ or other malicious symbolic links, it can cause youki to make changes outside of rootfs, creating security issue. This can be a follow up to #342

An example of usage in runc:

https://github.com/opencontainers/runc/blob/51beb5c436b159ae2d483b219c37ecfde13b006a/libcontainer/utils/utils.go#L119

[Ian-Yy]

Hi, I'm quite new to youki. Can I try to work on this?

[yihuaf]

@Ian-Yy Sure. Do you know where to start? Please don't hesitate to ask us on how we can help you.

[Ian-Yy]

@yihuaf I will try going through the code first. Thanks.

[Ian-Yy]

Hi @yihuaf , correct me if I am wrong. This task require me to implement a new function secure_join in the trait PathBufExt? Is that right?

[yihuaf]

Hi @yihuaf , correct me if I am wrong. This task require me to implement a new function secure_join in the trait PathBufExt? Is that right?

Yes that's a very good idea. Or you can just implement a function secure_join(rootfs: Path, path: Path) as a single function.

[Ian-Yy]

Sorry but there's one thing I'm quite unsure of now. The implementation of secure_join in https://github.com/cyphar/filepath-securejoin uses a lot of filepath.Clean and we do not have it in Rust. I saw there's a crate path_clean that does exactly the same as Go filepath.Clean but is quite old. Should I use this crate or code it?

[yihuaf]

Let's use it to at least prototype.

[Ian-Yy]

Hi @yihuaf , I've done with a prototype with some tests for it. After working on it for some time, I realized I don't need to use the crate path_clean as mentioned above. Please let me know if there's anything wrong with the PR.