source/http: sanitize downloaded filenames

Add safeFileName and route all getFileName sources through it.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 9d117af5ab1e1032f75658884384328fea440843)
(cherry picked from commit ee4de4c2aa53a76fb2ba135cfcb2daa8e45c5b80)

Author: tonistiigi

source/http/source.go

@@ -18,6 +18,7 @@ import (
 	"strconv"
 	"strings"
 	"time"
+	"unicode"
 
 	"github.com/moby/buildkit/cache"
 	"github.com/moby/buildkit/session"
@@ -955,16 +956,30 @@ func (hs *httpSourceHandler) newHTTPRequest(ctx context.Context, g session.Group
 	return req, nil
 }
 
+func safeFileName(s string) string {
+	defaultName := "download"
+	name := filepath.Base(filepath.FromSlash(strings.TrimSpace(s)))
+	if name == "" || name == "." || name == ".." {
+		return defaultName
+	}
+	for _, r := range name {
+		if r == 0 || unicode.IsControl(r) {
+			return defaultName
+		}
+	}
+	return name
+}
+
 func getFileName(urlStr, manualFilename string, resp *http.Response) string {
 	if manualFilename != "" {
-		return manualFilename
+		return safeFileName(manualFilename)
 	}
 	if resp != nil {
 		if contentDisposition := resp.Header.Get("Content-Disposition"); contentDisposition != "" {
 			if _, params, err := mime.ParseMediaType(contentDisposition); err == nil {
 				if params["filename"] != "" && !strings.HasSuffix(params["filename"], "/") {
 					if filename := filepath.Base(filepath.FromSlash(params["filename"])); filename != "" {
-						return filename
+						return safeFileName(filename)
 					}
 				}
 			}
@@ -973,10 +988,10 @@ func getFileName(urlStr, manualFilename string, resp *http.Response) string {
 	u, err := url.Parse(urlStr)
 	if err == nil {
 		if base := path.Base(u.Path); base != "." && base != "/" {
-			return base
+			return safeFileName(base)
 		}
 	}
-	return "download"
+	return safeFileName("")
 }
 
 func searchHTTPURLDigest(ctx context.Context, store cache.MetadataStore, dgst digest.Digest) ([]cacheRefMetadata, error) {

source/http/source_test.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"os"
 	"path/filepath"
+	"runtime"
 	"testing"
 
 	"github.com/containerd/containerd/v2/core/diff/apply"
@@ -31,6 +32,50 @@ import (
 
 const signFixturesPathEnv = "BUILDKIT_TEST_SIGN_FIXTURES"
 
+func TestSafeFileName(t *testing.T) {
+	t.Parallel()
+
+	type testCase struct {
+		name string
+		in   string
+		want string
+	}
+
+	tests := []testCase{
+		{name: "simple", in: "foo", want: "foo"},
+		{name: "simple_ext", in: "foo.txt", want: "foo.txt"},
+		{name: "unicode_cjk", in: "資料.txt", want: "資料.txt"},
+		{name: "unicode_cyrillic", in: "тест-файл", want: "тест-файл"},
+		{name: "spaces_allowed", in: "name with spaces.txt", want: "name with spaces.txt"},
+		{name: "trim_outer_whitespace", in: "  foo.txt  ", want: "foo.txt"},
+		{name: "unix_path", in: "a/b/c.txt", want: "c.txt"},
+		{name: "empty", in: "", want: "download"},
+		{name: "dot", in: ".", want: "download"},
+		{name: "dot_dot", in: "..", want: "download"},
+		{name: "traversal_unix", in: "../", want: "download"},
+		{name: "nul_byte", in: "a\x00b", want: "download"},
+		{name: "control", in: "a\nb", want: "download"},
+	}
+	if runtime.GOOS == "windows" {
+		tests = append(tests,
+			testCase{name: "windows_traversal", in: "..\\", want: "download"},
+			testCase{name: "windows_path_basename", in: "a\\b\\c.txt", want: "c.txt"},
+		)
+	} else {
+		tests = append(tests,
+			testCase{name: "windows_traversal_literal", in: "..\\", want: "..\\"},
+			testCase{name: "windows_path_literal", in: "a\\b\\c.txt", want: "a\\b\\c.txt"},
+		)
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			require.Equal(t, tt.want, safeFileName(tt.in))
+		})
+	}
+}
+
 func TestHTTPSource(t *testing.T) {
 	t.Parallel()
 	ctx := context.TODO()