Merge commit from fork

The compilePipeline function passes the 'uses' value directly to
filepath.Join(pd, uses+".yaml") without validation. A crafted uses
value like "../../../etc/passwd" could read arbitrary files outside
the pipeline directory.

This fix rejects absolute paths and '..' sequences in uses, and
verifies the resolved path remains within the pipeline directory
using filepath.Rel after cleaning.

Co-authored-by: Mark <mark.manning@chainguard.dev>

Author: egibs

pkg/build/compile.go

@@ -225,14 +225,24 @@ func (c *Compiled) compilePipeline(ctx context.Context, sm *SubstitutionMap, pip
 	// When compiling an already-compiled config, `uses` will be redundant and FYI only,
 	// so ignore it if there is also a `pipelines` spelled out.
 	if uses != "" && len(pipeline.Pipeline) == 0 {
+		// Validate that 'uses' does not contain path traversal sequences or absolute paths.
+		if filepath.IsAbs(uses) || strings.Contains(uses, "..") {
+			return fmt.Errorf("invalid pipeline 'uses' value %q: must not contain absolute paths or '..' sequences", uses)
+		}
+
 		var data []byte
 		// Set this to fail up front in case there are no pipeline dirs specified
 		// and we can't find them.
 		err := fmt.Errorf("could not find 'uses' pipeline %q", uses)
 
 		for _, pd := range c.PipelineDirs {
 			log.Debugf("trying to load pipeline %q from %q", uses, pd)
-			data, err = os.ReadFile(filepath.Join(pd, uses+".yaml")) // #nosec G304 - Loading pipeline definition from configured directory
+			target := filepath.Join(pd, uses+".yaml")
+			// Verify the resolved path is still within the pipeline directory.
+			if rel, err := filepath.Rel(pd, filepath.Clean(target)); err != nil || strings.HasPrefix(rel, "..") {
+				return fmt.Errorf("pipeline 'uses' value %q resolves outside pipeline directory %q", uses, pd)
+			}
+			data, err = os.ReadFile(target) // #nosec G304 - Loading pipeline definition from configured directory
 			if err == nil {
 				log.Debugf("Found pipeline %s", string(data))
 				break