Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: archive extraction header.Linkname and old dependencies #80

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: archive extraction header.Linkname and old dependencies #80

wants to merge 1 commit into from

Conversation

mohanmanikanta2299
Copy link

@mohanmanikanta2299 mohanmanikanta2299 requested a review from a team as a code owner January 31, 2025 14:43
@dduzgun-security dduzgun-security changed the title CVE Fixes fix: archive extraction header.Linkname and old dependencies Jan 31, 2025
dduzgun-security
dduzgun-security reviewed Jan 31, 2025
View reviewed changes
slug.go
return false, fmt.Errorf("couldn't find relative path : %w", err)
}

if rel != ".." && !(len(rel) >= 3 && rel[:3] == "../") {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can remove this condition since the rel will already be cleaned.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be a good idea to copy the validation function the Nomad team worked on and use that to reduce code. https://github.com/hashicorp/nomad/blob/main/helper/escapingfs/escapes.go#L110-L119 maybe under /internal/helper

dduzgun-security
dduzgun-security reviewed Jan 31, 2025
View reviewed changes
slug.go
return false, fmt.Errorf("couldn't find relative path : %w", err)
}

if rel != ".." && !(len(rel) >= 3 && rel[:3] == "../") {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similar to the following comment: https://github.com/hashicorp/go-slug/pull/80/files#r1937639814

dduzgun-security
dduzgun-security requested changes Jan 31, 2025
View reviewed changes
Copy link
Collaborator

@dduzgun-security dduzgun-security left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot for looking into that, really appreciate the work. Left some comments and it would be nice to add lots of unit tests (expected failure and valid ones) covering different scenarios included.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dduzgun-security dduzgun-security dduzgun-security requested changes

@picatz picatz Awaiting requested review from picatz

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mohanmanikanta2299 @dduzgun-security