path security restrictions should be enforced #17

OriHoch · 2017-06-29T06:57:33Z

SECURITY: / (absolute path) and ../ (relative parent path) are forbidden to avoid security vulnerabilities when implementing data package tools. These limitations on resource path ensure that resource paths only point to files within the data package directory and its subdirectories. This prevents data package tools being exploited by a malicious user to gain unintended access to sensitive information. For example, suppose a data package hosting service stores packages on disk and allows access via an API. A malicious user uploads a data package with a resource path like /etc/passwd. The user then requests the data for that resource and the server naively opens /etc/passwd and returns that data to the caller.

OriHoch self-assigned this Jun 29, 2017

OriHoch added this to the Current milestone Jun 29, 2017

pwalsh added the enhancement label Jun 29, 2017

roll modified the milestones: Current, Version-1 Nov 10, 2017

roll added the specs-update label Nov 10, 2017

roll removed the specs-update label May 20, 2019

roll added the contribute label Oct 2, 2019

roll added enhancement and removed enhancement labels Sep 26, 2020

OriHoch removed their assignment Oct 6, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

path security restrictions should be enforced #17

path security restrictions should be enforced #17

OriHoch commented Jun 29, 2017

path security restrictions should be enforced #17

path security restrictions should be enforced #17

Comments

OriHoch commented Jun 29, 2017