[manual][release-0.20] backport path validation #309
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Older versions will case the lane to auto-fail Signed-off-by: Francesco Romani <[email protected]> (cherry picked from commit 41aca66)
…lease-0.20 ghactions: bump upload-artifact to v4
we missed to update one instance to v4 Signed-off-by: Francesco Romani <[email protected]>
…ions-0.20 [release-0.20][manual] ghactions: fix missing upload-artifact reference
add validation and restrictions about configuration paths, to reduce the chance of path traversal vulnerabilities. Most notably: - config root path must be one of the allowed subpaths - configlet are expected not to escape the configuratio directories Signed-off-by: Francesco Romani <[email protected]> (cherry picked from commit 5dbc2c1)
Signed-off-by: Francesco Romani <[email protected]> (cherry picked from commit 6dca932)
Use more restrictive directory permissions for the notification file. We don't need a world accessible directory anyway. X-Gosec-Scan: 2.21.4 Signed-off-by: Francesco Romani <[email protected]> (cherry picked from commit 1ecd2c5)
we have some functions we call unchecked because we are highly confident they can't fail - or we can't deal with failure anyway. So we capture and discard the return value in these cases to make gosec happy. X-Gosec-Scan: 2.21.4 Signed-off-by: Francesco Romani <[email protected]> (cherry picked from commit 47d3955)
We recently added filepath sanitization before to feed it in the `os.ReadFile`. Turns out the linter was still unhappy because it seems it can't track the variable sanitization across function calls bonundaries. With this change we rework the validation to have them in the same function block of the `ReadFile` call. This is arguably (much) more wasteful (in relative terms) because we redo multiple times redundant validations, for example when we handle the config file directory. Still, this makes the linter demonstrably happier and it's (hopefully) safer because we can't call ReadFile by mistake with unsanitized input. In addition, configfile reading is done once at runtime, so the extra cost should be amortized. X-Gosec-Scan: 2.21.4 Signed-off-by: Francesco Romani <[email protected]> (cherry picked from commit 3a85191)
Add validation for `os.ReadDir` much like we did for `os.ReadFile`. This was not required by gosec, but we do for consistency and trying to be future-proof. Signed-off-by: Francesco Romani <[email protected]> (cherry picked from commit c712cce)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
manual backport of #304 and #308