fix(aztec-up): validate semver in uninstall to prevent path traversal #21892
Merged
nchamo merged 1 commit into merge-train/fairies on Mar 24, 2026
mverzilli approved these changes Mar 24, 2026

AztecBot pushed a commit that referenced this pull request Mar 24, 2026

✅ Successfully backported to backport-to-v4-next-staging #21899.

AztecBot added a commit that referenced this pull request Mar 25, 2026

BEGIN_COMMIT_OVERRIDE
fix(aztec-up): narrow PATH cleanup regex to avoid removing user PATH entries (#21828)
fix: consolidate blob source test into single summary log with supernode detection (#21719)
fix: use anchor block on getL1ToL2MsgWitness (#21872)
fix: make sure queries are not made ahead of the anchor block (#21874)
chore(docs): backport docs infrastructure changes to v4 (#21437)
chore: backport PR #21836 (fix: explicitly handle initial block case for getBlockHashMembershipWitness) to v4-next (#21891)
chore: backport PR #21813 (fix(aztec-up): strip leading v prefix from version strings) to v4-next (#21912)
docs: document defi-wonderland immutable macro (#21764)
fix: pin typescript and harden lockfile check in docs examples CI (v4 backport) (#21914)
docs: expand circuit profiling guide and document kernel gate cost overhead (#21770)
feat: cli-wallet (#21757)
chore: sync backport staging with v4-next HEAD (#21931)
fix: bot gas estimations (backport #21945) (#21947)
refactor(aztec-nr): use logging wrappers in compute_note_hash_and_nullifier (#21897)
fix: backport v4 next staging (#21934)
fix: make PXE#getSyncedBlockHeader a concurrency=1 job to prevent IDB tx liveness issues (#21944)
feat: add error page mapping for incompatible oracles (#21943)
fix(aztec-up): validate semver in uninstall to prevent path traversal (#21892)
chore: merge v4-next into backport staging (fix ancestry) (#21954)
fix(aztec-up): add truncation protection to install scripts (#21896)
fix: noir format in compute_note_hash_and_nullifier.nr (#21956)
fix(stdlib): decode `EthAddress`, `FunctionSelector` and wrapped field structs in `AbiDecoder` (#21926)
chore: update noir to nightly-2026-02-12-patch.1 (#21960)
fix: ensure empty docs examples does not populate yarn lock backport (#21963)
fix: docs examples does not build on simple bootstrap backport (#21964)
fix: add rc/testnet version detection to API reference pages (#21966)
docs: document EmbeddedWallet automatic gas estimation and private authwits (#21790)
fix(pxe): robust error handling in message processing (backport #21093) (#21981)
chore: manually recreate backport (#21969)
chore: (A-779) load all accounts before calling LogService.#getSecretsForSenders (#21923)
END_COMMIT_OVERRIDE

github-merge-queue bot pushed a commit that referenced this pull request Mar 25, 2026

BEGIN_COMMIT_OVERRIDE
fix: interactions clean up (#21933)
fix(stdlib): decode `EthAddress`, `FunctionSelector` and wrapped field structs in `AbiDecoder` (#21926)
fix: bot gas estimations (#21945)
refactor(aztec-nr): use logging wrappers in compute_note_hash_and_nullifier (#21897)
feat: add error page mapping for incompatible oracles (#21943)
fix(pxe): robust error handling in message processing (#21093)
fix: make PXE#getSyncedBlockHeader a concurrency=1 job to prevent IDB tx liveness issues (#21944)
fix(aztec-up): validate semver in uninstall to prevent path traversal (#21892)
fix(aztec-up): add truncation protection to install scripts (#21896)
feat!: scoped capsules (#21533)
END_COMMIT_OVERRIDE

Problem

`aztec-up uninstall` passes user input directly into an `rm -rf` path without validating the format:

```bash
rm -rf "$AZTEC_HOME/versions/$version"
```

The existing `is_version_installed` guard checks `[ -d "$AZTEC_HOME/versions/$version" ]`, but this passes for path-traversal inputs like `../` because `$AZTEC_HOME/versions/../` resolves to `$AZTEC_HOME/` which is a valid directory.

This means `aztec-up uninstall ../` executes `rm -rf "$AZTEC_HOME/"`, deleting the entire Aztec home directory including all installed versions, the `current` symlink, and shared binaries like `aztec-up` itself.

Fix

Added a semver validation check using the existing `is_semver` function before the `rm -rf` is reached. Since installed version directories are always named with concrete semver strings (aliases like `nightly` are resolved to semver at install time), this rejects any input that isn't a valid version -- including path traversal attempts, typos, and other malformed strings.

The check is placed after `is_version_installed` so that the more user-friendly "not installed" message is shown first for valid-looking versions that simply aren't present.

Fixes F-484
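
The guard bypass and the check ordering described above, reproduced in a throwaway sandbox as an added example (this is not the aztec-up source). `is_semver_example`, `dir_guard_only`, `resolved_target` and `check_uninstall` are hypothetical stand-ins, and the semver pattern is a simplified assumption because the project's `is_semver` is not shown on the page.

```shell
#!/bin/sh
# Added example, not aztec-up code. Function names are hypothetical stand-ins.
# Simplified semver pattern (assumption; the project's is_semver is not shown).
SEMVER_RE='^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$'

is_semver_example() {
  # Allowlist characters first: rejects '/', whitespace and newlines outright.
  case "$1" in *[!0-9A-Za-z.+-]*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq -- "$SEMVER_RE"
}

# Pre-fix guard as the PR describes it: only tests that the joined path is a directory.
dir_guard_only() { [ -d "$1/versions/$2" ]; }

# Physical directory the joined path resolves to, i.e. what rm -rf would act on.
resolved_target() { (cd "$1/versions/$2" 2>/dev/null && pwd -P); }

# Post-fix ordering from the PR: "not installed" first, then format validation.
# Prints a decision only; it never deletes anything.
check_uninstall() {
  if ! dir_guard_only "$1" "$2"; then echo "not-installed"; return 1; fi
  if ! is_semver_example "$2"; then echo "rejected-invalid-version"; return 2; fi
  echo "would-remove"
}

demo() {
  sandbox=$(mktemp -d)   # constructed stand-in for $AZTEC_HOME
  mkdir -p "$sandbox/versions/4.0.1" "$sandbox/bin"
  for v in 4.0.1 9.9.9 ../ 4.0.1/../..; do
    if dir_guard_only "$sandbox" "$v"; then guard=pass; else guard=fail; fi
    printf '%-12s dir-guard=%s decision=%s resolves-to=%s\n' "$v" "$guard" \
      "$(check_uninstall "$sandbox" "$v")" "$(resolved_target "$sandbox" "$v")"
  done
  rm -rf -- "$sandbox"   # removes only the temp sandbox created above
}
demo
```

The `../` and `4.0.1/../..` rows pass the directory guard and resolve to the sandbox root; only the format check turns them away.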