Validate PackageId in uploaded packages #3654

Closed
matt-richardson opened this Issue Jul 11, 2017 · 4 comments

Comments

Projects
None yet
2 participants
@matt-richardson
Contributor

matt-richardson commented Jul 11, 2017

source: https://secure.helpscout.net/conversation/393753664?folderId=557082

A vulnerability was reported where an authenticated user with the PackagePush permission could upload a malicious package with a malformed PackageId, causing the Built-In Feed to write the package outside of the Octopus package store.

We should fix this by validating PackageIds according to the same rules as NuGet Gallery, specifically: ^\w+([_.-]\w+)*$.
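The following is an added illustration, not Octopus Deploy's or NuGet Gallery's code. It shows why the issue matters and what the proposed fix does: the pre-fix behaviour splices an untrusted PackageId into a filesystem path inside the package store, while the fixed path first checks the id against the NuGet Gallery rule quoted above and then, as a second line of defence, confirms the normalised target is still under the store root. The store root, the file naming scheme, the version check, and the use of `re.ASCII` are assumptions made for the example; NuGet's .NET `\w` also accepts Unicode letters and digits, and narrowing to ASCII is simply the conservative choice here.

```python
import posixpath
import re

# NuGet Gallery's PackageId rule, as quoted in the issue. re.ASCII (an assumption
# for this example) restricts \w to [A-Za-z0-9_]; .NET's \w is wider.
PACKAGE_ID_PATTERN = re.compile(r"^\w+([_.-]\w+)*$", re.ASCII)

# Constructed version rule for the example; only digits and dots, so it can never
# carry a path separator or a lone ".." segment.
VERSION_PATTERN = re.compile(r"^\d+(\.\d+){1,3}$", re.ASCII)

# Constructed store root; not the real Octopus package store layout.
PACKAGE_STORE = "/var/octopus/packages"


def is_valid_package_id(package_id: str) -> bool:
    """True only when the id matches ^\\w+([_.-]\\w+)*$ in full."""
    return PACKAGE_ID_PATTERN.fullmatch(package_id) is not None


def escapes_store(path: str) -> bool:
    """True when a normalised path is not inside PACKAGE_STORE."""
    return posixpath.commonpath([PACKAGE_STORE, path]) != PACKAGE_STORE


def unsafe_target_path(package_id: str, version: str) -> str:
    """The behaviour the issue describes: the id is trusted and spliced into the path."""
    return posixpath.normpath(
        posixpath.join(PACKAGE_STORE, f"{package_id}.{version}.nupkg")
    )


def resolve_upload_path(package_id: str, version: str):
    """Validate the upload metadata and return (True, path) or (False, reason).

    Step 1 is the fix proposed in the issue: reject ids that do not match the
    NuGet Gallery pattern. Step 2 is defence in depth: even an accepted name is
    normalised and checked to still sit under the store root.
    """
    if not is_valid_package_id(package_id):
        return False, f"invalid PackageId: {package_id!r}"
    if VERSION_PATTERN.fullmatch(version) is None:
        return False, f"invalid version: {version!r}"
    target = posixpath.normpath(
        posixpath.join(PACKAGE_STORE, f"{package_id}.{version}.nupkg")
    )
    if escapes_store(target):
        return False, "resolved path escapes the package store"
    return True, target


if __name__ == "__main__":
    # Constructed inputs: one well-formed id, one that a validator must reject.
    for pid in ("Octopus.Client", "../../etc/evil"):
        print(pid, "->", "unchecked:", unsafe_target_path(pid, "1.0"),
              "| escapes store:", escapes_store(unsafe_target_path(pid, "1.0")),
              "| validated:", resolve_upload_path(pid, "1.0"))
```

Running the block prints the unchecked path for each id next to the validated result, so the traversal the issue describes is visible as a path that lands outside the store while the validated call returns a rejection instead. The regex alone is what the issue asks for; the containment check costs one `commonpath` call and catches any future change to the naming scheme that might reintroduce a separator.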

@matt-richardson matt-richardson self-assigned this Jul 11, 2017

@matt-richardson


Contributor

matt-richardson commented Jul 11, 2017

@octoreleasebot octoreleasebot added this to the 3.15.4 milestone Jul 11, 2017

@octoreleasebot


octoreleasebot commented Jul 11, 2017

Release Note: Prevent directory traversal security vulnerability in Built-In Feed by validating supplied PackageId’s according to the same rules as NuGet.

@matt-richardson


Contributor

matt-richardson commented Jul 17, 2017

CVE ID is CVE-2017-11348

@lock


lock bot commented Nov 24, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.

@lock lock bot locked as resolved and limited conversation to collaborators Nov 24, 2018
