Releases: cyphar/filepath-securejoin
v0.3.0
This release contains no changes to SecureJoin.
However, it does introduce a new *os.File
-based API which is much safer
to use for most usecases. These are adapted from libpathrs and are
the bare minimum to be able to operate more safely on an untrusted
rootfs where an attacker has write access (something that SecureJoin
cannot protect against). The new APIs are:
-
OpenInRoot, which resolves a path inside a rootfs and returns an
*os.File
handle to the path. Note that the file handle returned by
OpenInRoot is an O_PATH handle, which cannot be used for reading or
writing (as well as some other operations -- see open(2) for more
details). -
Reopen, which takes an O_PATH file handle and safely re-opens it to
"upgrade" it to a regular handle. -
MkdirAll, which is a safe implementation of os.MkdirAll that can be
used to create directory trees inside a rootfs.
As these are new APIs, it is possible they may change in the future.
However, they should be safe to start migrating to as we have extensive
tests ensuring they behave correctly and are safe against various races
and other attacks.
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
v0.2.5
This release makes some minor improvements to SecureJoin:
-
Some changes were made to how lexical components are handled during
resolution. There is no change in behaviour, and both implementations
are safe, however the newer implementation is much easier to reason
about. -
The error returned when a symlink loop has been detected will now
reference the correct path. #10
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
v0.2.4
This release fixes a potential security issue in filepath-securejoin
when used on Windows (GHSA-6xv5-86q9-7xr8, which could be used to
generate paths outside of the provided rootfs in certain cases), as well
as improving the overall behaviour of filepath-securejoin when dealing
with Windows paths that contain volume names. Thanks to Paulo Gomes for
discovering and fixing these issues.
In addition, we've switched (at long last) to GitHub Actions and have
continuous integration testing on Linux, MacOS, and Windows.
Thanks to the following contributors for making this release possible:
- Aleksa Sarai cyphar@cyphar.com
- Paulo Gomes pjbgf@linux.com
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
v0.2.3
This release removes the dependency on github.com/pkg/errors in favour
of Go's built-in %w
error wrapping support (available since Go 1.13).
Thanks to the following contributors for making this release possible:
- Aleksa Sarai cyphar@cyphar.com
- Jakub Wilk jwilk@jwilk.net
- Kir Kolyshkin kolyshkin@gmail.com
Signed-off-by: Aleksa Sarai cyphar@cyphar.com
v0.2.2
This release just has a minor change to how symlink loops are indicated
to users (as a wrapped syscall.ELOOP rather than our own special error
message) so that users can just use errors.Cause and not care about our
error variable.
Signed-off-by: Aleksa Sarai asarai@suse.de
v0.2.1
This version adds our own IsNotExist implementation, which is necessary
for handling ENOTDIR properly with SecureJoin.
Signed-off-by: Aleksa Sarai asarai@suse.de
v0.2.0
This now has 100% test coverage, as well as providing a mockable
SecureJoinVFS API that can be used by end-users.
Signed-off-by: Aleksa Sarai asarai@suse.de
v0.1.0
First release of filepath-securejoin, containing a full implementation
with a coverage of 93.5% (the only missing cases are the error cases,
which are hard to mocktest).
Signed-off-by: Aleksa Sarai asarai@suse.de