This repository has been archived by the owner on Jun 30, 2023. It is now read-only.

release assets archives contain potentially dangerous "." folder #46

Closed
alexsaveliev opened this issue Jan 10, 2022 · 0 comments · Fixed by #53

Comments

@alexsaveliev

How-to-repeat

make some folder FOLDER that belongs to USER:GROUP, assign 777 permissions to FOLDER, then

sudo -s
cd FOLDER
wget https://github.com/google/log4jscanner/releases/download/v0.2.0/log4jscanner-v0.2.0-linux-amd64.tar.gz
tar xfz log4jscanner-v0.2.0-linux-amd64.tar.gz

check the new ownership and permissions of FOLDER: it's drwx------ 3 root root, because

tar -ztvf log4jscanner-v0.2.0-linux-amd64.tar.gz
drwx------ root/root         0 2022-01-05 23:14 ./
drwxr-xr-x root/root         0 2022-01-05 23:14 ./log4jscanner/
-rwxr-xr-x root/root   2637215 2022-01-05 23:14 ./log4jscanner/log4jscanner

I think that ./ shouldn't be part of the release assets archive, because as a result you might set incorrect permissions on your folder (think of /tmp without full access)

Thanks
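The behaviour reported above, reproduced without root and paired with the pre-release check a maintainer would want, as an added example that is not part of the log4jscanner project or of the issue author's report. It assumes a POSIX shell with GNU tar or bsdtar and GNU or BSD stat; the staging tree, the 0700 mode on it and the archive names bad.tgz and good.tgz are constructed for the demonstration. Archiving "." puts a "./" entry in the tarball carrying the staging directory's own mode, and extracting that entry chmods the destination directory itself even as an unprivileged user (as root it also chowns it, which is what the report shows); archiving only the subfolder produces no such entry.

```shell
#!/bin/sh
# Added example: build the problematic and the fixed archive layout from one
# staging tree, audit a tarball for entries that rewrite the extraction root,
# and show what extraction does to the destination directory's mode.
set -eu

# Return 0 if every entry is safe, 1 if any entry normalises to the extraction
# root ("./" or "."), is absolute, or contains a ".." path component.
archive_entries_are_safe() {
    archive="$1"
    tar -tzf "$archive" | awk '
        BEGIN { bad = 0 }
        {
            name = $0
            sub(/\/+$/, "", name)            # "./" -> ".", "dir/" -> "dir"
            if (name == "." || name == "" ||
                name ~ /^\// || name ~ /(^|\/)\.\.(\/|$)/) {
                print "dangerous entry: " $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# Build two archives from the same constructed staging tree:
#   bad.tgz  archives "."            -> carries a "./" entry with mode 0700
#   good.tgz archives "log4jscanner" -> no entry for the top-level directory
make_archives() {
    work="$1"
    mkdir -p "$work/stage/log4jscanner"
    printf '#!/bin/sh\necho scanner\n' > "$work/stage/log4jscanner/log4jscanner"
    chmod 0755 "$work/stage/log4jscanner/log4jscanner"
    chmod 0700 "$work/stage"               # this mode ends up on the "./" entry
    tar -czf "$work/bad.tgz"  -C "$work/stage" .
    tar -czf "$work/good.tgz" -C "$work/stage" log4jscanner
}

# Extract an archive into a fresh world-writable directory and print the
# directory's octal mode afterwards. The "./" entry makes tar apply the
# archived 0700 to the destination itself; without it the mode is untouched.
dest_mode_after_extract() {
    archive="$1"
    dest="$2"
    mkdir -p "$dest"
    chmod 0777 "$dest"
    tar -xzf "$archive" -C "$dest"
    stat -c '%a' "$dest" 2>/dev/null || stat -f '%Lp' "$dest"
}

# Stand-alone demonstration; no root required for the mode change.
demo() {
    tmp="$(mktemp -d)"
    make_archives "$tmp"
    for a in bad good; do
        if archive_entries_are_safe "$tmp/$a.tgz"; then
            echo "$a.tgz: entries OK"
        else
            echo "$a.tgz: REJECT before publishing"
        fi
        echo "$a.tgz: destination mode after extract:" \
             "$(dest_mode_after_extract "$tmp/$a.tgz" "$tmp/out_$a")"
    done
    rm -rf "$tmp"
}

demo
```

The listing check is cheap enough to run in the release job right after the tarball is produced; the extraction step is only there to make the effect visible, and an actual reproduction as root against a shared directory such as /tmp would additionally flip its owner to root.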

alexsaveliev added a commit to alexsaveliev/log4jscanner that referenced this issue Jan 10, 2022
including only the log4jscanner folder in the resulting tgz file and excluding ./

1 participant