
Should symlinks be followed in archives? #1475

Closed
anthonyharrison opened this issue Dec 23, 2021 · 1 comment

Comments

@anthonyharrison
Contributor

Scan_file in version_scanner does not follow symlinks. Should the same restriction occur when extracting a file from an archive? Currently if the destination pointed to by the link does not exist, a warning is issued.

@terriko
Contributor

terriko commented Dec 27, 2021

My gut says that we shouldn't follow symlinks because it'd be too easy to wind up with a loop or have a poorly formed package/directory scanning a much larger part of a system than expected or intended. Potentially this could even be a security issue for folks who later want to do cve-bin-tool as a service-type application?

A warning or info statement saying that the symlink wasn't followed sounds good, though, because I can see how this might not be expected behaviour to some users.

anthonyharrison added a commit to anthonyharrison/cve-bin-tool that referenced this issue Dec 28, 2021
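The behaviour discussed above (skip symlinks in an archive, warn instead of following them, and refuse members that would land outside the extraction directory), as an added Python example that is not cve-bin-tool's own code. The logger name and the in-memory sample archive are constructed for this illustration.

```python
import io
import logging
import os
import tarfile
import tempfile

logger = logging.getLogger("cve-bin-tool.extractor")  # hypothetical logger name


def build_sample_archive() -> bytes:
    """Constructed tarball: a regular file, a symlink to a system path, a traversal entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello"
        info = tarfile.TarInfo("pkg/bin/tool")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("pkg/lib")
        link.type = tarfile.SYMTYPE
        link.linkname = "/usr/lib"  # following this would scan far outside the package
        tar.addfile(link)
        escape = tarfile.TarInfo("../outside.txt")  # classic path-traversal member
        tar.addfile(escape, io.BytesIO(b""))
    return buf.getvalue()


def safe_extract(archive_bytes: bytes, dest: str) -> dict:
    """Extract only regular files/dirs that stay inside dest; log and skip the rest."""
    result = {"extracted": [], "skipped": []}
    dest_real = os.path.realpath(dest)
    # Python 3.12+ offers a built-in 'data' filter; use it when present, checks below still apply.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.issym() or member.islnk():
                logger.warning("Link %s -> %s not followed", member.name, member.linkname)
                result["skipped"].append(member.name)
                continue
            target = os.path.realpath(os.path.join(dest_real, member.name))
            if os.path.commonpath([dest_real, target]) != dest_real or not (
                member.isfile() or member.isdir()
            ):
                logger.warning("Member %s skipped (escapes dest or unsupported type)", member.name)
                result["skipped"].append(member.name)
                continue
            tar.extract(member, path=dest_real, **kwargs)
            result["extracted"].append(member.name)
    return result


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_archive(), tmp)
```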