This repository has been archived by the owner on Mar 29, 2023. It is now read-only.

fix: error when TAR has files outside of root #56

Merged (3 commits) on Nov 9, 2022

hacdias (Member) commented Oct 5, 2022

See ipfs/kubo#9029 and the “Security” section added in IPIP-288 (ipfs/specs#288)

This will affect both ipfs get [--archive], as well as the new gateway TAR download format.

/cc @lidel

ipfs deleted a comment from welcome bot on Oct 5, 2022
hacdias marked this pull request as ready for review on October 6, 2022 11:40
hacdias requested a review from lidel on October 6, 2022 11:40
hacdias requested a review from Jorropo on October 10, 2022 09:25
hacdias (Member, Author) commented Nov 7, 2022

Thanks @Jorropo! Everything is addressed.

hacdias requested a review from Jorropo on November 7, 2022 13:57
lidel changed the title from "feat: error when TAR has files outside of root" to "fix: error when TAR has files outside of root" on Nov 9, 2022

lidel (Member) left a comment

Thank you, @hacdias!

I believe this library is a good place to protect a wide array of users (not just Kubo) from issues described in ipfs/specs#288.

Hopefully this does not impact legitimate use cases:

  • I was unable to think of a scenario where this additional validation would introduce a regression, but we will also have Kubo 0.17-rc1 to confirm that.
  • If there are any issues, we can always add ipfs get --allow-unsafe-paths (similar to ipfs dag put --allow-big-block).

lidel merged commit e8cf9a3 into master on Nov 9, 2022
lidel deleted the feat/error-tar-invalid-rel-paths branch on November 9, 2022 15:53
lidel mentioned this pull request on Nov 9, 2022