
Conversation

harche

@harche harche commented Oct 2, 2025

Summary

Fix path traversal vulnerabilities detected by Snyk code scan in the internal/tools/update-readme tool.

🤖 Generated with Claude Code

@openshift-ci openshift-ci bot requested a review from ardaguclu October 2, 2025 02:32

openshift-ci bot commented Oct 2, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: harche
Once this PR has been reviewed and has the lgtm label, please assign ardaguclu for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@harche
Author

harche commented Oct 2, 2025

/hold until ci/prow/security passes.

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 2, 2025
@harche harche force-pushed the fix-security-path-traversal branch from 5c01dfe to 7172f3e on October 2, 2025 11:12
@harche harche changed the title Fix path traversal vulnerabilities in update-readme tool WIP: Fix path traversal vulnerabilities in update-readme tool Oct 2, 2025
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 2, 2025
Add input validation to prevent path traversal attacks in the
update-readme internal tool:
- Clean file path using filepath.Clean to remove path traversal sequences
- Validate that only README.md files can be updated
- Add argument count validation

This fixes Snyk code scan findings:
- MEDIUM severity path traversal in os.ReadFile (line 28)
- MEDIUM severity path traversal in os.WriteFile (line 84)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
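The commit message above lists three checks (filepath.Clean, a README.md-only rule, and an argument-count check) but the tool's code is not on this page. The following is an added example, not the PR's or the project's code, showing how those checks fit together in Go around the os.ReadFile / os.WriteFile calls Snyk flagged. It goes one step beyond the commit message: filepath.Clean only canonicalizes a path (it turns "a/../../x" into "../x", it does not reject it), so the example also confines the cleaned path to an assumed base directory (the baseDir parameter, ValidateReadmePath, ParseArgs and UpdateReadme are all names chosen here) and treats that containment check as the part that actually prevents traversal. Symlinks are not resolved; if the tree may contain them, run filepath.EvalSymlinks on the result before the containment check.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrInvalidPath is returned for any path that fails validation.
var ErrInvalidPath = errors.New("invalid README path")

// ParseArgs enforces the argument-count check: exactly one path argument.
func ParseArgs(args []string) (string, error) {
	if len(args) != 1 {
		return "", fmt.Errorf("usage: update-readme <path/to/README.md> (got %d arguments)", len(args))
	}
	return args[0], nil
}

// ValidateReadmePath returns a cleaned absolute path that is safe to pass to
// os.ReadFile / os.WriteFile, or ErrInvalidPath. baseDir is an assumption of
// this example: the directory the tool is allowed to touch.
//   1. filepath.Join / filepath.Clean normalize ".", ".." and repeated separators.
//   2. The base name must be exactly README.md.
//   3. The cleaned path must stay inside baseDir. Clean alone leaves a leading
//      ".." in place, so this containment check is what blocks traversal.
func ValidateReadmePath(baseDir, userPath string) (string, error) {
	absBase, err := filepath.Abs(filepath.Clean(baseDir))
	if err != nil {
		return "", err
	}
	target := userPath
	if !filepath.IsAbs(target) {
		target = filepath.Join(absBase, target) // Join also cleans the result
	}
	target = filepath.Clean(target)

	if filepath.Base(target) != "README.md" {
		return "", fmt.Errorf("%w: %q is not a README.md file", ErrInvalidPath, userPath)
	}

	// A path outside absBase yields a relative path beginning with "..".
	rel, err := filepath.Rel(absBase, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q escapes %q", ErrInvalidPath, userPath, absBase)
	}
	return target, nil
}

// UpdateReadme runs all three checks, then reads, transforms and rewrites the
// file. Only the validated path ever reaches os.ReadFile / os.WriteFile.
func UpdateReadme(baseDir string, args []string, update func([]byte) []byte) error {
	userPath, err := ParseArgs(args)
	if err != nil {
		return err
	}
	path, err := ValidateReadmePath(baseDir, userPath)
	if err != nil {
		return err
	}
	content, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	return os.WriteFile(path, update(content), 0o644)
}

func main() {
	// Constructed inputs: the first two are accepted, the rest rejected.
	for _, p := range []string{"README.md", "docs/README.md", "../README.md", "../../etc/passwd", "/etc/README.md", "notes.md"} {
		_, err := ValidateReadmePath(".", p)
		fmt.Printf("%-18s -> %v\n", p, err)
	}
}
```

Calling the tool with `update-readme ../../etc/passwd` is stopped twice: the base name is not README.md, and the cleaned path resolves outside the base directory. Keeping both checks is deliberate; the README.md rule limits what can be overwritten even inside the tree, and the containment rule holds if the name rule is ever relaxed.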
@harche harche force-pushed the fix-security-path-traversal branch from 7172f3e to 2516eac on October 2, 2025 11:58
@harche
Author

harche commented Oct 2, 2025

/test fips-image-scan-openshift-mcp-server


openshift-ci bot commented Oct 2, 2025

@harche: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/lint 2516eac link true /test lint

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@harche harche changed the title WIP: Fix path traversal vulnerabilities in update-readme tool Fix path traversal vulnerabilities in update-readme tool Oct 2, 2025
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 2, 2025
@harche
Author

harche commented Oct 2, 2025

/hold cancel

lint job failures are fixed in #39

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 2, 2025
@harche harche mentioned this pull request Oct 2, 2025
3 tasks
@ardaguclu
Member

/cc @manusa


openshift-ci bot commented Oct 2, 2025

@ardaguclu: GitHub didn't allow me to request PR reviews from the following users: manusa.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

/cc @manusa

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@Cali0707

Cali0707 commented Oct 2, 2025

Hey @harche I think we fixed this on the upstream repo here: containers#345 and just need to backport that here (cc @ardaguclu @manusa)

@harche
Author

harche commented Oct 2, 2025

Great, thanks.

/close

@manusa

manusa commented Oct 2, 2025

It's fixed, if snyk still complains we'll need to add the exception.

@openshift-ci openshift-ci bot closed this Oct 2, 2025

openshift-ci bot commented Oct 2, 2025

@harche: Closed this PR.

In response to this:

Great, thanks.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


4 participants