sonatype-2021-4646 #178
Comments
[sonatype-2021-4646] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in rust-embed-impl

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Hmm, I don't know if the typical scenario Any ideas, should we normalize the input path and remove
Maybe check if the canonical path starts with the crate root? If not, reject it.
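The check proposed in the comment above, written out as an added example (this is not rust-embed's own code and does not reproduce the fix in commit e1720ce): the embed root and the requested path are both canonicalized by the OS, so `..` components and symlinks are resolved before the prefix comparison, and anything that lands outside the root is rejected. The function names `resolve_inside`, `make_fixture` and `is_embeddable`, the `PermissionDenied` error, and the temp-dir layout are this example's own assumptions.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};
use std::time::{SystemTime, UNIX_EPOCH};

/// Return the canonical form of `root/requested` only if it still lies inside
/// `root` after `..` components and symlinks have been resolved by the OS.
/// Both sides are canonicalized so that e.g. `/tmp` and `/private/tmp` compare equal.
pub fn resolve_inside(root: &Path, requested: &str) -> io::Result<PathBuf> {
    let root = root.canonicalize()?;
    // An absolute `requested` replaces `root` in `join`; that is fine, because the
    // result then simply fails the prefix check below instead of being trusted.
    let candidate = root.join(requested).canonicalize()?;
    if candidate.starts_with(&root) {
        Ok(candidate)
    } else {
        Err(io::Error::new(
            io::ErrorKind::PermissionDenied,
            format!("{} resolves outside {}", candidate.display(), root.display()),
        ))
    }
}

/// Convenience wrapper: true if `requested` would be accepted for embedding under `root`.
/// Missing files are rejected too, since `canonicalize` needs an existing path.
pub fn is_embeddable(root: &Path, requested: &str) -> bool {
    resolve_inside(root, requested).is_ok()
}

/// Constructed fixture under the system temp dir (assumed layout, not rust-embed's):
///   <base>/secret.txt                      outside the embed root
///   <base>/assets/index.html               inside the embed root
///   <base>/assets/escape -> ../secret.txt  symlink pointing out of the root (unix only)
pub fn make_fixture() -> io::Result<PathBuf> {
    let nanos = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_nanos();
    let base = std::env::temp_dir().join(format!("embed-check-{}-{}", std::process::id(), nanos));
    let assets = base.join("assets");
    fs::create_dir_all(&assets)?;
    fs::write(base.join("secret.txt"), b"not for embedding")?;
    fs::write(assets.join("index.html"), b"<h1>hi</h1>")?;
    #[cfg(unix)]
    {
        std::os::unix::fs::symlink("../secret.txt", assets.join("escape"))?;
    }
    Ok(base)
}

fn main() -> io::Result<()> {
    let base = make_fixture()?;
    let assets = base.join("assets");
    // Relative traversal, a symlink escape, and a plain in-root file.
    let requests = ["index.html", "../secret.txt", "escape"];
    for req in requests.iter() {
        match resolve_inside(&assets, req) {
            Ok(p) => println!("accepted {:?} -> {}", req, p.display()),
            Err(e) => println!("rejected {:?}: {}", req, e),
        }
    }
    // Absolute path to a file outside the root is rejected as well.
    let abs = base.join("secret.txt");
    println!("absolute {} accepted: {}", abs.display(), is_embeddable(&assets, abs.to_str().unwrap()));
    fs::remove_dir_all(&base)
}
```

Two caveats worth keeping in mind when applying this at build time: `canonicalize` follows symlinks, so a link inside the root that points outside it is rejected rather than silently embedded, and it fails on paths that do not exist, which is the desired outcome for an embed macro but means the error kind will be `NotFound` rather than `PermissionDenied` in that case.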
I thought we already patched this?
Yep, just saw the code. It was implemented by you in this commit: e1720ce
Can it just be that they have to recheck the project again? Maybe you should try to contact them as maintainers.
@pyrossh I think the issue is that we didn't release the impl crate for the last two versions. It's still on 6.2.0: Edit: That, or they mixed up the impl vs main crate versions.
@AzureMarker the latest impl crate version is
I think the confusion was that 6.2.0 of the main crate did have the bug (according to the changelog), but it was fixed in the 6.2.0 version of the impl crate.
cargo pants reports the following vulnerability:
Vulnerable Dependencies
[1/1] pkg:cargo/rust-embed-impl@6.2.0
1 known vulnerability found
Vulnerability Title: 1 vulnerability found
╭─────────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ ID │ sonatype-2021-4646 │
├─────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Description │ 1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request │
│ │ for this information using your registered account │
├─────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ CVSS Score │ 7.8 │
├─────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ CVSS Vector │ CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H │
├─────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Reference │ https://ossindex.sonatype.org │
╰─────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
Inverse Dependency graph
rust-embed-impl 6.2.0 (git+https://github.com/pyrossh/rust-embed#451568cd0c93a9fd363829f54c17785e432bf4e8)
└── rust-embed 6.4.0 (git+https://github.com/pyrossh/rust-embed#451568cd0c93a9fd363829f54c17785e432bf4e8)