Skip to content

security: use traversal safe os.Root for FS operations #1222

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
evict merged 3 commits into from
Dec 4, 2025
Merged

security: use traversal safe os.Root for FS operations #1222

evict merged 3 commits into from
Dec 4, 2025

Conversation

@evict
Copy link
Contributor

@evict evict commented Dec 1, 2025
edited
Loading

This implement a path traversal safe file system to be used with serve-git

Test plan

Tested cloning repositories with serve-git, works fine. Doesn't download symlinks.

@evict evict force-pushed the vr/servegit/use-traversal-safe-api branch 2 times, most recently from 4cc942a to 106ec65 Compare December 2, 2025 12:17
@evict evict force-pushed the vr/servegit/use-traversal-safe-api branch from 106ec65 to 6d2bdce Compare December 2, 2025 12:24
@evict evict marked this pull request as ready for review December 2, 2025 12:24
@evict evict requested review from a team and keegancsmith December 2, 2025 12:24
@evict evict self-assigned this Dec 2, 2025
@keegancsmith
Copy link
Member

keegancsmith commented Dec 2, 2025

I will review this closely tomorrow morning!

evict
evict commented Dec 4, 2025
View reviewed changes
keegancsmith
keegancsmith approved these changes Dec 4, 2025
View reviewed changes
@evict evict force-pushed the vr/servegit/use-traversal-safe-api branch from 6d2bdce to d53bf3a Compare December 4, 2025 15:35
@evict evict force-pushed the vr/servegit/use-traversal-safe-api branch from 47e7186 to b43f159 Compare December 4, 2025 15:42
@evict evict changed the title security: use traversal safe os.Root and limit request size security: use traversal safe os.Root Dec 4, 2025
@evict evict changed the title security: use traversal safe os.Root security: use traversal safe os.Root for FS operations Dec 4, 2025
@evict evict merged commit 08d669c into main Dec 4, 2025
9 of 11 checks passed
@evict evict deleted the vr/servegit/use-traversal-safe-api branch December 4, 2025 16:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@keegancsmith keegancsmith keegancsmith approved these changes

Assignees

@evict evict

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@evict @keegancsmith