Remediate zipslip #1817
Conversation
Paths in the archives containing .. could creep out of the directory they were being unpacked into.
The fix is simple: given a base path and file path, instead of
filepath.Join(base, file)
do
filepath.Join(base, filepath.Join("/", file))
Joining to / has the property of swallowing up any .. that may appear.
Signed-off-by: Ronald G Minnich <rminnich@gmail.com>
I did file an issue with golang.org and everyone said "it's not a problem" so ... we fix it here.
So in other words, this fixes a path traversal flaw? Could we add some fixtures to test that? Like https://github.com/jwilk/traversal-archives
Just a note, this repo will work great for zip and tar, but not for cpio for your case. I needed to create a
Second note :)
ETIMEDOUT
One way to test this would be to use
@rminnich should this be just a matter of using
Let's revive this. We're getting security alerts.
Fixed in #2344
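The fix described in this PR, as an added Go example (not code from the PR or from its project): the join pattern being replaced beside the hardened one, run over constructed archive member names so the difference is visible. The base directory and member names are constructed, and Unix-style paths are assumed.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// naiveDest is the pattern the PR replaces: the member name is joined
// straight under the extraction root. filepath.Join cleans the result,
// so ".." segments in name walk up and out of base.
func naiveDest(base, name string) string {
	return filepath.Join(base, name)
}

// safeDest is the PR's fix: rooting the member name at "/" first makes
// Clean drop every leading "..", since nothing sits above "/", and the
// rooted, cleaned name is then placed under base.
func safeDest(base, name string) string {
	return filepath.Join(base, filepath.Join("/", name))
}

// escapes reports whether dest lies outside base. It is a check for the
// demonstration only; the fix itself does not need it.
func escapes(base, dest string) bool {
	rel, err := filepath.Rel(base, dest)
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	base := "/tmp/extract" // constructed extraction root
	// Constructed archive member names: one benign, four traversal shapes.
	names := []string{"etc/motd", "../../etc/passwd", "a/../../b", "/etc/passwd", "x/./../.."}
	for _, n := range names {
		naive := naiveDest(base, n)
		fmt.Printf("%-18s naive=%-24s escapes=%-5v safe=%s\n",
			n, naive, escapes(base, naive), safeDest(base, n))
	}
}
```

A member name that cleans all the way back to the root (such as x/./../..) maps onto base itself rather than above it, which is the whole point of the "/" join.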