
Fixes arbitrary file write on fetch #7831

Merged
merged 1 commit into from Jan 31, 2020

Conversation

@arcanis
Member

@arcanis arcanis commented Jan 22, 2020

Summary

In some circumstances it was possible to write files anywhere on the disk when running yarn install. Although it's not that much of an issue considering that most installs are done with postinstall scripts, we don't want that to happen precisely to guarantee some level of safety for people actually using --ignore-scripts.

Test plan

Will add tests after the release.

@arcanis arcanis merged commit 0e7133c into master Jan 31, 2020
18 of 19 checks passed
@jonm01

@jonm01 jonm01 commented Feb 25, 2020

CVE-2020-8131 was assigned.
hackerone report: 730239

@gbl-peterk

@gbl-peterk gbl-peterk commented Feb 27, 2020

CVE-2020-8131 was published 2020-02-24, updated 2020-02-27, and is now appearing as a reason-for-failure during a code promotion job in our CI as reported by Anchore.

How does a dependency-package (i.e. one installed with yarn) recover from this state? As a non-yarn user, I am unfamiliar with recovery options. With npm one would simply update npm, but since we aren't using yarn in our build cycle, I'm unsure what the best course of action is.

@arcanis
Member Author

@arcanis arcanis commented Feb 27, 2020

@gbl-peter I'm sorry, I have no idea what you mean. I suggest asking your devops team where they use Yarn, and ask them to upgrade.


3 participants