
fix: Remove path traversal CWE-23 #8331

Merged
merged 2 commits into argoproj:master from snyk-fix
Apr 7, 2022

Conversation

alexec
Contributor

@alexec alexec commented Apr 7, 2022

Signed-off-by: Alex Collins <alex_collins@intuit.com>

https://app.snyk.io/org/argoproj/project/e917d104-c0c4-477b-853c-9d1451b6f803

You can test these fixes locally:

$ snyk code test --severity-threshold=high ./workflow/executor 

Testing ./workflow/executor ...


✔ Test completed

Organization:      argoproj
Test type:         Static code analysis
Project path:      ./workflow/executor

✔ Awesome! No issues were found.

Signed-off-by: Alex Collins <alex_collins@intuit.com>
@alexec alexec enabled auto-merge (squash) April 7, 2022 16:19
Signed-off-by: Alex Collins <alex_collins@intuit.com>
@@ -832,7 +836,7 @@ func untar(tarPath string, destPath string) error {
case header == nil:
continue
}
target := filepath.Join(dest, header.Name)
target := filepath.Join(dest, filepath.Clean(header.Name))
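Review bot: wrapping header.Name in filepath.Clean before the Join (the `+` line) does not close the CWE-23 finding, because filepath.Join already cleans its result, so an entry named `../../etc/passwd` still resolves to a target above dest exactly as the `-` line did. The check that actually prevents the escape is a containment test after the Join, before `target` is used to create anything on disk: for example compute `filepath.Rel(dest, target)` and reject the entry when the result is `..` or starts with `../`. A scanner that stops flagging the line because it sees Clean is pattern-matching, not proving containment. Minor: the signature names the parameter `destPath` while the body joins against `dest`; worth confirming that `dest` is the cleaned form of `destPath`.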
Member

This should be clean instead of filepath.clean

Contributor Author

I accidentally pushed the clean func, I've reverted.

I wanted to understand how Clean worked with values such as ../../foo

Member

Got it.
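The question in the thread above, how Clean behaves on values like `../../foo`, is answered by the added example below. It is not code from the argo-workflows project: `joinWithClean` reproduces the Join-after-Clean pattern from the diff to show that it still resolves above the destination, and `safeJoin` (a hypothetical name) shows the containment check that actually rejects such entries.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for an archive entry that would land outside dest.
var ErrTraversal = errors.New("tar entry escapes destination directory")

// joinWithClean mirrors the pattern from the diff. filepath.Join already cleans
// its result, so the inner Clean changes nothing: "../../foo" still climbs out.
func joinWithClean(dest, name string) string {
	return filepath.Join(dest, filepath.Clean(name))
}

// safeJoin is the containment check a hardened untar needs (added example, not
// the project's code): join, then verify the result is still inside dest.
func safeJoin(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name)
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil {
		return "", err
	}
	// Anything that needs a ".." hop from dest to reach target is outside dest.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return target, nil
}

func main() {
	// Constructed entry names, the kind a malicious tar would carry.
	for _, name := range []string{"sub/file.txt", "../../foo", "sub/../../../etc/passwd"} {
		p, err := safeJoin("/tmp/out", name)
		fmt.Printf("%-26q joinWithClean=%-22q safeJoin=%q err=%v\n",
			name, joinWithClean("/tmp/out", name), p, err)
	}
}
```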

@alexec alexec merged commit aa9ff17 into argoproj:master Apr 7, 2022
@alexec alexec deleted the snyk-fix branch April 7, 2022 17:43
@sarabala1979 sarabala1979 mentioned this pull request Apr 14, 2022
@alexec alexec mentioned this pull request May 3, 2022
@sarabala1979 sarabala1979 mentioned this pull request May 25, 2022
This was referenced Jun 20, 2022
@sarabala1979 sarabala1979 mentioned this pull request Jul 30, 2022