chore(deps): update module github.com/cyphar/filepath-securejoin to v0.3.6 - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/cyphar/filepath-securejoin	v0.2.4 -> v0.3.6

---

Release Notes

cyphar/filepath-securejoin (github.com/cyphar/filepath-securejoin)

v0.3.6

Compare Source

This release lowers the minimum Go version to Go 1.18 as well as some
library dependencies, in order to make it easier for folks that need to
backport patches using the new filepath-securejoin API onto branches
that are stuck using old Go compilers. For users using Go >= 1.21, this
release contains no functional changes.

• The minimum Go version requirement for filepath-securejoin is now Go 1.18
  (we use generics internally).

  For reference, filepath-securejoin@v0.3.0 somewhat-arbitrarily bumped the
  Go version requirement to 1.21.

  While we did make some use of Go 1.21 stdlib features (and in principle Go
  versions <= 1.21 are no longer even supported by upstream anymore), some
  downstreams have complained that the version bump has meant that they have to
  do workarounds when backporting fixes that use the new filepath-securejoin
  API onto old branches. This is not an ideal situation, but since using this
  library is probably better for most downstreams than a hand-rolled
  workaround, we now have compatibility shims that allow us to build on older
  Go versions.

• Lower minimum version requirement for golang.org/x/sys to v0.18.0 (we
  need the wrappers for fsconfig(2)), which should also make backporting
  patches to older branches easier.

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

v0.3.5

Compare Source

This release primarily includes a fix for an issue involving two
programs racing to MkdirAll the same directory, which caused a
regression with BuildKit.

• MkdirAll will now no longer return an EEXIST error if two racing
  processes are creating the same directory. We will still verify that the path
  is a directory, but this will avoid spurious errors when multiple threads or
  programs are trying to MkdirAll the same path. opencontainers/runc#4543

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

v0.3.4

Compare Source

This release primarily includes a fix that blocked using
filepath-securejoin in Kubernetes.

• Previously, some testing mocks we had resulted in us doing import "testing"
  in non-_test.go code, which made some downstreams like Kubernetes unhappy.
  This has been fixed. (#​32)

Thanks to all of the contributors who made this release possible:

• Aleksa Sarai cyphar@cyphar.com
• Stephen Kitt skitt@redhat.com

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

v0.3.3

Compare Source

This release primarily includes fixes for spurious errors we hit when
checking that directories created by MkdirAll "look right". Upon further
consideration, these checks were fundamentally buggy and didn't offer
any practical protection anyway.

• The mode and owner verification logic in MkdirAll has been removed. This
  was originally intended to protect against some theoretical attacks but upon
  further consideration these protections don't actually buy us anything and
  they were causing spurious errors with more complicated filesystem setups.
• The "is the created directory empty" logic in MkdirAll has also been
  removed. This was not causing us issues yet, but some pseudofilesystems (such
  as cgroup) create non-empty directories and so this logic would've been
  wrong for such cases.

Thanks to all of the contributors who made this release possible:

• Aleksa Sarai cyphar@cyphar.com
• Kir Kolyshkin kolyshkin@gmail.com

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

v0.3.2

Compare Source

This release includes a few fixes for MkdirAll when dealing with S_ISUID
and S_ISGID, to solve a regression runc hit when switching to MkdirAll.

• Passing the S_ISUID or S_ISGID modes to MkdirAllInRoot will now return
  an explicit error saying that those bits are ignored by mkdirat(2). In
  the past a different error was returned, but since the silent ignoring
  behaviour is codified in the man pages a more explicit error seems
  apt. While silently ignoring these bits would be the most compatible
  option, it could lead to users thinking their code sets these bits
  when it doesn't. Programs that need to deal with compatibility can
  mask the bits themselves. (#​23, #​25)

• If a directory has S_ISGID set, then all child directories will have
  S_ISGID set when created and a different gid will be used for any
  inode created under the directory. Previously, the "expected owner and
  mode" validation in securejoin.MkdirAll did not correctly handle this.
  We now correctly handle this case. (#​24, #​25)

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

v0.3.1

Compare Source

• By allowing Open(at)InRoot to opt-out of the extra work done by MkdirAll
  to do the necessary "partial lookups", Open(at)InRoot now does less work
  for both implementations (resulting in a many-fold decrease in the number of
  operations for openat2, and a modest improvement for non-openat2) and is
  far more guaranteed to match the correct openat2(RESOLVE_IN_ROOT)
  behaviour.

• We now use readlinkat(fd, "") where possible. For Open(at)InRoot this
  effectively just means that we no longer risk getting spurious errors during
  rename races. However, for our hardened procfs handler, this in theory should
  prevent mount attacks from tricking us when doing magic-link readlinks (even
  when using the unsafe host /proc handle). Unfortunately Reopen is still
  potentially vulnerable to those kinds of somewhat-esoteric attacks.

  Technically this will only work on post-2.6.39 kernels
  but it seems incredibly unlikely anyone is using filepath-securejoin on a
  pre-2011 kernel.

• Several improvements were made to the errors returned by Open(at)InRoot and
  MkdirAll when dealing with invalid paths under the emulated (ie.
  non-openat2) implementation. Previously, some paths would return the wrong
  error (ENOENT when the last component was a non-directory), and other paths
  would be returned as though they were acceptable (trailing-slash components
  after a non-directory would be ignored by Open(at)InRoot).

  These changes were done to match openat2's behaviour and purely is a
  consistency fix (most users are going to be using openat2 anyway).

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

v0.3.0

Compare Source

This release contains no changes to SecureJoin.

However, it does introduce a new *os.File-based API which is much safer
to use for most usecases. These are adapted from libpathrs and are
the bare minimum to be able to operate more safely on an untrusted
rootfs where an attacker has write access (something that SecureJoin
cannot protect against). The new APIs are:

• OpenInRoot, which resolves a path inside a rootfs and returns an
  *os.File handle to the path. Note that the file handle returned by
  OpenInRoot is an O_PATH handle, which cannot be used for reading or
  writing (as well as some other operations -- see open(2) for more
  details).

• Reopen, which takes an O_PATH file handle and safely re-opens it to
  "upgrade" it to a regular handle.

• MkdirAll, which is a safe implementation of os.MkdirAll that can be
  used to create directory trees inside a rootfs.

As these are new APIs, it is possible they may change in the future.
However, they should be safe to start migrating to as we have extensive
tests ensuring they behave correctly and are safe against various races
and other attacks.

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

v0.2.5

Compare Source

This release makes some minor improvements to SecureJoin:

• Some changes were made to how lexical components are handled during
  resolution. There is no change in behaviour, and both implementations
  are safe, however the newer implementation is much easier to reason
  about.

• The error returned when a symlink loop has been detected will now
  reference the correct path. #​10

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 94.34%. Comparing base (407763a) to head (78b5614).
Report is 7 commits behind head on 4.x.

Additional details and impacted files

@@           Coverage Diff           @@
##              4.x     #134   +/-   ##
=======================================
  Coverage   94.34%   94.34%           
=======================================
  Files          11       11           
  Lines         690      690           
=======================================
  Hits          651      651           
  Misses         36       36           
  Partials        3        3           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.