fix: enforce path validation for push/attach and improve path traversal failure message for pull #988
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
suganyas
requested review from
sajayantony,
shizhMSFT,
SteveLasker,
qweeah and
TerryHowe
as code owners
suganyas
changed the title
|
Can you help rename the PR following the conventional commits? Thanks |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #988 +/- ##
==========================================
- Coverage 81.26% 80.94% -0.33%
==========================================
Files 53 53
Lines 2776 2792 +16
==========================================
+ Hits 2256 2260 +4
- Misses 352 360 +8
- Partials 168 172 +4 ☔ View full report in Codecov by Sentry. |
suganyas
changed the title
qweeah
requested changes
Jun 27, 2023
qweeah
requested changes
Jun 27, 2023
qweeah
requested changes
Jun 27, 2023
qweeah
changed the title
…ttach Signed-off-by: suganyas <ssuganyatce@gmail.com>
Co-authored-by: Billy Zha <qweeah@gmail.com> Signed-off-by: suganyas <ssuganyatce@gmail.com>
Co-authored-by: Billy Zha <qweeah@gmail.com> Signed-off-by: suganyas <ssuganyatce@gmail.com>
Co-authored-by: Billy Zha <qweeah@gmail.com> Signed-off-by: suganyas <ssuganyatce@gmail.com>
Signed-off-by: suganyas <ssuganyatce@gmail.com>
Co-authored-by: Billy Zha <qweeah@gmail.com> Signed-off-by: suganyas <ssuganyatce@gmail.com>
Co-authored-by: Billy Zha <qweeah@gmail.com> Signed-off-by: suganyas <ssuganyatce@gmail.com>
Co-authored-by: Billy Zha <qweeah@gmail.com> Signed-off-by: suganyas <ssuganyatce@gmail.com>
Co-authored-by: Billy Zha <qweeah@gmail.com> Signed-off-by: suganyas <ssuganyatce@gmail.com>
Co-authored-by: Billy Zha <qweeah@gmail.com> Signed-off-by: suganyas <ssuganyatce@gmail.com>
Co-authored-by: Billy Zha <qweeah@gmail.com> Signed-off-by: suganyas <ssuganyatce@gmail.com>
Signed-off-by: suganyas <ssuganyatce@gmail.com>
shizhMSFT
reviewed
Jun 28, 2023
Co-authored-by: Shiwei Zhang <shizh@microsoft.com> Signed-off-by: suganyas <ssuganyatce@gmail.com>
Co-authored-by: Shiwei Zhang <shizh@microsoft.com> Signed-off-by: suganyas <ssuganyatce@gmail.com>
Co-authored-by: Shiwei Zhang <shizh@microsoft.com> Signed-off-by: suganyas <ssuganyatce@gmail.com>
This was referenced Jun 29, 2023
shizhMSFT
added a commit
to shizhMSFT/oras
that referenced
this pull request
Aug 3, 2023
…al failure message for pull (oras-project#988) Signed-off-by: suganyas <ssuganyatce@gmail.com> Co-authored-by: Billy Zha <qweeah@gmail.com> Co-authored-by: Shiwei Zhang <shizh@microsoft.com>
njelich
added a commit
to njelich/publish-feature
that referenced
this pull request
Jan 26, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
I just tried to push an artifact file from linux environment from a absolute path or from different directory. The path is implicitly taken by the oras cli or oras sdk when I pushed it. Like the file was in a directory /home/vts/1/a.exe. and I pushed from /home/test. I am ok if the push fails stating me that the file is not in the current directory and for security reasons you have to be in same working directory. But the push passes and pull fails . So disallow is a much better option. I am sure when I used ORAS python SDK it did fail with error stating as here https://github.com/oras-project/oras-py/blob/209c9b98043a00d1b04789cc2967ca7021dc5b2e/oras/provider.py#L651 . The CLI should have same behaviour as SDK. Then push and pull are coherent. It can be a bad experience when push is ok and pull fails and when different people do it can be hard for people to understand why it fails and also cross platform can fail if it is not intentional
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #
#980
#983
#978
Please check the following list:
Screenshot showing the scenarios tested