Artifact download path traversal check fails on valid path #10007

@Zordrak

Description

Describe the bug

8da27d2 introduced a path traversal check for artifact downloads in v2.63.1.

This traversal check appears to be hitting a false positive with .thing.output.json.

A single file upload, followed by an attempt to download, fails with a path traversal error. Not sure of the cause; perhaps two dots in the filename without being together, or the filename beginning with a dot?

Expected fails:
../foo
./../foo
foo/../bar
foo/bar/..

Expected successes:
foo..bar
foo.bar.baz
.foo
foo/.bar
.foo/.bar

Steps to reproduce the behavior

Using act to emulate GH Actions.

NOTE:

Artifact name: thing.output.json
File name in the artifact: .thing.output.json

      - name: 'Upload Outputs'
        uses: 'actions/upload-artifact@v4'
        with:
          name: 'thing.output.json'
          path: 'path/to/.thing.output.json'
      - name: 'Download'
        shell: 'bash'
        env:
          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
        run: |
          set -x;
          ~/.local/opt/gh-v2.63.1/bin/gh run download -n thing.output.json --repo my/repo;

Result:

+ /root/.local/opt/gh-v2.63.1/bin/gh run download -n thing.output.json --repo my/repo
error downloading thing.output.json: would result in path traversal

Workaround:

Pass the -D option to specify a path to download to:

      - name: 'Download'
        shell: 'bash'
        env:
          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
        run: |
          set -x;
          mkdir foo;
          ~/.local/opt/gh-v2.63.1/bin/gh run download -n thing.output.json --repo my/repo -D foo;

No longer errors.

Expected vs actual behavior

Expected: A single file called .thing.output.json in an artifact should successfully download to the local directory with no directory specified.

Actual: Artifact download fails due to false-positive detection of directory traversal.

Logs

{
  "total_count": 26,
  "artifacts": [
    {
      "id": <redacted>,
      "node_id": "<redacted>",
      "name": "thing.output.json",
      "size_in_bytes": 1706,
      "url": "https://api.github.com/repos/<redacted>/<redacted>/actions/artifacts/<redacted>",
      "archive_download_url": "https://api.github.com/repos/<redacted>/<redacted>/actions/artifacts/<redacted>/zip",
      "expired": false,
      "created_at": "2024-12-04T10:50:55Z",
      "updated_at": "2024-12-04T10:50:55Z",
      "expires_at": "2024-12-11T10:50:55Z",
      "workflow_run": {
        "id": <redacted>,
        "repository_id": <redacted>,
        "head_repository_id": <redacted>,
        "head_branch": "<redacted>",
        "head_sha": "<redacted>"
      }
    },
.....
error downloading thing.output.json: would result in path traversal
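To make the distinction between the reporter's "expected fails" and "expected successes" concrete, here is an added example written for this page; it is not gh's own code and does not reproduce the check introduced by 8da27d2, whose exact logic is not shown here. `substringCheck` is a hypothetical, deliberately naive check modelled on the reporter's two guesses (a leading dot, or ".." anywhere in the name) and exists only to show which safe names such a check rejects. `isTraversal` decides on whole path components instead, so it matches both lists from the issue. The name lists are taken from the issue, with `.thing.output.json` added to the safe list; destination "." stands in for `gh run download` with no `-D`.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// The two lists from the issue, used as the self-check for both checks below.
// ".thing.output.json" is the name from the report, added to the safe list.
var expectedTraversal = []string{"../foo", "./../foo", "foo/../bar", "foo/bar/.."}
var expectedSafe = []string{"foo..bar", "foo.bar.baz", ".foo", "foo/.bar", ".foo/.bar", ".thing.output.json"}

// substringCheck is a hypothetical, deliberately naive check modelled on the
// reporter's two guesses (a leading dot, or ".." anywhere in the name). It is
// not gh's code; it is here to make the false positives visible.
func substringCheck(name string) bool {
	return strings.HasPrefix(name, ".") || strings.Contains(name, "..")
}

// isTraversal decides on whole path components instead of substrings, so a
// dot inside a component ("foo..bar", ".foo") never trips it. Zip entry names
// may carry "/" or "\" separators, so both are treated as separators. It
// rejects empty and absolute names and any ".." component, then confirms with
// filepath.Rel that the joined path still lies strictly under dest.
func isTraversal(dest, name string) bool {
	if name == "" {
		return true
	}
	// absolute or drive-qualified names would escape dest outright
	if filepath.IsAbs(name) || strings.HasPrefix(name, "/") ||
		strings.HasPrefix(name, `\`) || filepath.VolumeName(name) != "" {
		return true
	}
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, component := range strings.FieldsFunc(name, isSep) {
		if component == ".." {
			return true
		}
	}
	// belt and braces: after cleaning, the joined path must still sit below dest;
	// an entry that resolves to dest itself is not a file under it either
	dest = filepath.Clean(dest)
	rel, err := filepath.Rel(dest, filepath.Join(dest, name))
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return true
	}
	return false
}

// falsePositives returns the safe names that check wrongly flags as traversal.
func falsePositives(check func(string) bool) []string {
	var out []string
	for _, n := range expectedSafe {
		if check(n) {
			out = append(out, n)
		}
	}
	return out
}

// missedTraversals returns the traversal names that check lets through.
func missedTraversals(check func(string) bool) []string {
	var out []string
	for _, n := range expectedTraversal {
		if !check(n) {
			out = append(out, n)
		}
	}
	return out
}

func main() {
	// dest "." models `gh run download` with no -D, as in the report
	strict := func(n string) bool { return isTraversal(".", n) }
	fmt.Println("substringCheck false positives:", falsePositives(substringCheck))
	fmt.Println("substringCheck missed:", missedTraversals(substringCheck))
	fmt.Println("isTraversal false positives:", falsePositives(strict))
	fmt.Println("isTraversal missed:", missedTraversals(strict))
}
```

Running it shows the naive check rejecting `foo..bar`, `.foo`, `.foo/.bar` and `.thing.output.json` while the component check rejects nothing from the safe list and still catches every listed traversal. The component check is applied to the raw entry name before any cleaning, because `filepath.Clean("foo/bar/..")` collapses to `foo` and would hide the `..` the reporter expects to be rejected.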

Labels

bug: Something isn't working
gh-run: relating to the gh run command
needs-triage: needs to be reviewed
p2: Affects more than a few users but doesn't prevent core functions
