Use safepaths for run download #10009
Copilot reviewed 5 out of 10 changed files in this pull request and generated no suggestions.
Files not reviewed (5)
- acceptance/testdata/workflow/run-download-traversal.txtar: Language not supported
- acceptance/testdata/workflow/run-download.txtar: Language not supported
- pkg/cmd/run/download/http_test.go: Evaluated as low risk
- pkg/cmd/run/download/zip.go: Evaluated as low risk
- pkg/cmd/run/download/http.go: Evaluated as low risk
Comments skipped due to low confidence (1)
- internal/safepaths/absolute.go:67, at `type PathTraversalError struct {`
  [nitpick] The Absolute type does not have a method to convert it to a string representation that includes its fields, which could make debugging more difficult.
Branch force-pushed from bc29a08 to 420974e
andyfeller
left a comment
Looks good with only 1 significant concern
pkg/cmd/run/download/zip.go (Outdated)

```go
if dir := filepath.Dir(dest.String()); dir != "." {
    if extractErr = os.MkdirAll(dir, dirMode); extractErr != nil {
        return
    }
}
```
With `dest` becoming an absolute path, is there any possibility it would be `.`?
Good call out. The only place this makes sense is when `dest` is a filepath that has no dir, e.g. `file.txt`, in which case we would get back `.` from `filepath.Dir`. Since we're working in absolute paths now, this doesn't matter.
Branch force-pushed from 420974e to 9bd8f09
andyfeller
left a comment
Fantastic work as always! ✨
Referenced by a Renovate-generated MR (created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot)) containing the following update:

| Package | Update | Change |
|---|---|---|
| [cli/cli](https://github.com/cli/cli) | patch | `v2.63.1` -> `v2.63.2` |

Release Notes: [`v2.63.2`](https://github.com/cli/cli/releases/tag/v2.63.2): GitHub CLI 2.63.2 ([Compare Source](cli/cli@v2.63.1...v2.63.2))

What's Changed
- Use consistent slice ordering in run download tests by [@williammartin](https://github.com/williammartin) in cli/cli#10006
- Fix bug when fetching bundles from OCI registry by [@malancas](https://github.com/malancas) in cli/cli#10019
- Use safepaths for run download by [@williammartin](https://github.com/williammartin) in cli/cli#10009
- Error for mutually exclusive json and watch flags by [@andyfeller](https://github.com/andyfeller) in cli/cli#10016

**Full Changelog**: cli/cli@v2.63.1...v2.63.2

Configuration: branch creation and automerge at any time (no schedule defined); automerge disabled by config, so the MR is merged manually; rebased whenever the MR becomes conflicted or the rebase/retry checkbox is ticked; closing the MR suppresses further reminders about this update. Generated by [Renovate Bot](https://github.com/renovatebot/renovate).
Description
Fixes #10007
Implementation
As described in #10007 (comment), the issue at hand is that when a specific artifact is targeted, `gh` will unpack it in the directory specified by `--dir`. If unspecified, it defaults to the current dir, `.`. Therefore, we were checking whether `.` descended from `.` and determined that it did not, incorrectly reporting a file traversal.

In my opinion, it's extremely challenging to reason about all the combinations of relative paths that could be provided (just look at these tests). I think it's better for us to work with absolute paths where possible.

I've previously proposed canonicalization of paths (also resolving symlinks) but for the moment enforcing absolute paths seems sufficient. We rely on a new type `safepaths.Absolute` that can be joined with elements to create new absolute paths, or will error if the new path would result in a traversal.

Testing
I added a new acceptance test that asserts correct traversal failure.

I updated the previous acceptance test to cover a few more cases, one of which is the same as #10007. If this test is run against `trunk`, it will fail.
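An added illustration of the approach described in the Implementation section and of the `filepath.Dir` question raised in review; this is example code, not the PR's `safepaths` package, and the `Absolute`, `NewAbsolute` and `Join` names are assumptions. Resolving the base to an absolute path first means the `.`-descends-from-`.` comparison never happens, and `Dir()` of a joined path can no longer be `.`.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a joined path would escape the base directory.
var ErrTraversal = errors.New("path traversal detected")

// Absolute is a hypothetical stand-in for the PR's safepaths.Absolute type:
// it only ever holds a cleaned, absolute path.
type Absolute struct{ path string }

// NewAbsolute resolves dir (relative, absolute or ".") against the working
// directory, so containment is never checked as "." descending from ".".
func NewAbsolute(dir string) (Absolute, error) {
	abs, err := filepath.Abs(dir)
	if err != nil {
		return Absolute{}, err
	}
	return Absolute{path: abs}, nil
}

// Join appends untrusted elements (e.g. archive entry names) and returns
// ErrTraversal unless the cleaned result stays inside a.
func (a Absolute) Join(elems ...string) (Absolute, error) {
	joined := filepath.Join(append([]string{a.path}, elems...)...)
	rel, err := filepath.Rel(a.path, joined)
	if err != nil {
		return Absolute{}, err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return Absolute{}, fmt.Errorf("%w: %q escapes %q", ErrTraversal, rel, a.path)
	}
	return Absolute{path: joined}, nil
}

// String and Dir expose the path; because a is absolute, Dir is never ".".
func (a Absolute) String() string { return a.path }
func (a Absolute) Dir() string    { return filepath.Dir(a.path) }

func main() {
	base, _ := NewAbsolute(".")
	dest, err := base.Join("artifact", "file.txt") // inside the base: ok
	fmt.Println(dest, dest.Dir(), err)
	_, err = base.Join("..", "outside.txt") // escapes the base: ErrTraversal
	fmt.Println(err)
}
```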