
cachi2: allow only relative paths #2137

Conversation

MartinBasti
Contributor

For security reasons, only relative paths within cloned remote source can be specified by users

Maintainers will complete the following section

  • Commit messages are descriptive enough
  • Code coverage from testing does not decrease and new code is covered
  • Python type annotations added to new code
  • JSON/YAML configuration changes are updated in the relevant schema
  • Changes to metadata also update the documentation for the metadata
  • Pull request has a link to an osbs-docs PR for user documentation updates
  • New feature can be disabled from a configuration file

return False

fake_root = Path("/fake_root")
full_path = (fake_root/path).resolve()
Contributor

A path may be OK within a fake root but not within a real root (if it's a symlink in the real root)

Contributor Author

@ben-alkov is working on a symlink check; no symlinks out of the cloned repo allowed.

Contributor Author

But I can rework it to use real cloned data; not a big issue, to be sure that validation is complete.

Contributor

@chmeliik chmeliik Dec 6, 2024


is working on symlink check, no symlinks out of cloned repo allowed.

Hmm, ok

Contributor

But yeah, if it's not a big change to run on the real repo, that would be nicer

For security reasons, only relative paths within cloned remote source
can be specified by users

Don't allow pointing to a symlink that points out of the cloned remote source

Signed-off-by: Martin Basti <[email protected]>
@MartinBasti MartinBasti force-pushed the cachi2_relative_paths_only branch from 2198483 to 9bd3a64 Compare December 6, 2024 13:58
@MartinBasti
Contributor Author

Updated to check symlinks, PTAL
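The check the thread converges on, as an added example (not code from this PR or from atomic-reactor): the user path must be relative and must stay inside the cloned root once resolved, and the resolution must run against the real cloned tree, because a symlink that points outside the clone is only visible there. The function name, the constructed temp-dir scenario and the "evil" symlink are assumptions for illustration.

```python
"""Added example: validate a user-supplied path against a cloned repository root.

Constructed for illustration; not the project's own validation code.
"""
import os
import tempfile
from pathlib import Path


def is_path_inside_root(root: str, user_path: str) -> bool:
    """Return True only if user_path is relative and resolves inside root.

    root should be the real cloned source tree: resolve() follows symlinks
    that exist on disk, so an escaping symlink is only detected there.
    A fake root like "/fake_root" has no symlinks and accepts too much.
    """
    path = Path(user_path)
    if path.is_absolute():
        return False
    real_root = Path(root).resolve()
    full_path = (real_root / path).resolve()
    # is_relative_to (Python 3.9+) rejects "../x" and any symlink escape
    return full_path.is_relative_to(real_root)


def demo_symlink_escape() -> tuple:
    """Constructed scenario: the clone contains 'evil', a symlink to a
    directory outside the clone. Returns the verdicts of the same path
    "evil/secret" checked against a fake root and against the real clone.
    """
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp) / "outside"
        outside.mkdir()
        (outside / "secret").write_text("not part of the clone")
        clone = Path(tmp) / "clone"
        clone.mkdir()
        os.symlink(outside, clone / "evil")  # symlink escaping the clone
        fake_verdict = is_path_inside_root("/fake_root", "evil/secret")
        real_verdict = is_path_inside_root(str(clone), "evil/secret")
    return fake_verdict, real_verdict


if __name__ == "__main__":
    # The fake root wrongly accepts the path; the real clone rejects it.
    print(demo_symlink_escape())
```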

@MartinBasti MartinBasti merged commit 4246270 into containerbuildsystem:feature_cachi2 Dec 10, 2024
14 of 15 checks passed
3 participants