add fix for zip slip siva vulnerability #30

Merged (1 commit), Jun 11, 2018

Conversation

@smola smola commented Jun 8, 2018

  • document IndexEntry.Name, including security notes.
  • siva unpack now fails if it would result in a file being extracted outside the output directory.
  • Index.ToSafePaths convenience function is provided for users who write siva extraction code and want a quick way to make it safe.

For users: If you are just packing or reading siva files, there is no risk. If you are using entry names as file paths to extract them to the local filesystem you should either validate them yourself, or call ToSafePaths() on the Index before using it.

We'll need to add a note to release notes, something like:

**SECURITY NOTICE:** anyone using `siva unpack` CLI on siva files created by arbitrary 3rd parties should upgrade to this version as soon as possible.

Thanks to Toni Cárdenas (@tcard) for notifying us about the vulnerability.

* document `IndexEntry.Name`, including security notes.
* `siva unpack` now fails if it would result in a file being extracted outside the output directory.
* `Index.ToSafePaths` convenience function is provided for users who write siva extraction code and want a quick way to make it safe.

Thanks to Toni Cárdenas (@tcard) for notifying us about the vulnerability and proposing a fix.

Signed-off-by: Santiago M. Mola <[email protected]>
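The containment check the description above relies on, written out as an added example that is not go-siva's own code: `SafeExtractPath` and `FilterSafeNames` are hypothetical names, and the entry names in `main` are constructed. The check works on the cleaned target path, so a `..` that stays inside the output directory is kept while one that climbs out of it is rejected.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned when an entry name would resolve outside the
// output directory: the zip slip condition the PR above guards against.
var ErrUnsafePath = errors.New("entry path escapes output directory")

// SafeExtractPath joins an archive entry name onto outDir and returns the
// resulting path only if it stays inside outDir. Hypothetical helper.
func SafeExtractPath(outDir, name string) (string, error) {
	cleanOut := filepath.Clean(outDir)
	// Entry names use forward slashes; Join also resolves "." and "..".
	target := filepath.Join(cleanOut, filepath.FromSlash(name))
	rel, err := filepath.Rel(cleanOut, target)
	if err != nil {
		return "", ErrUnsafePath
	}
	// A leading ".." component after cleaning means the path climbed out.
	// Note "..foo" is a legitimate name and must not be rejected.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return target, nil
}

// FilterSafeNames mirrors the idea of Index.ToSafePaths described above:
// names that would escape outDir are dropped, the rest are kept.
func FilterSafeNames(outDir string, names []string) (kept, dropped []string) {
	for _, n := range names {
		if _, err := SafeExtractPath(outDir, n); err != nil {
			dropped = append(dropped, n)
			continue
		}
		kept = append(kept, n)
	}
	return kept, dropped
}

func main() {
	// Constructed sample entry names, including traversal attempts.
	names := []string{"README.md", "a/../b", "..foo", "../../etc/passwd", "a/../../b", ".."}
	kept, dropped := FilterSafeNames("out", names)
	fmt.Println("kept:", kept)
	fmt.Println("dropped:", dropped)
}
```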
@mcuadros mcuadros merged commit 7b77947 into src-d:master Jun 11, 2018
smola added a commit to smola/go-siva that referenced this pull request Jun 25, 2018
Code was broken after merging src-d#30 and src-d#31 together.

Signed-off-by: Santiago M. Mola <[email protected]>
@smola smola mentioned this pull request Jun 25, 2018
smola added a commit to smola/go-siva that referenced this pull request Aug 1, 2018
Code was broken after merging src-d#30 and src-d#31 together.

Signed-off-by: Santiago M. Mola <[email protected]>
smola added a commit that referenced this pull request Sep 28, 2018
* fix tests build

Code was broken after merging #30 and #31 together.

Signed-off-by: Santiago M. Mola <[email protected]>

* fix paths on Windows, ensure closing

Signed-off-by: Santiago M. Mola <[email protected]>

* travis: update go versions

Signed-off-by: Santiago M. Mola <[email protected]>