You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We don't use https://github.com/cyphar/filepath-securejoin nor any alternative to minimize possible attacks when joining strings for a path. As some strings might be supplied by a user (so far is trusted, though), we might end up writing to an unexpected location if what we expect to be a suffix is something like "/../../etc/passwd".
Impact
We can inadvertently create files in other places of the filesystem rather than the expected ones. As we run as root, there are lot of places we can write to.
Ideal future situation
Use some helper to minimize chances of writing files to unexpected locations when joining strings for the name of the file we will create. Specially, for files that take user input.
Current situation
We don't use https://github.com/cyphar/filepath-securejoin nor any alternative to minimize possible attacks when joining strings for a path. As some strings might be supplied by a user (so far is trusted, though), we might end up writing to an unexpected location if what we expect to be a suffix is something like
"/../../etc/passwd"
.Impact
We can inadvertently create files in other places of the filesystem rather than the expected ones. As we run as root, there are lot of places we can write to.
Ideal future situation
Use some helper to minimize chances of writing files to unexpected locations when joining strings for the name of the file we will create. Specially, for files that take user input.
**Implementation options
Use https://github.com/cyphar/filepath-securejoin and
filepath.Base
to sanitize input, as done in the example agent in this PR: opencontainers/runc#2682The text was updated successfully, but these errors were encountered: