vendor: github.com/cyphar/filepath-securejoin v0.2.4
update the dependency to v0.2.4 to prevent scanners from flagging the vulnerability (GHSA-6xv5-86q9-7xr8 / GO-2023-2048). Note that that vulnerability only affects Windows, and is currently only used in runc/libcontainer, so should not impact our use (as that code is Linux-only). full diff: https://github.com/cyphar/filepath-securejoin/compare/v0.2.3...v0.2.4 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
parent
86cd6da76e
commit
291eaf0a77
7 changed files with 17 additions and 28 deletions
|
@ -141,7 +141,7 @@ require (
|
|||
github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
|
||||
github.com/containerd/ttrpc v1.2.2 // indirect
|
||||
github.com/containernetworking/cni v1.1.2 // indirect
|
||||
github.com/cyphar/filepath-securejoin v0.2.3 // indirect
|
||||
github.com/cyphar/filepath-securejoin v0.2.4 // indirect
|
||||
github.com/dimchansky/utfbom v1.1.1 // indirect
|
||||
github.com/dustin/go-humanize v1.0.0 // indirect
|
||||
github.com/felixge/httpsnoop v1.0.4 // indirect
|
||||
|
|
|
@ -378,8 +378,8 @@ github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ
|
|||
github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
|
||||
github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
|
||||
github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
|
||||
github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI=
|
||||
github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
|
||||
github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
|
||||
github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
|
||||
github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
||||
|
|
21
vendor/github.com/cyphar/filepath-securejoin/.travis.yml
generated
vendored
21
vendor/github.com/cyphar/filepath-securejoin/.travis.yml
generated
vendored
|
@ -1,21 +0,0 @@
|
|||
# Copyright (C) 2017 SUSE LLC. All rights reserved.
|
||||
# Use of this source code is governed by a BSD-style
|
||||
# license that can be found in the LICENSE file.
|
||||
|
||||
language: go
|
||||
go:
|
||||
- 1.13.x
|
||||
- 1.16.x
|
||||
- tip
|
||||
arch:
|
||||
- AMD64
|
||||
- ppc64le
|
||||
os:
|
||||
- linux
|
||||
- osx
|
||||
|
||||
script:
|
||||
- go test -cover -v ./...
|
||||
|
||||
notifications:
|
||||
email: false
|
2
vendor/github.com/cyphar/filepath-securejoin/README.md
generated
vendored
2
vendor/github.com/cyphar/filepath-securejoin/README.md
generated
vendored
|
@ -1,6 +1,6 @@
|
|||
## `filepath-securejoin` ##
|
||||
|
||||
[![Build Status](https://travis-ci.org/cyphar/filepath-securejoin.svg?branch=master)](https://travis-ci.org/cyphar/filepath-securejoin)
|
||||
[![Build Status](https://github.com/cyphar/filepath-securejoin/actions/workflows/ci.yml/badge.svg)](https://github.com/cyphar/filepath-securejoin/actions/workflows/ci.yml)
|
||||
|
||||
An implementation of `SecureJoin`, a [candidate for inclusion in the Go
|
||||
standard library][go#20126]. The purpose of this function is to be a "secure"
|
||||
|
|
2
vendor/github.com/cyphar/filepath-securejoin/VERSION
generated
vendored
2
vendor/github.com/cyphar/filepath-securejoin/VERSION
generated
vendored
|
@ -1 +1 @@
|
|||
0.2.3
|
||||
0.2.4
|
||||
|
|
12
vendor/github.com/cyphar/filepath-securejoin/join.go
generated
vendored
12
vendor/github.com/cyphar/filepath-securejoin/join.go
generated
vendored
|
@ -39,17 +39,27 @@ func IsNotExist(err error) bool {
|
|||
// components in the returned string are not modified (in other words are not
|
||||
// replaced with symlinks on the filesystem) after this function has returned.
|
||||
// Such a symlink race is necessarily out-of-scope of SecureJoin.
|
||||
//
|
||||
// Volume names in unsafePath are always discarded, regardless if they are
|
||||
// provided via direct input or when evaluating symlinks. Therefore:
|
||||
//
|
||||
// "C:\Temp" + "D:\path\to\file.txt" results in "C:\Temp\path\to\file.txt"
|
||||
func SecureJoinVFS(root, unsafePath string, vfs VFS) (string, error) {
|
||||
// Use the os.* VFS implementation if none was specified.
|
||||
if vfs == nil {
|
||||
vfs = osVFS{}
|
||||
}
|
||||
|
||||
unsafePath = filepath.FromSlash(unsafePath)
|
||||
var path bytes.Buffer
|
||||
n := 0
|
||||
for unsafePath != "" {
|
||||
if n > 255 {
|
||||
return "", &os.PathError{Op: "SecureJoin", Path: root + "/" + unsafePath, Err: syscall.ELOOP}
|
||||
return "", &os.PathError{Op: "SecureJoin", Path: root + string(filepath.Separator) + unsafePath, Err: syscall.ELOOP}
|
||||
}
|
||||
|
||||
if v := filepath.VolumeName(unsafePath); v != "" {
|
||||
unsafePath = unsafePath[len(v):]
|
||||
}
|
||||
|
||||
// Next path component, p.
|
||||
|
|
2
vendor/modules.txt
vendored
2
vendor/modules.txt
vendored
|
@ -400,7 +400,7 @@ github.com/cpuguy83/tar2go
|
|||
# github.com/creack/pty v1.1.18
|
||||
## explicit; go 1.13
|
||||
github.com/creack/pty
|
||||
# github.com/cyphar/filepath-securejoin v0.2.3
|
||||
# github.com/cyphar/filepath-securejoin v0.2.4
|
||||
## explicit; go 1.13
|
||||
github.com/cyphar/filepath-securejoin
|
||||
# github.com/deckarep/golang-set/v2 v2.3.0
|
||||
|
|
Loading…
Reference in a new issue