From 57abc5cae7d35689c50ddaba2458929591d70b7e Mon Sep 17 00:00:00 2001 From: "cilium-renovate[bot]" <134692979+cilium-renovate[bot]@users.noreply.github.com> Date: Thu, 5 Oct 2023 08:25:49 +0000 Subject: [PATCH] chore(deps): update module github.com/cyphar/filepath-securejoin to v0.2.4 [security] Signed-off-by: cilium-renovate[bot] <134692979+cilium-renovate[bot]@users.noreply.github.com> --- contrib/rthooks/tetragon-oci-hook/go.mod | 2 +- contrib/rthooks/tetragon-oci-hook/go.sum | 4 ++-- .../cyphar/filepath-securejoin/.travis.yml | 21 ------------------- .../cyphar/filepath-securejoin/README.md | 2 +- .../cyphar/filepath-securejoin/VERSION | 2 +- .../cyphar/filepath-securejoin/join.go | 12 ++++++++++- .../tetragon-oci-hook/vendor/modules.txt | 2 +- 7 files changed, 17 insertions(+), 28 deletions(-) delete mode 100644 contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/.travis.yml diff --git a/contrib/rthooks/tetragon-oci-hook/go.mod b/contrib/rthooks/tetragon-oci-hook/go.mod index 5bd282f801e..24cbb606f67 100644 --- a/contrib/rthooks/tetragon-oci-hook/go.mod +++ b/contrib/rthooks/tetragon-oci-hook/go.mod @@ -18,7 +18,7 @@ require ( github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect github.com/cilium/ebpf v0.7.0 // indirect github.com/coreos/go-systemd/v22 v22.3.2 // indirect - github.com/cyphar/filepath-securejoin v0.2.3 // indirect + github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/godbus/dbus/v5 v5.0.6 // indirect github.com/golang/protobuf v1.5.3 // indirect diff --git a/contrib/rthooks/tetragon-oci-hook/go.sum b/contrib/rthooks/tetragon-oci-hook/go.sum index 5cf717412a1..7ac35cd325f 100644 --- a/contrib/rthooks/tetragon-oci-hook/go.sum +++ b/contrib/rthooks/tetragon-oci-hook/go.sum @@ -8,8 +8,8 @@ github.com/cilium/lumberjack/v2 v2.3.0 h1:IhVJMvPpqDYmQzC0KDhAoy7KlaRsyOsZnT97Ns github.com/cilium/lumberjack/v2 v2.3.0/go.mod h1:yfbtPGmg4i//5oEqzaMxDqSWqgfZFmMoV70Mc2k6v0A= github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzAJc1DzSI= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= -github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI= -github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= +github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= +github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/.travis.yml b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/.travis.yml deleted file mode 100644 index b94ff8cf92a..00000000000 --- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/.travis.yml +++ /dev/null @@ -1,21 +0,0 @@ -# Copyright (C) 2017 SUSE LLC. All rights reserved. -# Use of this source code is governed by a BSD-style -# license that can be found in the LICENSE file. - -language: go -go: - - 1.13.x - - 1.16.x - - tip -arch: - - AMD64 - - ppc64le -os: - - linux - - osx - -script: - - go test -cover -v ./... - -notifications: - email: false diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/README.md b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/README.md index 3624617c89b..4eca0f23550 100644 --- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/README.md +++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/README.md @@ -1,6 +1,6 @@ ## `filepath-securejoin` ## -[![Build Status](https://travis-ci.org/cyphar/filepath-securejoin.svg?branch=master)](https://travis-ci.org/cyphar/filepath-securejoin) +[![Build Status](https://github.com/cyphar/filepath-securejoin/actions/workflows/ci.yml/badge.svg)](https://github.com/cyphar/filepath-securejoin/actions/workflows/ci.yml) An implementation of `SecureJoin`, a [candidate for inclusion in the Go standard library][go#20126]. The purpose of this function is to be a "secure" diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/VERSION b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/VERSION index 7179039691c..abd410582de 100644 --- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/VERSION +++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/VERSION @@ -1 +1 @@ -0.2.3 +0.2.4 diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/join.go b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/join.go index 7dd08dbbdf7..aa32b85fb84 100644 --- a/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/join.go +++ b/contrib/rthooks/tetragon-oci-hook/vendor/github.com/cyphar/filepath-securejoin/join.go @@ -39,17 +39,27 @@ func IsNotExist(err error) bool { // components in the returned string are not modified (in other words are not // replaced with symlinks on the filesystem) after this function has returned. // Such a symlink race is necessarily out-of-scope of SecureJoin. +// +// Volume names in unsafePath are always discarded, regardless if they are +// provided via direct input or when evaluating symlinks. Therefore: +// +// "C:\Temp" + "D:\path\to\file.txt" results in "C:\Temp\path\to\file.txt" func SecureJoinVFS(root, unsafePath string, vfs VFS) (string, error) { // Use the os.* VFS implementation if none was specified. if vfs == nil { vfs = osVFS{} } + unsafePath = filepath.FromSlash(unsafePath) var path bytes.Buffer n := 0 for unsafePath != "" { if n > 255 { - return "", &os.PathError{Op: "SecureJoin", Path: root + "/" + unsafePath, Err: syscall.ELOOP} + return "", &os.PathError{Op: "SecureJoin", Path: root + string(filepath.Separator) + unsafePath, Err: syscall.ELOOP} + } + + if v := filepath.VolumeName(unsafePath); v != "" { + unsafePath = unsafePath[len(v):] } // Next path component, p. diff --git a/contrib/rthooks/tetragon-oci-hook/vendor/modules.txt b/contrib/rthooks/tetragon-oci-hook/vendor/modules.txt index 33a0470c755..ae6f346b77d 100644 --- a/contrib/rthooks/tetragon-oci-hook/vendor/modules.txt +++ b/contrib/rthooks/tetragon-oci-hook/vendor/modules.txt @@ -18,7 +18,7 @@ github.com/cilium/tetragon/api/v1/tetragon # github.com/coreos/go-systemd/v22 v22.3.2 ## explicit; go 1.12 github.com/coreos/go-systemd/v22/dbus -# github.com/cyphar/filepath-securejoin v0.2.3 +# github.com/cyphar/filepath-securejoin v0.2.4 ## explicit; go 1.13 github.com/cyphar/filepath-securejoin # github.com/davecgh/go-spew v1.1.1