Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.1 #2096

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jul 23, 2024

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/cyphar/filepath-securejoin v0.3.0 -> v0.3.1 age adoption passing confidence

Release Notes

cyphar/filepath-securejoin (github.com/cyphar/filepath-securejoin)

v0.3.1

Compare Source

  • By allowing Open(at)InRoot to opt-out of the extra work done by MkdirAll
    to do the necessary "partial lookups", Open(at)InRoot now does less work
    for both implementations (resulting in a many-fold decrease in the number of
    operations for openat2, and a modest improvement for non-openat2) and is
    far more guaranteed to match the correct openat2(RESOLVE_IN_ROOT)
    behaviour.

  • We now use readlinkat(fd, "") where possible. For Open(at)InRoot this
    effectively just means that we no longer risk getting spurious errors during
    rename races. However, for our hardened procfs handler, this in theory should
    prevent mount attacks from tricking us when doing magic-link readlinks (even
    when using the unsafe host /proc handle). Unfortunately Reopen is still
    potentially vulnerable to those kinds of somewhat-esoteric attacks.

    Technically this will only work on post-2.6.39 kernels
    but it seems incredibly unlikely anyone is using filepath-securejoin on a
    pre-2011 kernel.

  • Several improvements were made to the errors returned by Open(at)InRoot and
    MkdirAll when dealing with invalid paths under the emulated (ie.
    non-openat2) implementation. Previously, some paths would return the wrong
    error (ENOENT when the last component was a non-directory), and other paths
    would be returned as though they were acceptable (trailing-slash components
    after a non-directory would be ignored by Open(at)InRoot).

    These changes were done to match openat2's behaviour and purely is a
    consistency fix (most users are going to be using openat2 anyway).

Signed-off-by: Aleksa Sarai cyphar@cyphar.com


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jul 23, 2024
Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Jul 23, 2024
Copy link
Contributor

openshift-ci bot commented Jul 23, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Luap99, renovate[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit 67b51f0 into main Jul 23, 2024
14 checks passed
@saschagrunert saschagrunert deleted the renovate/git.luolix.top-cyphar-filepath-securejoin-0.x branch July 23, 2024 15:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved dependencies Pull requests that update a dependency file lgtm
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants