author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2021-07-06 04:31:54 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-07-06 04:31:54 -0400 |
commit | c583d4dd8c34bab1d5c72123aa3914b1269cb57b (patch) | |
tree | caaab69f1e8cdaf262a492e5b953a7e839eddf33 /vendor/github.com/cyphar/filepath-securejoin/README.md | |
parent | ba29b30d7432a1c598df7f6dc84999045efc8805 (diff) | |
parent | 518457b3546e87bd7a8fe9f9a917b8b9c7bcaad6 (diff) | |
Merge pull request #10860 from containers/dependabot/go_modules/github.com/cyphar/filepath-securejoin-0.2.3
Bump github.com/cyphar/filepath-securejoin from 0.2.2 to 0.2.3
Diffstat (limited to 'vendor/github.com/cyphar/filepath-securejoin/README.md')
-rw-r--r-- | vendor/github.com/cyphar/filepath-securejoin/README.md | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/vendor/github.com/cyphar/filepath-securejoin/README.md b/vendor/github.com/cyphar/filepath-securejoin/README.md index 49b2baa9f..3624617c8 100644 --- a/vendor/github.com/cyphar/filepath-securejoin/README.md +++ b/vendor/github.com/cyphar/filepath-securejoin/README.md @@ -7,6 +7,19 @@ standard library][go#20126]. The purpose of this function is to be a "secure" alternative to `filepath.Join`, and in particular it provides certain guarantees that are not provided by `filepath.Join`. +> **NOTE**: This code is *only* safe if you are not at risk of other processes +> modifying path components after you've used `SecureJoin`. If it is possible +> for a malicious process to modify path components of the resolved path, then +> you will be vulnerable to some fairly trivial TOCTOU race conditions. [There +> are some Linux kernel patches I'm working on which might allow for a better +> solution.][lwn-obeneath] +> +> In addition, with a slightly modified API it might be possible to use +> `O_PATH` and verify that the opened path is actually the resolved one -- but +> I have not done that yet. I might add it in the future as a helper function +> to help users verify the path (we can't just return `/proc/self/fd/<foo>` +> because that doesn't always work transparently for all users). + This is the function prototype: ```go @@ -16,8 +29,8 @@ func SecureJoin(root, unsafePath string) (string, error) This library **guarantees** the following: * If no error is set, the resulting string **must** be a child path of - `SecureJoin` and will not contain any symlink path components (they will all - be expanded). + `root` and will not contain any symlink path components (they will all be + expanded). * When expanding symlinks, all symlink path components **must** be resolved relative to the provided root. In particular, this can be considered a 
@@ -25,7 +38,7 @@ This library **guarantees** the following: these symlinks will **not** be expanded lexically (`filepath.Clean` is not called on the input before processing). -* Non-existant path components are unaffected by `SecureJoin` (similar to +* Non-existent path components are unaffected by `SecureJoin` (similar to `filepath.EvalSymlinks`'s semantics). * The returned path will always be `filepath.Clean`ed and thus not contain any @@ -57,6 +70,7 @@ func SecureJoin(root, unsafePath string) (string, error) { } ``` +[lwn-obeneath]: https://lwn.net/Articles/767547/ [go#20126]: https://github.com/golang/go/issues/20126 ### License ### |
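Review bot: In the first hunk (@@ -7,6 +7,19 @@), the added NOTE states the precondition for safety (no other process modifying path components after `SecureJoin` has been used) but does not say what a caller should do when that precondition does not hold. Its first-person, time-relative wording ("patches I'm working on", "I have not done that yet") will also go stale without the reader being able to tell. Suggest adding one sentence of guidance for callers in that situation and pointing the in-progress remarks at a tracking issue next to the existing `[lwn-obeneath]` link. Since this is a vendored copy, the wording belongs upstream; for this bump the relevant follow-up is confirming that call sites in this tree do not rely on the returned path where another process can modify its components.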
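Review bot: In the second hunk (@@ -16,8 +29,8 @@), the corrected guarantee "the resulting string **must** be a child path of `root`" still leaves open whether the result may be equal to `root` itself. Suggest saying so explicitly in that bullet, since a caller that validates the returned path against `root` needs to know which of the two holds.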