Fix tar/untar to never add current dir entry and avoid traversal attacks by jonesbusy · Pull Request #283 · oras-project/oras-java · GitHub

Fix tar/untar to never add current dir entry and avoid traversal attacks #283


Merged


jonesbusy
Collaborator

Description

Fix: #147

Testing done

mvn clean install

Check also created archive

tar xvsf /tmp/oras12228838129694979415.tar
dir2/
dir2/file2
dir2/dir3/
dir2/dir3/file4
empty/
dir1/
dir1/file3
dir1/file1

Submitter checklist

  • I have read and understood the CONTRIBUTING guide
  • I have run mvn license:update-file-header, mvn spotless:apply, pre-commit run -a, mvn clean install before opening the PR

jonesbusy added the bug (Something isn't working) and security labels on Apr 25, 2025
codecov bot commented Apr 25, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 87.98%. Comparing base (9fb09b6) to head (a1ac398).
Report is 10 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff              @@
##               main     #283      +/-   ##
============================================
- Coverage     88.02%   87.98%   -0.05%     
- Complexity      548      549       +1     
============================================
  Files            39       39              
  Lines          1729     1739      +10     
  Branches        191      193       +2     
============================================
+ Hits           1522     1530       +8     
  Misses          132      132              
- Partials         75       77       +2     


jonesbusy force-pushed the feature/never-add-current-directory-tar branch from 974a230 to a1ac398 on April 25, 2025 09:12
Signed-off-by: Valentin Delaye <jonesbusy@users.noreply.github.com>
jonesbusy merged commit 10433ac into oras-project:main on Apr 25, 2025
4 checks passed
jonesbusy deleted the feature/never-add-current-directory-tar branch on April 25, 2025 09:15
Labels
bug (Something isn't working), security
Development

Successfully merging this pull request may close these issues.

Fix code scanning alert - Arbitrary file access during archive extraction ("Zip Slip")