Skip to content

feat: only allow paths to be in working directory#572

Merged
matthiasbruns merged 6 commits into
open-component-model:mainfrom
matthiasbruns:feat/565_relative_file_pointers_blob
Aug 15, 2025
Merged

feat: only allow paths to be in working directory#572
matthiasbruns merged 6 commits into
open-component-model:mainfrom
matthiasbruns:feat/565_relative_file_pointers_blob

Conversation

@matthiasbruns

@matthiasbruns matthiasbruns commented Aug 15, 2025
edited
Loading

Copy link
Copy Markdown
Contributor

Based on the comment #557 (comment)

What this PR does / why we need it

Resolve file/dir inputs relative to the constructor file by wiring a filesystem working directory through input methods; default-deny path escapes with an explicit opt-out.

Changes (high level):

  • Added WorkingDirectory handling to the input bindings

Which issue(s) this PR fixes

Fixes #565

Copilot AI review requested due to automatic review settings August 15, 2025 06:55
@matthiasbruns matthiasbruns requested a review from a team as a code owner August 15, 2025 06:55
@github-actions github-actions Bot added kind/feature new feature, enhancement, improvement, extension size/m Medium labels Aug 15, 2025
Copilot AI reviewed Aug 15, 2025
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR implements security improvements for file path handling by restricting file access to a working directory and preventing path traversal attacks. The changes add a new function to safely resolve file paths within a specified working directory with default-deny behavior for path escapes.

  • Added GetBlobInWorkingDirectory function with working directory validation
  • Implemented ensureWdOrPath helper function using os.OpenInRoot for secure path resolution
  • Added comprehensive test coverage for various path scenarios including valid and invalid cases

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
bindings/go/blob/filesystem/file.go Adds new functions for working directory-constrained file access
bindings/go/blob/filesystem/file_test.go Adds test coverage for working directory validation scenarios

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

Comment thread bindings/go/blob/filesystem/file.go Outdated
@matthiasbruns matthiasbruns force-pushed the feat/565_relative_file_pointers_blob branch from 6cdf89c to 845e14a Compare August 15, 2025 06:57
@matthiasbruns matthiasbruns mentioned this pull request Aug 15, 2025
Merged
@matthiasbruns matthiasbruns force-pushed the feat/565_relative_file_pointers_blob branch 3 times, most recently from 717c4a6 to 1c817f1 Compare August 15, 2025 07:22
@github-actions github-actions Bot added the size/l Large label Aug 15, 2025
@jakobmoellerdev @matthiasbruns
feat: only allow paths to be in working directory
1dd6726 
Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
@matthiasbruns matthiasbruns force-pushed the feat/565_relative_file_pointers_blob branch from 1c817f1 to 1dd6726 Compare August 15, 2025 07:24
@matthiasbruns
feat: only allow paths to be in working directory
04093e4 
Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
fabianburth
fabianburth requested changes Aug 15, 2025
View reviewed changes

@fabianburth fabianburth left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good now!
I'd like to propose two more tiny changes (which are arguably kind of nits), then we are ready to merge.

Comment thread bindings/go/blob/filesystem/file_test.go Outdated
Comment thread bindings/go/blob/filesystem/file_unix_test.go
fabianburth
fabianburth reviewed Aug 15, 2025
View reviewed changes
Comment thread bindings/go/blob/filesystem/file.go
@matthiasbruns
Update bindings/go/blob/filesystem/file.go
c92da96 
Co-authored-by: Fabian Burth <fabian.burth@sap.com>

Update bindings/go/blob/filesystem/file_test.go

Co-authored-by: Fabian Burth <fabian.burth@sap.com>

Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
@matthiasbruns matthiasbruns force-pushed the feat/565_relative_file_pointers_blob branch from 06c8a30 to c92da96 Compare August 15, 2025 08:38
matthiasbruns and others added 2 commits August 15, 2025 10:47
@matthiasbruns
feat: only allow paths to be in working directory
15f9b5c 
Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
@matthiasbruns
feat: only allow paths to be in working directory
39a706b 
Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
fabianburth
fabianburth reviewed Aug 15, 2025
View reviewed changes

@fabianburth fabianburth left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please wrap the errors before returning. This makes it way easier to search for the concrete places in code later.

Comment thread bindings/go/blob/filesystem/file_unix_test.go
Comment thread bindings/go/blob/filesystem/file.go Outdated
Comment thread bindings/go/blob/filesystem/file.go Outdated
Comment thread bindings/go/blob/filesystem/file.go Outdated
Comment thread bindings/go/blob/filesystem/file.go Outdated
@matthiasbruns matthiasbruns force-pushed the feat/565_relative_file_pointers_blob branch from 56bf739 to bd2b842 Compare August 15, 2025 09:09
@matthiasbruns
feat: only allow paths to be in working directory
7cdd838 
Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
@matthiasbruns matthiasbruns force-pushed the feat/565_relative_file_pointers_blob branch from bd2b842 to 7cdd838 Compare August 15, 2025 09:16
@matthiasbruns matthiasbruns merged commit 3fce461 into open-component-model:main Aug 15, 2025
17 checks passed
@matthiasbruns matthiasbruns deleted the feat/565_relative_file_pointers_blob branch August 15, 2025 09:19
jakobmoellerdev
jakobmoellerdev reviewed Aug 15, 2025
View reviewed changes
Comment thread bindings/go/blob/filesystem/file.go
// If the path is absolute, it checks if the path is valid within the working directory.
// If the path is relative, it resolves it against the working directory and prevents escaping the working directory.
// If the path cannot be resolved or is invalid, it returns an error.
func EnsurePathInWorkingDirectory(path, workingDirectory string) (_ string, err error) {

@jakobmoellerdev jakobmoellerdev Aug 15, 2025

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why was this function exported, is it needed elsewhere?? IMO our blob package should deal with blobs and not expose functions on filepaths.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jakobmoellerdev jakobmoellerdev jakobmoellerdev left review comments

Copilot code review Copilot Copilot left review comments

@fabianburth fabianburth fabianburth approved these changes

Assignees

No one assigned

Labels

kind/feature new feature, enhancement, improvement, extension size/l Large size/m Medium

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

make file and dir inputs support relative paths

4 participants

@matthiasbruns @fabianburth @jakobmoellerdev