Skip to content

deps: update to github.com/cyphar/filepath-securejoin@v0.4.1#4590

Merged
AkihiroSuda merged 1 commit intoopencontainers:mainfrom
cyphar:securejoin-0.4.0
Jan 29, 2025
Merged

deps: update to github.com/cyphar/filepath-securejoin@v0.4.1#4590
AkihiroSuda merged 1 commit intoopencontainers:mainfrom
cyphar:securejoin-0.4.0

Conversation

@cyphar
Copy link
Member

@cyphar cyphar commented Jan 13, 2025

This release includes a minor breaking API change that requires us to
rework the types of our wrappers, but there is no practical behaviour
change.

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

@cyphar cyphar mentioned this pull request Jan 13, 2025
Closed
kolyshkin
kolyshkin approved these changes Jan 13, 2025
View reviewed changes
Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@kolyshkin
Copy link
Contributor

kolyshkin commented Jan 13, 2025

tests/cmd/seccompagent fails in SecureJoin; with added diagnostics, here's the error

time="2025-01-13T12:47:39-08:00" level=error msg="securejoin("/proc/1279734/root/", "/dev/shm/foo-bar") error: root path provided to SecureJoin was not filepath.Clean"

I think this is about trailing / in the first argument; indeed, the following fix helps (I've also left the added diagnostics in place as otherwise the error is not shown anywhere):

diff --git a/tests/cmd/seccompagent/seccompagent.go b/tests/cmd/seccompagent/seccompagent.go
index be1e6c25..9d070474 100644
--- a/tests/cmd/seccompagent/seccompagent.go
+++ b/tests/cmd/seccompagent/seccompagent.go
@@ -144,15 +144,16 @@ func runMkdirForContainer(pid uint32, fileName string, mode uint32, metadata str
        // We validated before that metadata is not a string that can make
        // newFile a file in a different location other than root.
        newFile := fmt.Sprintf("%s-%s", fileName, metadata)
-       root := fmt.Sprintf("/proc/%d/cwd/", pid)
+       root := fmt.Sprintf("/proc/%d/cwd", pid)
 
        if strings.HasPrefix(fileName, "/") {
                // If it starts with /, use the rootfs as base
-               root = fmt.Sprintf("/proc/%d/root/", pid)
+               root = fmt.Sprintf("/proc/%d/root", pid)
        }
 
        path, err := securejoin.SecureJoin(root, newFile)
        if err != nil {
+               logrus.Errorf("securejoin(%q, %q) error: %v", root, newFile, err)
                return err
        }

I'm not sure how many other real users cyphar/filepath-securejoin#43 breaks; if there will be more, maybe it makes sense to relax the validation slightly (e.g. do not allow ../ and /.., but allow extra slashes).

@kolyshkin kolyshkin self-requested a review January 13, 2025 20:57
@kolyshkin
Copy link
Contributor

kolyshkin commented Jan 13, 2025

e.g. do not allow ../ and /.., but allow extra slashes

Oh well, it's not that easy of course.

@jsafrane jsafrane mentioned this pull request Jan 14, 2025
Closed
mtrmac added a commit to mtrmac/libpod that referenced this pull request Jan 14, 2025
@mtrmac
DO NOT MERGE: Update runc for securejoin API change
b95daee 
> go mod edit -replace github.com/opencontainers/runc=github.com/cyphar/runc@securejoin-0.4.0
per opencontainers/runc#4590 .

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
mtrmac added a commit to mtrmac/libpod that referenced this pull request Jan 14, 2025
@mtrmac
DO NOT MERGE: Update runc for securejoin API change
2588f69 
> go mod edit -replace github.com/opencontainers/runc=github.com/cyphar/runc@securejoin-0.4.0
per opencontainers/runc#4590 .

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
mtrmac added a commit to mtrmac/libpod that referenced this pull request Jan 14, 2025
@mtrmac
DO NOT MERGE: Update runc for securejoin API change
767890c 
> go mod edit -replace github.com/opencontainers/runc=github.com/cyphar/runc@securejoin-0.4.0
per opencontainers/runc#4590 .

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@mtrmac mtrmac mentioned this pull request Jan 14, 2025
Closed
1 task
mtrmac added a commit to mtrmac/libpod that referenced this pull request Jan 14, 2025
@mtrmac
DO NOT MERGE: Update runc for securejoin API change
1403016 
> go mod edit -replace github.com/opencontainers/runc=github.com/cyphar/runc@securejoin-0.4.0
per opencontainers/runc#4590 .

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
mtrmac added a commit to mtrmac/libpod that referenced this pull request Jan 14, 2025
@mtrmac
DO NOT MERGE: Update runc for securejoin API change
77cf164 
> go mod edit -replace github.com/opencontainers/runc=github.com/cyphar/runc@securejoin-0.4.0
per opencontainers/runc#4590 .

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
mtrmac added a commit to mtrmac/libpod that referenced this pull request Jan 14, 2025
@mtrmac
DO NOT MERGE: Update runc for securejoin API change
2ce0c53 
> go mod edit -replace github.com/opencontainers/runc=github.com/cyphar/runc@securejoin-0.4.0
per opencontainers/runc#4590 .

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
mtrmac added a commit to mtrmac/libpod that referenced this pull request Jan 14, 2025
@mtrmac
DO NOT MERGE: Update runc for securejoin API change
55adb5b 
> go mod edit -replace github.com/opencontainers/runc=github.com/cyphar/runc@securejoin-0.4.0
per opencontainers/runc#4590 .

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
mtrmac added a commit to mtrmac/libpod that referenced this pull request Jan 15, 2025
@mtrmac
DO NOT MERGE: Update runc for securejoin API change
7ec87e0 
> go mod edit -replace github.com/opencontainers/runc=github.com/cyphar/runc@securejoin-0.4.0
per opencontainers/runc#4590 .

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
@kolyshkin kolyshkin mentioned this pull request Jan 16, 2025
Merged
mtrmac added a commit to mtrmac/libpod that referenced this pull request Jan 16, 2025
@mtrmac
DO NOT MERGE: Update runc for securejoin API change
59a9e0c 
> go mod edit -replace github.com/opencontainers/runc=github.com/cyphar/runc@securejoin-0.4.0
per opencontainers/runc#4590 .

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
mtrmac added a commit to mtrmac/libpod that referenced this pull request Jan 16, 2025
@mtrmac
DO NOT MERGE: Update runc for securejoin API change
d913224 
> go mod edit -replace github.com/opencontainers/runc=github.com/cyphar/runc@securejoin-0.4.0
per opencontainers/runc#4590 .

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
mtrmac added a commit to mtrmac/storage that referenced this pull request Jan 20, 2025
@mtrmac
Downgrade filepath-securejoin
ab30d56 
opencontainers/runc#4590 is needed for Podman
to be able to use it, so stay on the previous version for now.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Luap99 added a commit to Luap99/storage that referenced this pull request Jan 21, 2025
@Luap99
Revert "fix(deps): update module github.com/cyphar/filepath-securejoi…
d9ab9df 
…n to v0.4.0"

This reverts commit 05dcfd3.

In particular this commit doesn't build when vendored into podman
because runc fails to build with it.
opencontainers/runc#4590

This is not visible in storage because runc is not imported here.

Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This was referenced Jan 21, 2025
Merged
Closed
@mtrmac mtrmac mentioned this pull request Jan 21, 2025
Merged
1 task
@saschagrunert saschagrunert mentioned this pull request Jan 27, 2025
Closed
@cyphar cyphar changed the title deps: update to github.com/cyphar/filepath-securejoin@v0.4.0 deps: update to github.com/cyphar/filepath-securejoin@v0.4.1 Jan 28, 2025
@cyphar
Copy link
Member Author

cyphar commented Jan 28, 2025

Updated to v0.4.1 which includes a fix for the non-clean paths issue.

@cyphar
deps: update to github.com/cyphar/filepath-securejoin@v0.4.1
70e500e 
This release includes a minor breaking API change that requires us to
rework the types of our wrappers, but there is no practical behaviour
change.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
kolyshkin
kolyshkin approved these changes Jan 29, 2025
View reviewed changes
Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@cyphar cyphar mentioned this pull request Jan 29, 2025
Closed
@AkihiroSuda AkihiroSuda merged commit f1c0e63 into opencontainers:main Jan 29, 2025
40 checks passed
@cyphar cyphar deleted the securejoin-0.4.0 branch January 29, 2025 09:03
@cyphar cyphar mentioned this pull request Jan 31, 2025
Closed
@kolyshkin
Copy link
Contributor

kolyshkin commented Jan 31, 2025

Should we backport this to release-1.2?

@kolyshkin kolyshkin added the backport/1.2-todo A PR in main branch which needs to be backported to release-1.2 label Jan 31, 2025
@kolyshkin kolyshkin mentioned this pull request Jan 31, 2025
Merged
@kolyshkin kolyshkin added backport/1.2-done A PR in main branch which has been backported to release-1.2 and removed backport/1.2-todo A PR in main branch which needs to be backported to release-1.2 labels Jan 31, 2025
@kolyshkin
Copy link
Contributor

kolyshkin commented Jan 31, 2025

Should we backport this to release-1.2?

Looks like we should, otherwise those who vendor runc could not bump filepath-securejoin.

@DrDaveD DrDaveD mentioned this pull request Feb 4, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kolyshkin kolyshkin kolyshkin approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees

No one assigned

Labels

backport/1.2-done A PR in main branch which has been backported to release-1.2

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cyphar @kolyshkin @AkihiroSuda