Patch malicious tarballs directory traversal vuln #7057
Conversation
/lgtm
Codecov Report: All modified and coverable lines are covered by tests ✅

Coverage Diff (main vs. #7057):

           main     #7057    +/-
Coverage   71.34%   71.35%
Files      544      544
Lines      41963    41966    +3
Hits       29940    29943    +3
Misses     10345    10345
Partials   1678     1678

View full report in Codecov by Sentry.
Tarballs with files containing directory traversal components can write files to unintended locations. This change ensures the Untar function will error when a given tarball has a traversal component (..). See https://cwe.mitre.org/data/definitions/22.html
/approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: chrisdoherty4
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/lgtm
/test eks-anywhere-e2e-presubmit
/cherry-pick release-0.18
@chrisdoherty4: new pull request created: #7077
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Fixes https://github.com/aws/eks-anywhere/security/code-scanning/1
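As an added example (not code from the eks-anywhere project or from this PR), the kind of component-level `..` check the description refers to, written in Go with the standard archive/tar package: Targets validates every entry name before anything is extracted and returns the destination path for each entry, and MakeTar builds a constructed in-memory tarball to exercise it. The function and helper names are assumptions, not the project's own.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// HasTraversal reports whether any "/"-separated component of name is "..".
// A component test rejects "../x" and "a/../../x" but not a name like "foo..bar".
func HasTraversal(name string) bool {
	for _, part := range strings.Split(filepath.ToSlash(name), "/") {
		if part == ".." {
			return true
		}
	}
	return false
}

// Targets reads every header in the tarball and returns the path each entry would
// be extracted to under dir, erroring on the first entry with a ".." component.
func Targets(r io.Reader, dir string) ([]string, error) {
	var out []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, err
		}
		if HasTraversal(hdr.Name) {
			return nil, fmt.Errorf("refusing entry %q: directory traversal component", hdr.Name)
		}
		out = append(out, filepath.Join(dir, hdr.Name))
	}
}

// MakeTar builds an in-memory tarball (constructed sample input) with one 1-byte file per name.
func MakeTar(names ...string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644, Size: 1, Typeflag: tar.TypeReg})
		tw.Write([]byte("x"))
	}
	tw.Close()
	return buf.Bytes()
}
```

Because a tar.Reader cannot be rewound, a caller re-opens or buffers the archive and extracts only after Targets has accepted every entry. Entry names are the only thing checked here; symlink and hardlink targets (hdr.Linkname) need their own validation.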