You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
It's a bit fishy, not sure if it can be bypassed by encoding the dots. Using https://pkg.go.dev/net/url#URL.ResolveReference and seeing if the result is different than the input would be a more bulletproof way to do it. Also, it could be applied to the whole u := fmt.Sprintf("repos/%s/%s/contents/%s", owner, repo, escapedPath) path, to ensure there is no ../ in any of the other parameters either.
Could we get more information on the actual vulnerability this is protecting from, and the timeline to its resolution, if any ? Right now, I am considering multiple options:
submitting a PR to use a catchable sentinel error
submitting a PR to make that protection an opt-out
waiting for the vulnerability to be fixed, then submitting a PR to remove that protection
As I cannot find any reference to the vulnerability in the GitHub API documentation, I have difficulty making an informed decision 🙂 .
@mrbobbytables : Would you happen to know (1) whether this vulnerability still exists and (2) whether the vulnerability affects any paths that literally contain .. as a substring (as this change implies), rather than just paths that contain .. as a path component (which is more understandable IMHO)? I ask because there's no good way to work around this check in cases where a file– or directory-name happens to actually include .., so if the check can safely be narrowed, that would be very helpful.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.