Skip to content
This repository was archived by the owner on Mar 29, 2023. It is now read-only.

fix: error when TAR has files outside of root#56

Merged
lidel merged 3 commits intomasterfrom
feat/error-tar-invalid-rel-paths
Nov 9, 2022
Merged

fix: error when TAR has files outside of root#56
lidel merged 3 commits intomasterfrom
feat/error-tar-invalid-rel-paths

Conversation

@hacdias
Copy link
Member

@hacdias hacdias commented Oct 5, 2022
edited by lidel
Loading

See ipfs/kubo#9029 and the “Security” section added in IPIP-288 (ipfs/specs#288)

This will affect both ipfs get [--archive], as well as the new gateway TAR download format.

/cc @lidel

@hacdias hacdias mentioned this pull request Oct 5, 2022
Merged
6 tasks
@ipfs ipfs deleted a comment from welcome bot Oct 5, 2022
@hacdias hacdias marked this pull request as ready for review October 6, 2022 11:40
@hacdias hacdias requested a review from lidel October 6, 2022 11:40
@hacdias hacdias requested a review from Jorropo October 10, 2022 09:25
@hacdias hacdias requested review from galargh and guseggert November 7, 2022 11:42
Jorropo
Jorropo reviewed Nov 7, 2022
View reviewed changes
@hacdias
Copy link
Member Author

hacdias commented Nov 7, 2022

Thanks @Jorropo! Everything is addressed.

@hacdias hacdias requested a review from Jorropo November 7, 2022 13:57
@lidel lidel changed the title feat: error when TAR has files outside of root fix: error when TAR has files outside of root Nov 9, 2022
lidel
lidel approved these changes Nov 9, 2022
View reviewed changes
Copy link
Member

@lidel lidel left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, @hacdias!

I believe this library is a good place to protect a wide array of users (not just Kubo) from issues described in ipfs/specs#288.

Hopefully does not impact legitimate use cases:

  • I was unable to think about a scenario where this additional validation would introduce regression, but we will also have Kubo 0.17-rc1 to confirm that.
  • If there are any issues, we can always add ipfs get --allow-unsafe-paths (similar to ipfs dag put --allow-big-block).

@lidel lidel merged commit e8cf9a3 into master Nov 9, 2022
@lidel lidel deleted the feat/error-tar-invalid-rel-paths branch November 9, 2022 15:53
@lidel lidel mentioned this pull request Nov 9, 2022
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@guseggert guseggert Awaiting requested review from guseggert

@galargh galargh Awaiting requested review from galargh

@Jorropo Jorropo Awaiting requested review from Jorropo

1 more reviewer

@lidel lidel lidel approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@hacdias hacdias

Labels

None yet

Projects

No open projects
IPFS Shipyard Team
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@hacdias @lidel @Jorropo