Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Draft - path traversal #3577

Closed
wants to merge 5 commits into from
Closed

Draft - path traversal #3577

wants to merge 5 commits into from

Conversation

noklam
Copy link
Contributor

@noklam noklam commented Jan 30, 2024
edited
Loading

Description

Draft for #3474

Common strategies https://www.stackhawk.com/blog/spring-path-traversal-guide-examples-and-prevention/:

  1. Validate Prefix Path
  2. Safelist

If we take 1., we should read logging automatically from conf_source because this is the most natural location logging.yml sits.

  1. is not really possible, since it's up to user to decide.

Base on what I have read, it seems that injecting full path with environment variable is a bad idea. If we do 1. we need to make sure settings is read before _ProjectLogging (it's reverse now, we should check if this causes any problem).

Development notes

https://docs.snyk.io/snyk-cli/getting-started-with-the-snyk-cli
Run snyk code test to test it on local.

Developer Certificate of Origin

We need all contributions to comply with the Developer Certificate of Origin (DCO). All commits must be signed off by including a Signed-off-by line in the commit message. See our wiki for guidance.

If your PR is blocked due to unsigned commits, then you must follow the instructions under "Rebase the branch" on the GitHub Checks page for your PR. This will retroactively add the sign-off to all unsigned commits and allow the DCO check to pass.

Checklist

  • Read the contributing guidelines
  • Signed off each commit with a Developer Certificate of Origin (DCO)
  • Opened this PR as a 'Draft Pull Request' if it is work-in-progress
  • Updated the documentation to reflect the code changes
  • Added a description of this change in the RELEASE.md file
  • Added tests to cover my changes
  • Checked if this change will affect Kedro-Viz, and if so, communicated that with the Viz team

@noklam noklam linked an issue Jan 30, 2024 that may be closed by this pull request
(security) Path Traversal #3474
Closed
@noklam
update
347c69d 
Signed-off-by: Nok Lam Chan <[email protected]>
@noklam noklam closed this Jan 31, 2024
@noklam
Copy link
Contributor Author

noklam commented Jan 31, 2024

Closed as not planned.

@noklam noklam mentioned this pull request Mar 26, 2024
Closed
@merelcht merelcht deleted the noklam/#3474-path-traversal branch May 20, 2024 14:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yetudada yetudada Awaiting requested review from yetudada yetudada will be requested when the pull request is marked ready for review yetudada is a code owner

@astrojuanlu astrojuanlu Awaiting requested review from astrojuanlu astrojuanlu will be requested when the pull request is marked ready for review astrojuanlu is a code owner

@merelcht merelcht Awaiting requested review from merelcht merelcht will be requested when the pull request is marked ready for review merelcht is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

(security) Path Traversal
1 participant
@noklam