
Remove global clients #1014

Draft. Wants to merge 3 commits into base branch datarace-on-config-access.

Conversation

@dido18 (Contributor) commented Jan 27, 2025

Please check if the PR fulfills these requirements

  • The PR has no duplicates (please search among the Pull Requests
    before creating one)
  • Tests for the changes have been added (for bug fixes / features)
  • What kind of change does this PR introduce?
  • What is the current behavior?
  • What is the new behavior?
  • Does this PR introduce a breaking change?
  • Other information:

Annotated lines in conn.go (alert location):

	}
	log.Printf("Saving %s on %s", extraFile.Filename, path)

	err = os.MkdirAll(filepath.Dir(path), 0744)

Check failure: Code scanning / CodeQL

Uncontrolled data used in path expression (High)
This path depends on a user-provided value.

Copilot Autofix (AI) commented about 1 month ago

To fix the problem, we need to ensure that the user-provided filenames in extraFile.Filename do not contain any path separators or parent directory references. This can be done by validating the filenames before using them to construct file paths. We will add a validation step to check for the presence of "/" or "\" or ".." in the filenames and reject the input if any are found.

Suggested changeset 1: conn.go

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/conn.go b/conn.go
--- a/conn.go
+++ b/conn.go
@@ -136,2 +136,7 @@
 		for _, extraFile := range data.ExtraFiles {
+			if strings.Contains(extraFile.Filename, "/") || strings.Contains(extraFile.Filename, "\\") || strings.Contains(extraFile.Filename, "..") {
+				c.String(http.StatusBadRequest, "Invalid file name")
+				return
+			}
+
 			path, err := utilities.SafeJoin(tmpdir, extraFile.Filename)
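Review bot: The `..` test on the `if strings.Contains(...)` line is a substring match, so a legitimate name such as `foo..bar` is rejected with a 400; since the same line already rejects `/` and `\`, the name can only be a single path component and the only traversal value left is the literal `..`, so an exact comparison (`extraFile.Filename == ".."`, plus rejecting `""` and `"."`) is both tighter and more accurate. The hunk also adds uses of `strings` and `http` without touching the import block; confirm conn.go already imports both, or the patch will not compile.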
EOF
Annotated lines in conn.go (alert location):

		return
	}

	err = os.WriteFile(path, extraFile.Hex, 0644)

Check failure: Code scanning / CodeQL

Uncontrolled data used in path expression (High)
This path depends on a user-provided value.

Copilot Autofix (AI) commented about 1 month ago

To fix the problem, we need to ensure that the extraFile.Filename does not contain any path traversal characters or sequences. We can achieve this by validating the filename to ensure it does not contain any path separators ("/" or "\") or ".." sequences. This validation should be done before using the filename to construct the path.

  1. Add a validation step to check that extraFile.Filename does not contain any path separators or ".." sequences.
  2. If the validation fails, return an error response to the client.
  3. If the validation passes, proceed with the existing logic to save the file.

Suggested changeset 1: conn.go

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/conn.go b/conn.go
--- a/conn.go
+++ b/conn.go
@@ -136,2 +136,6 @@
 		for _, extraFile := range data.ExtraFiles {
+			if strings.Contains(extraFile.Filename, "/") || strings.Contains(extraFile.Filename, "\\") || strings.Contains(extraFile.Filename, "..") {
+				c.String(http.StatusBadRequest, "Invalid file name")
+				return
+			}
 			path, err := utilities.SafeJoin(tmpdir, extraFile.Filename)
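Review bot: This is the same check as the first suggested patch, differing only in the dropped blank line, so only one of the two changesets should be applied or the loop ends up validating twice. Also, the `return` on the `return` line exits the handler partway through `data.ExtraFiles`, after earlier iterations may already have written files under `tmpdir` via `os.WriteFile`; either validate every `extraFile.Filename` before the first write, or make sure the temp directory is cleaned up on this early exit.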
EOF
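One way to write the validation both autofix suggestions describe, as an added example that is not the project's code: a hypothetical SafeExtraFilePath that treats the client-supplied name as exactly one path component (rejecting separators, the empty name, "." and ".." by exact comparison rather than substring, so a name like foo..bar is still accepted) and then confirms the joined path stays under the base directory. It assumes a Unix runner; the containment check at the end is presumably what utilities.SafeJoin does, but its implementation is not shown on this page, so the example does its own.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrBadFilename is returned for any client-supplied name that could escape the target directory.
var ErrBadFilename = errors.New("invalid file name")

// SafeExtraFilePath validates a client-supplied file name (hypothetical helper,
// not the project's utilities.SafeJoin) and joins it under baseDir.
// The name must be exactly one path component: no "/" or "\" separator and
// not "", "." or "..". Because the comparison with ".." is exact rather than a
// substring test, a legitimate name such as "foo..bar" is accepted.
func SafeExtraFilePath(baseDir, name string) (string, error) {
	if name == "" || name == "." || name == ".." {
		return "", ErrBadFilename
	}
	// Reject both separator styles explicitly: on Unix, path/filepath treats
	// "\" as an ordinary character, but a Windows client may send it as one.
	if strings.ContainsAny(name, `/\`) {
		return "", ErrBadFilename
	}
	// A NUL byte would truncate the name in the underlying OS call.
	if strings.ContainsRune(name, 0) {
		return "", ErrBadFilename
	}
	joined := filepath.Join(baseDir, name)
	// Defence in depth: confirm the cleaned result still lies inside baseDir.
	rel, err := filepath.Rel(baseDir, joined)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadFilename
	}
	return joined, nil
}

func main() {
	// Constructed sample names, as a client might send them in data.ExtraFiles.
	names := []string{"sketch.ino", "foo..bar", "../etc/passwd", "sub/file", `sub\file`, "..", ""}
	for _, n := range names {
		p, err := SafeExtraFilePath("/tmp/build", n)
		fmt.Printf("%-16q -> %q %v\n", n, p, err)
	}
}
```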
per1234 added the labels "type: enhancement" (Proposed improvement) and "topic: code" (Related to content of the project itself) on Jan 29, 2025.
dido18 changed the base branch from main to datarace-on-config-access on January 29, 2025 at 10:34.
Labels: topic: code (Related to content of the project itself), type: enhancement (Proposed improvement)
Projects: None yet
2 participants