-
Notifications
You must be signed in to change notification settings - Fork 79
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sanitize symlink target #768
base: main
Are you sure you want to change the base?
Conversation
We can rewrite symlinks to ensure they are always relative and remain within the extraction directory.
fd0365f
to
cd167e8
Compare
We can rewrite symlinks to ensure they are always relative and remain within the extraction directory.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll mark the PR as draft until ruff is back and we have a cleaner view on what are the logic changes being applied.
I believe there is still a bug in b11fe46: when extracting in a (host) directory within |
@qkaiser I wanted to make this PR just to have a place to discuss. It was extracted from a larger PR, and wanted to see CI test results, which our code checks (ruff) prevented, to push through the commit I have made some hacky fixes to be thrown away in the final version. This definitely needs a rewrite, so should have made it draft initially. I do not plan working on this soon, especially as the |
Split off of #763 . There are still problems to solve here, see 954c1cd#commitcomment-138623089 but tests should run with the exception of 2 failures.