From 8c3d01e30b307ca71fb7b08feffdac3bfdab565b Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 13 Jan 2025 08:57:26 +0100 Subject: [PATCH] chore(deps): update module github.com/cyphar/filepath-securejoin to v0.4.0 (#6157) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [github.com/cyphar/filepath-securejoin](https://redirect.github.com/cyphar/filepath-securejoin) | `v0.3.6` -> `v0.4.0` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fcyphar%2ffilepath-securejoin/v0.4.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fcyphar%2ffilepath-securejoin/v0.4.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fcyphar%2ffilepath-securejoin/v0.3.6/v0.4.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fcyphar%2ffilepath-securejoin/v0.3.6/v0.4.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes
cyphar/filepath-securejoin (github.com/cyphar/filepath-securejoin) ### [`v0.4.0`](https://redirect.github.com/cyphar/filepath-securejoin/releases/tag/v0.4.0) [Compare Source](https://redirect.github.com/cyphar/filepath-securejoin/compare/v0.3.6...v0.4.0) This release primarily includes a few minor breaking changes to make the MkdirAll and SecureJoin interfaces more robust against accidental misuse. - `SecureJoin(VFS)` will now return an error if the provided `root` is not a `filepath.Clean`'d path. While it is ultimately the responsibility of the caller to ensure the root is a safe path to use, passing a path like `/symlink/..` as a root would result in the `SecureJoin`'d path being placed in `/` even though `/symlink/..` might be a different directory, and so we should more strongly discourage such usage. All major users of `securejoin.SecureJoin` already ensure that the paths they provide are safe (and this is ultimately a question of user error), but removing this foot-gun is probably a good idea. Of course, this is necessarily a breaking API change (though we expect no real users to be affected by it). Thanks to [Erik Sjölund](https://redirect.github.com/eriksjolund), who initially reported this issue as a possible security issue. - `MkdirAll` and `MkdirHandle` now take an `os.FileMode`-style mode argument instead of a raw `unix.S_*`-style mode argument, which may cause compile-time type errors depending on how you use `filepath-securejoin`. For most users, there will be no change in behaviour aside from the type change (as the bottom `0o777` bits are the same in both formats, and most users are probably only using those bits). However, if you were using `unix.S_ISVTX` to set the sticky bit with `MkdirAll(Handle)` you will need to switch to `os.ModeSticky` otherwise you will get a runtime error with this update. In addition, the error message you will get from passing `unix.S_ISUID` and `unix.S_ISGID` will be different as they are treated as invalid bits now (note that previously passing said bits was also an error). Thanks to the following contributors for helping make this release possible: - Aleksa Sarai - Erik Sjölund Signed-off-by: Aleksa Sarai
--- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/open-telemetry/opentelemetry-go). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- internal/tools/go.mod | 2 +- internal/tools/go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/internal/tools/go.mod b/internal/tools/go.mod index 99338f1911f..1a5b15018a6 100644 --- a/internal/tools/go.mod +++ b/internal/tools/go.mod @@ -57,7 +57,7 @@ require ( github.com/ckaznocha/intrange v0.3.0 // indirect github.com/cloudflare/circl v1.5.0 // indirect github.com/curioswitch/go-reassign v0.3.0 // indirect - github.com/cyphar/filepath-securejoin v0.3.6 // indirect + github.com/cyphar/filepath-securejoin v0.4.0 // indirect github.com/daixiang0/gci v0.13.5 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/denis-tingaikin/go-header v0.5.0 // indirect diff --git a/internal/tools/go.sum b/internal/tools/go.sum index 6997c33de7b..e741c2c3ebc 100644 --- a/internal/tools/go.sum +++ b/internal/tools/go.sum @@ -88,8 +88,8 @@ github.com/cloudflare/circl v1.5.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZ github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/curioswitch/go-reassign v0.3.0 h1:dh3kpQHuADL3cobV/sSGETA8DOv457dwl+fbBAhrQPs= github.com/curioswitch/go-reassign v0.3.0/go.mod h1:nApPCCTtqLJN/s8HfItCcKV0jIPwluBOvZP+dsJGA88= -github.com/cyphar/filepath-securejoin v0.3.6 h1:4d9N5ykBnSp5Xn2JkhocYDkOpURL/18CYMpo6xB9uWM= -github.com/cyphar/filepath-securejoin v0.3.6/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= +github.com/cyphar/filepath-securejoin v0.4.0 h1:PioTG9TBRSApBpYGnDU8HC+miIsX8vitBH9LGNNMoLQ= +github.com/cyphar/filepath-securejoin v0.4.0/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= github.com/daixiang0/gci v0.13.5 h1:kThgmH1yBmZSBCh1EJVxQ7JsHpm5Oms0AMed/0LaH4c= github.com/daixiang0/gci v0.13.5/go.mod h1:12etP2OniiIdP4q+kjUGrC/rUagga7ODbqsom5Eo5Yk= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=