forked from toolshed/abra
chore: make deps, go mod vendor
This commit is contained in:
go.modgo.summodules.txt
vendor
dario.cat
github.com
ProtonMail
go-crypto
ocb
openpgp
armor
canonical_text.goecdh
ed25519
ed448
errors
internal
key_generation.gokeys.gopacket
aead_crypter.gocompressed.goconfig.goconfig_v5.goencrypted_key.goliteral.gomarker.goone_pass_signature.goopaque.gopacket.gopacket_sequence.gopacket_unsupported.gopadding.goprivate_key.gopublic_key.goreader.gorecipient.gosignature.gosymmetric_key_encrypted.gosymmetrically_encrypted.gosymmetrically_encrypted_aead.gosymmetrically_encrypted_mdc.gouserattribute.gouserid.go
read.goread_write_test_data.gos2k
write.gox25519
x448
charmbracelet
lipgloss
x
ansi
cloudflare
containerd
containerd
cyphar
filepath-securejoin
docker
cli
docker
go-git
go-billy
go-viper
mapstructure
grpc-ecosystem
grpc-gateway
klauspost
compress
mattn
go-runewidth
moby
sys
prometheus
schollz
progressbar
skeema
knownhosts
stretchr
go.opentelemetry.io
contrib
instrumentation
net
http
otelhttp
otel
.gitignore.golangci.ymlCHANGELOG.mdCODEOWNERSCONTRIBUTING.mdMakefileREADME.mdRELEASING.md
attribute
baggage
codes
doc.goexporters
otlp
otlpmetric
otlpmetricgrpc
otlptrace
internal
metric
renovate.jsonsdk
instrumentation
metric
config.godoc.goexemplar.gomanual_reader.gometer.goperiodic_reader.gopipeline.goprovider.goreader.goversion.goview.go
exemplar
README.mddoc.goexemplar.gofilter.gofixed_size_reservoir.gohistogram_reservoir.goreservoir.gostorage.govalue.go
instrument.gointernal
aggregate
aggregate.godrop.goexemplar.goexponential_histogram.gofiltered_reservoir.gohistogram.golastvalue.gosum.go
exemplar
x
resource
trace
version.gosemconv
trace
verify_examples.shverify_released_changelog.shversion.goversions.yamlgolang.org
x
crypto
exp
net
LICENSE
http2
sync
sys
LICENSE
cpu
asm_darwin_x86_gc.scpu.gocpu_arm64.gocpu_darwin_x86.gocpu_gc_x86.gocpu_gc_x86.scpu_gccgo_x86.gocpu_linux_arm64.gocpu_linux_noinit.gocpu_linux_riscv64.gocpu_other_x86.gocpu_riscv64.gocpu_x86.gosyscall_darwin_x86_gc.go
unix
README.mdioctl_linux.gomkerrors.shsyscall_aix.gosyscall_darwin.gosyscall_hurd.gosyscall_linux.gosyscall_linux_arm64.gosyscall_linux_loong64.gosyscall_linux_riscv64.gosyscall_openbsd.gosyscall_zos_s390x.govgetrandom_linux.govgetrandom_unsupported.gozerrors_darwin_amd64.gozerrors_darwin_arm64.gozerrors_linux.gozerrors_linux_386.gozerrors_linux_amd64.gozerrors_linux_arm.gozerrors_linux_arm64.gozerrors_linux_loong64.gozerrors_linux_mips.gozerrors_linux_mips64.gozerrors_linux_mips64le.gozerrors_linux_mipsle.gozerrors_linux_ppc.gozerrors_linux_ppc64.gozerrors_linux_ppc64le.gozerrors_linux_riscv64.gozerrors_linux_s390x.gozerrors_linux_sparc64.gozerrors_zos_s390x.gozsyscall_darwin_amd64.gozsyscall_darwin_amd64.szsyscall_darwin_arm64.gozsyscall_darwin_arm64.szsyscall_linux.gozsyscall_openbsd_386.gozsyscall_openbsd_386.szsyscall_openbsd_amd64.gozsyscall_openbsd_amd64.szsyscall_openbsd_arm.gozsyscall_openbsd_arm.szsyscall_openbsd_arm64.gozsyscall_openbsd_arm64.szsyscall_openbsd_mips64.gozsyscall_openbsd_mips64.szsyscall_openbsd_ppc64.gozsyscall_openbsd_ppc64.szsyscall_openbsd_riscv64.gozsyscall_openbsd_riscv64.szsysnum_linux_386.gozsysnum_linux_amd64.gozsysnum_linux_arm.gozsysnum_linux_arm64.gozsysnum_linux_loong64.gozsysnum_linux_mips.gozsysnum_linux_mips64.gozsysnum_linux_mips64le.gozsysnum_linux_mipsle.gozsysnum_linux_ppc.gozsysnum_linux_ppc64.gozsysnum_linux_ppc64le.gozsysnum_linux_riscv64.gozsysnum_linux_s390x.gozsysnum_linux_sparc64.goztypes_darwin_amd64.goztypes_darwin_arm64.goztypes_freebsd_386.goztypes_freebsd_amd64.goztypes_freebsd_arm.goztypes_freebsd_arm64.goztypes_freebsd_riscv64.goztypes_linux.goztypes_linux_riscv64.goztypes_zos_s390x.go
windows
term
text
time
google.golang.org
grpc
CONTRIBUTING.mdMAINTAINERS.mdSECURITY.mdclientconn.gocodec.go
backoff
balancer
balancer_wrapper.gobinarylog
grpc_binarylog_v1
credentials
dialoptions.godoc.goencoding
experimental
grpclog
health
grpc_health_v1
internal
balancer
gracefulswitch
binarylog
channelz
envconfig
experimental.gogrpclog
grpcsync
grpcutil
idle
internal.goresolver
stats
status
syscall
tcp_keepalive_unix.gotcp_keepalive_windows.gotransport
keepalive
mem
metadata
preloader.goregenerate.shresolver_wrapper.gorpc_util.goserver.goshared_buffer_pool.gostats
stream.gostream_interfaces.goversion.goprotobuf
encoding
internal
descopts
editiondefaults
filedesc
genid
impl
codec_extension.gocodec_field.gocodec_message.gocodec_reflect.gocodec_unsafe.goconvert.goencode.goequal.golegacy_extension.gomessage.gopointer_reflect.gopointer_unsafe.go
strs
version
proto
reflect
runtime
protoiface
types
known
anypb
durationpb
fieldmaskpb
structpb
timestamppb
wrapperspb
128
vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go
generated
vendored
Normal file
128
vendor/github.com/cyphar/filepath-securejoin/openat2_linux.go
generated
vendored
Normal file
@ -0,0 +1,128 @@
|
||||
//go:build linux
|
||||
|
||||
// Copyright (C) 2024 SUSE LLC. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package securejoin
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"sync"
|
||||
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
var hasOpenat2 = sync.OnceValue(func() bool {
|
||||
fd, err := unix.Openat2(unix.AT_FDCWD, ".", &unix.OpenHow{
|
||||
Flags: unix.O_PATH | unix.O_CLOEXEC,
|
||||
Resolve: unix.RESOLVE_NO_SYMLINKS | unix.RESOLVE_IN_ROOT,
|
||||
})
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
_ = unix.Close(fd)
|
||||
return true
|
||||
})
|
||||
|
||||
func scopedLookupShouldRetry(how *unix.OpenHow, err error) bool {
|
||||
// RESOLVE_IN_ROOT (and RESOLVE_BENEATH) can return -EAGAIN if we resolve
|
||||
// ".." while a mount or rename occurs anywhere on the system. This could
|
||||
// happen spuriously, or as the result of an attacker trying to mess with
|
||||
// us during lookup.
|
||||
//
|
||||
// In addition, scoped lookups have a "safety check" at the end of
|
||||
// complete_walk which will return -EXDEV if the final path is not in the
|
||||
// root.
|
||||
return how.Resolve&(unix.RESOLVE_IN_ROOT|unix.RESOLVE_BENEATH) != 0 &&
|
||||
(errors.Is(err, unix.EAGAIN) || errors.Is(err, unix.EXDEV))
|
||||
}
|
||||
|
||||
const scopedLookupMaxRetries = 10
|
||||
|
||||
func openat2File(dir *os.File, path string, how *unix.OpenHow) (*os.File, error) {
|
||||
fullPath := dir.Name() + "/" + path
|
||||
// Make sure we always set O_CLOEXEC.
|
||||
how.Flags |= unix.O_CLOEXEC
|
||||
var tries int
|
||||
for tries < scopedLookupMaxRetries {
|
||||
fd, err := unix.Openat2(int(dir.Fd()), path, how)
|
||||
if err != nil {
|
||||
if scopedLookupShouldRetry(how, err) {
|
||||
// We retry a couple of times to avoid the spurious errors, and
|
||||
// if we are being attacked then returning -EAGAIN is the best
|
||||
// we can do.
|
||||
tries++
|
||||
continue
|
||||
}
|
||||
return nil, &os.PathError{Op: "openat2", Path: fullPath, Err: err}
|
||||
}
|
||||
// If we are using RESOLVE_IN_ROOT, the name we generated may be wrong.
|
||||
// NOTE: The procRoot code MUST NOT use RESOLVE_IN_ROOT, otherwise
|
||||
// you'll get infinite recursion here.
|
||||
if how.Resolve&unix.RESOLVE_IN_ROOT == unix.RESOLVE_IN_ROOT {
|
||||
if actualPath, err := rawProcSelfFdReadlink(fd); err == nil {
|
||||
fullPath = actualPath
|
||||
}
|
||||
}
|
||||
return os.NewFile(uintptr(fd), fullPath), nil
|
||||
}
|
||||
return nil, &os.PathError{Op: "openat2", Path: fullPath, Err: errPossibleAttack}
|
||||
}
|
||||
|
||||
func lookupOpenat2(root *os.File, unsafePath string, partial bool) (*os.File, string, error) {
|
||||
if !partial {
|
||||
file, err := openat2File(root, unsafePath, &unix.OpenHow{
|
||||
Flags: unix.O_PATH | unix.O_CLOEXEC,
|
||||
Resolve: unix.RESOLVE_IN_ROOT | unix.RESOLVE_NO_MAGICLINKS,
|
||||
})
|
||||
return file, "", err
|
||||
}
|
||||
return partialLookupOpenat2(root, unsafePath)
|
||||
}
|
||||
|
||||
// partialLookupOpenat2 is an alternative implementation of
|
||||
// partialLookupInRoot, using openat2(RESOLVE_IN_ROOT) to more safely get a
|
||||
// handle to the deepest existing child of the requested path within the root.
|
||||
func partialLookupOpenat2(root *os.File, unsafePath string) (*os.File, string, error) {
|
||||
// TODO: Implement this as a git-bisect-like binary search.
|
||||
|
||||
unsafePath = filepath.ToSlash(unsafePath) // noop
|
||||
endIdx := len(unsafePath)
|
||||
var lastError error
|
||||
for endIdx > 0 {
|
||||
subpath := unsafePath[:endIdx]
|
||||
|
||||
handle, err := openat2File(root, subpath, &unix.OpenHow{
|
||||
Flags: unix.O_PATH | unix.O_CLOEXEC,
|
||||
Resolve: unix.RESOLVE_IN_ROOT | unix.RESOLVE_NO_MAGICLINKS,
|
||||
})
|
||||
if err == nil {
|
||||
// Jump over the slash if we have a non-"" remainingPath.
|
||||
if endIdx < len(unsafePath) {
|
||||
endIdx += 1
|
||||
}
|
||||
// We found a subpath!
|
||||
return handle, unsafePath[endIdx:], lastError
|
||||
}
|
||||
if errors.Is(err, unix.ENOENT) || errors.Is(err, unix.ENOTDIR) {
|
||||
// That path doesn't exist, let's try the next directory up.
|
||||
endIdx = strings.LastIndexByte(subpath, '/')
|
||||
lastError = err
|
||||
continue
|
||||
}
|
||||
return nil, "", fmt.Errorf("open subpath: %w", err)
|
||||
}
|
||||
// If we couldn't open anything, the whole subpath is missing. Return a
|
||||
// copy of the root fd so that the caller doesn't close this one by
|
||||
// accident.
|
||||
rootClone, err := dupFile(root)
|
||||
if err != nil {
|
||||
return nil, "", err
|
||||
}
|
||||
return rootClone, unsafePath, lastError
|
||||
}
|
||||
Reference in New Issue
Block a user