forked from toolshed/abra
chore: make deps, go mod vendor
This commit is contained in:
go.modgo.summodules.txt
vendor
dario.cat
github.com
ProtonMail
go-crypto
ocb
openpgp
armor
canonical_text.goecdh
ed25519
ed448
errors
internal
key_generation.gokeys.gopacket
aead_crypter.gocompressed.goconfig.goconfig_v5.goencrypted_key.goliteral.gomarker.goone_pass_signature.goopaque.gopacket.gopacket_sequence.gopacket_unsupported.gopadding.goprivate_key.gopublic_key.goreader.gorecipient.gosignature.gosymmetric_key_encrypted.gosymmetrically_encrypted.gosymmetrically_encrypted_aead.gosymmetrically_encrypted_mdc.gouserattribute.gouserid.go
read.goread_write_test_data.gos2k
write.gox25519
x448
charmbracelet
lipgloss
x
ansi
cloudflare
containerd
containerd
cyphar
filepath-securejoin
docker
cli
docker
go-git
go-billy
go-viper
mapstructure
grpc-ecosystem
grpc-gateway
klauspost
compress
mattn
go-runewidth
moby
sys
prometheus
schollz
progressbar
skeema
knownhosts
stretchr
go.opentelemetry.io
contrib
instrumentation
net
http
otelhttp
otel
.gitignore.golangci.ymlCHANGELOG.mdCODEOWNERSCONTRIBUTING.mdMakefileREADME.mdRELEASING.md
attribute
baggage
codes
doc.goexporters
otlp
otlpmetric
otlpmetricgrpc
otlptrace
internal
metric
renovate.jsonsdk
instrumentation
metric
config.godoc.goexemplar.gomanual_reader.gometer.goperiodic_reader.gopipeline.goprovider.goreader.goversion.goview.go
exemplar
README.mddoc.goexemplar.gofilter.gofixed_size_reservoir.gohistogram_reservoir.goreservoir.gostorage.govalue.go
instrument.gointernal
aggregate
aggregate.godrop.goexemplar.goexponential_histogram.gofiltered_reservoir.gohistogram.golastvalue.gosum.go
exemplar
x
resource
trace
version.gosemconv
trace
verify_examples.shverify_released_changelog.shversion.goversions.yamlgolang.org
x
crypto
exp
net
LICENSE
http2
sync
sys
LICENSE
cpu
asm_darwin_x86_gc.scpu.gocpu_arm64.gocpu_darwin_x86.gocpu_gc_x86.gocpu_gc_x86.scpu_gccgo_x86.gocpu_linux_arm64.gocpu_linux_noinit.gocpu_linux_riscv64.gocpu_other_x86.gocpu_riscv64.gocpu_x86.gosyscall_darwin_x86_gc.go
unix
README.mdioctl_linux.gomkerrors.shsyscall_aix.gosyscall_darwin.gosyscall_hurd.gosyscall_linux.gosyscall_linux_arm64.gosyscall_linux_loong64.gosyscall_linux_riscv64.gosyscall_openbsd.gosyscall_zos_s390x.govgetrandom_linux.govgetrandom_unsupported.gozerrors_darwin_amd64.gozerrors_darwin_arm64.gozerrors_linux.gozerrors_linux_386.gozerrors_linux_amd64.gozerrors_linux_arm.gozerrors_linux_arm64.gozerrors_linux_loong64.gozerrors_linux_mips.gozerrors_linux_mips64.gozerrors_linux_mips64le.gozerrors_linux_mipsle.gozerrors_linux_ppc.gozerrors_linux_ppc64.gozerrors_linux_ppc64le.gozerrors_linux_riscv64.gozerrors_linux_s390x.gozerrors_linux_sparc64.gozerrors_zos_s390x.gozsyscall_darwin_amd64.gozsyscall_darwin_amd64.szsyscall_darwin_arm64.gozsyscall_darwin_arm64.szsyscall_linux.gozsyscall_openbsd_386.gozsyscall_openbsd_386.szsyscall_openbsd_amd64.gozsyscall_openbsd_amd64.szsyscall_openbsd_arm.gozsyscall_openbsd_arm.szsyscall_openbsd_arm64.gozsyscall_openbsd_arm64.szsyscall_openbsd_mips64.gozsyscall_openbsd_mips64.szsyscall_openbsd_ppc64.gozsyscall_openbsd_ppc64.szsyscall_openbsd_riscv64.gozsyscall_openbsd_riscv64.szsysnum_linux_386.gozsysnum_linux_amd64.gozsysnum_linux_arm.gozsysnum_linux_arm64.gozsysnum_linux_loong64.gozsysnum_linux_mips.gozsysnum_linux_mips64.gozsysnum_linux_mips64le.gozsysnum_linux_mipsle.gozsysnum_linux_ppc.gozsysnum_linux_ppc64.gozsysnum_linux_ppc64le.gozsysnum_linux_riscv64.gozsysnum_linux_s390x.gozsysnum_linux_sparc64.goztypes_darwin_amd64.goztypes_darwin_arm64.goztypes_freebsd_386.goztypes_freebsd_amd64.goztypes_freebsd_arm.goztypes_freebsd_arm64.goztypes_freebsd_riscv64.goztypes_linux.goztypes_linux_riscv64.goztypes_zos_s390x.go
windows
term
text
time
google.golang.org
grpc
CONTRIBUTING.mdMAINTAINERS.mdSECURITY.mdclientconn.gocodec.go
backoff
balancer
balancer_wrapper.gobinarylog
grpc_binarylog_v1
credentials
dialoptions.godoc.goencoding
experimental
grpclog
health
grpc_health_v1
internal
balancer
gracefulswitch
binarylog
channelz
envconfig
experimental.gogrpclog
grpcsync
grpcutil
idle
internal.goresolver
stats
status
syscall
tcp_keepalive_unix.gotcp_keepalive_windows.gotransport
keepalive
mem
metadata
preloader.goregenerate.shresolver_wrapper.gorpc_util.goserver.goshared_buffer_pool.gostats
stream.gostream_interfaces.goversion.goprotobuf
encoding
internal
descopts
editiondefaults
filedesc
genid
impl
codec_extension.gocodec_field.gocodec_message.gocodec_reflect.gocodec_unsafe.goconvert.goencode.goequal.golegacy_extension.gomessage.gopointer_reflect.gopointer_unsafe.go
strs
version
proto
reflect
runtime
protoiface
types
known
anypb
durationpb
fieldmaskpb
structpb
timestamppb
wrapperspb
103
vendor/github.com/cyphar/filepath-securejoin/open_linux.go
generated
vendored
Normal file
103
vendor/github.com/cyphar/filepath-securejoin/open_linux.go
generated
vendored
Normal file
@ -0,0 +1,103 @@
|
||||
//go:build linux
|
||||
|
||||
// Copyright (C) 2024 SUSE LLC. All rights reserved.
|
||||
// Use of this source code is governed by a BSD-style
|
||||
// license that can be found in the LICENSE file.
|
||||
|
||||
package securejoin
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"strconv"
|
||||
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
// OpenatInRoot is equivalent to [OpenInRoot], except that the root is provided
|
||||
// using an *[os.File] handle, to ensure that the correct root directory is used.
|
||||
func OpenatInRoot(root *os.File, unsafePath string) (*os.File, error) {
|
||||
handle, err := completeLookupInRoot(root, unsafePath)
|
||||
if err != nil {
|
||||
return nil, &os.PathError{Op: "securejoin.OpenInRoot", Path: unsafePath, Err: err}
|
||||
}
|
||||
return handle, nil
|
||||
}
|
||||
|
||||
// OpenInRoot safely opens the provided unsafePath within the root.
|
||||
// Effectively, OpenInRoot(root, unsafePath) is equivalent to
|
||||
//
|
||||
// path, _ := securejoin.SecureJoin(root, unsafePath)
|
||||
// handle, err := os.OpenFile(path, unix.O_PATH|unix.O_CLOEXEC)
|
||||
//
|
||||
// But is much safer. The above implementation is unsafe because if an attacker
|
||||
// can modify the filesystem tree between [SecureJoin] and [os.OpenFile], it is
|
||||
// possible for the returned file to be outside of the root.
|
||||
//
|
||||
// Note that the returned handle is an O_PATH handle, meaning that only a very
|
||||
// limited set of operations will work on the handle. This is done to avoid
|
||||
// accidentally opening an untrusted file that could cause issues (such as a
|
||||
// disconnected TTY that could cause a DoS, or some other issue). In order to
|
||||
// use the returned handle, you can "upgrade" it to a proper handle using
|
||||
// [Reopen].
|
||||
func OpenInRoot(root, unsafePath string) (*os.File, error) {
|
||||
rootDir, err := os.OpenFile(root, unix.O_PATH|unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer rootDir.Close()
|
||||
return OpenatInRoot(rootDir, unsafePath)
|
||||
}
|
||||
|
||||
// Reopen takes an *[os.File] handle and re-opens it through /proc/self/fd.
|
||||
// Reopen(file, flags) is effectively equivalent to
|
||||
//
|
||||
// fdPath := fmt.Sprintf("/proc/self/fd/%d", file.Fd())
|
||||
// os.OpenFile(fdPath, flags|unix.O_CLOEXEC)
|
||||
//
|
||||
// But with some extra hardenings to ensure that we are not tricked by a
|
||||
// maliciously-configured /proc mount. While this attack scenario is not
|
||||
// common, in container runtimes it is possible for higher-level runtimes to be
|
||||
// tricked into configuring an unsafe /proc that can be used to attack file
|
||||
// operations. See [CVE-2019-19921] for more details.
|
||||
//
|
||||
// [CVE-2019-19921]: https://github.com/advisories/GHSA-fh74-hm69-rqjw
|
||||
func Reopen(handle *os.File, flags int) (*os.File, error) {
|
||||
procRoot, err := getProcRoot()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// We can't operate on /proc/thread-self/fd/$n directly when doing a
|
||||
// re-open, so we need to open /proc/thread-self/fd and then open a single
|
||||
// final component.
|
||||
procFdDir, closer, err := procThreadSelf(procRoot, "fd/")
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("get safe /proc/thread-self/fd handle: %w", err)
|
||||
}
|
||||
defer procFdDir.Close()
|
||||
defer closer()
|
||||
|
||||
// Try to detect if there is a mount on top of the magic-link we are about
|
||||
// to open. If we are using unsafeHostProcRoot(), this could change after
|
||||
// we check it (and there's nothing we can do about that) but for
|
||||
// privateProcRoot() this should be guaranteed to be safe (at least since
|
||||
// Linux 5.12[1], when anonymous mount namespaces were completely isolated
|
||||
// from external mounts including mount propagation events).
|
||||
//
|
||||
// [1]: Linux commit ee2e3f50629f ("mount: fix mounting of detached mounts
|
||||
// onto targets that reside on shared mounts").
|
||||
fdStr := strconv.Itoa(int(handle.Fd()))
|
||||
if err := checkSymlinkOvermount(procRoot, procFdDir, fdStr); err != nil {
|
||||
return nil, fmt.Errorf("check safety of /proc/thread-self/fd/%s magiclink: %w", fdStr, err)
|
||||
}
|
||||
|
||||
flags |= unix.O_CLOEXEC
|
||||
// Rather than just wrapping openatFile, open-code it so we can copy
|
||||
// handle.Name().
|
||||
reopenFd, err := unix.Openat(int(procFdDir.Fd()), fdStr, flags, 0)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("reopen fd %d: %w", handle.Fd(), err)
|
||||
}
|
||||
return os.NewFile(uintptr(reopenFd), handle.Name()), nil
|
||||
}
|
Reference in New Issue
Block a user