
Fix(security): Path traversal Bug

Open bhaskarvilles opened this issue 3 years ago • 1 comment

Description

Unsanitized input from open tar file flows into os.Open, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to open arbitrary files.

Data flow:

22 steps in 1 file: vendor/github.com/docker/docker/pkg/archive/diff.go

bhaskarvilles avatar Jul 14 '22 13:07 bhaskarvilles
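The check the report describes as missing, as an added Go example that is not Fabric's or moby/moby's code: each tar entry name is resolved against the destination directory and rejected if the cleaned result escapes it. The destination path and the entry names are constructed sample values.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)
// SafeJoin resolves a tar entry name against dest and rejects any result outside it; filepath.Join
// collapses ".." first, so the prefix check sees the real target. Added illustration, not Fabric/moby code.
func SafeJoin(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name)
	if target != cleanDest && !strings.HasPrefix(target, cleanDest+string(filepath.Separator)) {
		return "", fmt.Errorf("tar entry %q escapes %s", name, cleanDest)
	}
	return target, nil
}
// CheckArchive returns the names of entries that would escape dest; nothing touches disk.
func CheckArchive(dest string, archive []byte) ([]string, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	var rejected []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return rejected, nil
		}
		if err != nil && hdr == nil {
			return nil, err
		}
		// Go 1.20+ can flag an insecure name itself (GODEBUG tarinsecurepath) yet still return the header; count that too.
		if _, jerr := SafeJoin(dest, hdr.Name); err != nil || jerr != nil {
			rejected = append(rejected, hdr.Name)
		}
	}
}
// BuildArchive writes a constructed in-memory tar with the given entry names (sample data only).
func BuildArchive(names []string) ([]byte, error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		if err := tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644}); err != nil {
			return nil, err
		}
	}
	err := tw.Close()
	return buf.Bytes(), err
}
```

Only the entries whose cleaned path leaves the destination are reported, so a name like `dir/../ok.txt` passes while `dir/../../evil2` does not.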

@bhaskarvilles Fabric is just a consumer of this dependency. Please report the issue in the dependency's repository, or submit a PR to the dependency's repository. It looks like that is at https://github.com/moby/moby now. Once it is fixed in the dependency stack, Fabric can pull it in.

I don't think the offending dependency code is even called during Fabric runtime though. Did you find a code path where this is called?

denyeart avatar Jul 29 '22 18:07 denyeart