Skip to content

web_editor: prohibit CRUD to symbolic files #7981

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jun 8, 2025
Merged

web_editor: prohibit CRUD to symbolic files #7981

merged 4 commits into from
Jun 8, 2025

Conversation

unknwon
Copy link
Member

@unknwon unknwon commented Jun 8, 2025

@unknwon unknwon requested a review from Copilot June 8, 2025 22:05
Copilot
Copilot AI reviewed Jun 8, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds a check to block CRUD operations on symbolic links in the web editor, addressing the GHSA advisory.

  • Introduces IsSymlink in osutil and corresponding tests.
  • Adds security guards in repo_editor.go to prevent creating, updating, moving, deleting, or uploading through symlinks.
  • Renames test fields from expVal to want and updates imports.

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
internal/osutil/osutil.go Added IsSymlink function to detect symbolic links.
internal/osutil/osutil_test.go Added TestIsSymlink and renamed expVal to want in existing tests.
internal/database/repo_editor.go Inserted symlink checks before filesystem operations in editor methods.
Comments suppressed due to low confidence (1)

internal/database/repo_editor.go:167

  • Add tests for the repository editor methods to confirm that operations against symlinked paths are properly rejected, ensuring these new security branches are covered.
if com.IsExist(filePath) {

@unknwon unknwon added this to the 0.13.3 milestone Jun 8, 2025
unknwon and others added 2 commits June 8, 2025 18:14
@unknwon
check before action
fc1cbb2
@deepsource-autofix @unknwon
web_editor: prohibit CRUD to symbolic files
2503dde 
Resolved issues in internal/osutil/osutil_test.go with DeepSource Autofix
@unknwon unknwon force-pushed the jc/GHSA-wj44-9vcg-wjq7 branch from b767ca1 to 2503dde Compare June 8, 2025 22:23
@unknwon unknwon merged commit 591810e into main Jun 8, 2025
12 checks passed
@unknwon unknwon deleted the jc/GHSA-wj44-9vcg-wjq7 branch June 8, 2025 22:28
unknwon added a commit that referenced this pull request Jun 8, 2025
@unknwon @deepsource-autofix
web_editor: prohibit CRUD to symbolic files (#7981)
1cba9bc 
Fixes
[GHSA-wj44-9vcg-wjq7](GHSA-wj44-9vcg-wjq7)

---------

Co-authored-by: deepsource-autofix[bot] <62050782+deepsource-autofix[bot]@users.noreply.github.com>
@unknwon
Copy link
Member Author

unknwon commented Jun 9, 2025

The 0.13.3 has been released that includes this patch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.13.3
Development

Successfully merging this pull request may close these issues.
1 participant
@unknwon