Conversation
|
Warning Rate limit exceeded
To continue reviewing without waiting, purchase usage credits in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (10)
WalkthroughThe PR implements path traversal protection across the codebase by introducing a new 🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR introduces a shared SafeJoinPath helper to prevent path traversal/absolute-path writes when joining untrusted path fragments, and applies it in several file-creation/extraction code paths (template rendering, blob cache/index handling, and installer package/job extraction).
Changes:
- Add
common/util.SafeJoinPath(base, untrusted)built onfilepath.IsLocal, plus unit tests. - Use
SafeJoinPathto validate/join template destination paths, blob cache filenames, blobs index entries, and installer target directories. - Add/adjust tests to assert errors are returned for traversal/absolute/empty paths.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| templatescompiler/job_renderer.go | Validates template destination paths with SafeJoinPath before rendering. |
| templatescompiler/job_renderer_test.go | Adds coverage for rejecting non-local template destination paths. |
| releasedir/index/fs_index_blobs.go | Uses SafeJoinPath to prevent blob cache path traversal via digest strings. |
| releasedir/index/fs_index_blobs_test.go | Adds/updates tests for traversal/empty digest strings being rejected early. |
| releasedir/fs_blobs_dir.go | Validates blob paths from blobs.yml cannot escape the blobs directory. |
| releasedir/fs_blobs_dir_test.go | Adds tests for rejecting traversal/absolute blob paths in blobs.yml. |
| installation/installer.go | Validates package/job names before extracting blobs into target directories. |
| installation/installer_test.go | Adds tests ensuring traversal in package/job names is rejected. |
| common/util/file_helper.go | Adds SafeJoinPath helper. |
| common/util/file_helper_test.go | Adds unit tests for SafeJoinPath behavior. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@releasedir/fs_blobs_dir.go`:
- Around line 104-107: TrackBlob and UntrackBlob currently join caller-provided
path directly and can escape d.dirPath; update both functions to call
util.SafeJoinPath(d.dirPath, path) at their entry, check the returned error and
return a bosherr.Errorf (matching the pattern in Blobs) if invalid, then use the
safe joined path for all subsequent file writes/removals instead of the raw path
or direct joins; ensure you reference d.dirPath, util.SafeJoinPath, and the
TrackBlob/UntrackBlob functions when making the change.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 35074d7f-f88f-42c4-9eb8-6d7e1aa984f2
📒 Files selected for processing (10)
common/util/file_helper.gocommon/util/file_helper_test.goinstallation/installer.goinstallation/installer_test.goreleasedir/fs_blobs_dir.goreleasedir/fs_blobs_dir_test.goreleasedir/index/fs_index_blobs.goreleasedir/index/fs_index_blobs_test.gotemplatescompiler/job_renderer.gotemplatescompiler/job_renderer_test.go
ai-assisted=yes [TNZ-94638] [TNZ-93973] Signed-off-by: Chris Selzo <chris.selzo@broadcom.com> Signed-off-by: Aram Price <aram.price@broadcom.com>
selzoc
force-pushed
the
refactor-path-traversal
branch
from
024dcea to
513ecef
Compare
No description provided.