forked from eirslett/frontend-maven-plugin
[pull] master from eirslett:master #37
Open
pull wants to merge 107 commits into Vikash-Kothary:master from eirslett:master
Conversation
Adds http_proxy and https_proxy for npm runs, useful for npm postinstalls that use pure node <postinstall-script>.js to get the proxy without workarounds.
Those variables are needed for postinstall steps using node scripts
This fixes a Zip-Slip vulnerability. This change does one of two things. This change either:

1. Inserts a guard to protect against Zip Slip. OR
2. Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, which is vulnerable to partial path traversal attacks, with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`.

For number 2, consider `"/usr/outnot".startsWith("/usr/out")`. The check is bypassed although `/outnot` is not under the `/out` directory. It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object. For example, on Linux, `println(new File("/var"))` will print `/var`, but `println(new File("/var", "/"))` will print `/var/`; however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`.

Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Severity: High
CVSS: 7.4
Detection: CodeQL (https://codeql.github.com/codeql-query-help/java/java-zipslip/) & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.ZipSlip)
Reported-by: Jonathan Leitschuh <[email protected]>
Signed-off-by: Jonathan Leitschuh <[email protected]>
Bug-tracker: JLLeitschuh/security-research#16
Co-authored-by: Moderne <[email protected]>
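To see the partial path traversal bypass that the commit message above describes, here is an added Java example; it is not code from frontend-maven-plugin or from the commit. It runs the String-prefix check and the Path-based check side by side against a sibling directory whose name shares a prefix with the install directory, and against zip entry names that walk out of the destination. The temp-directory layout, the entry names and the `resolveEntry` helper are constructed for the illustration and are not part of the plugin.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.util.zip.ZipEntry;

public final class ZipSlipCheck {

    // The check the commit message replaces: a String prefix test on canonical paths.
    // Because "<base>/outnot" starts with the characters "<base>/out", a sibling
    // directory that merely shares a name prefix passes this test.
    static boolean vulnerableIsUnder(File parent, File child) throws IOException {
        return child.getCanonicalPath().startsWith(parent.getCanonicalPath());
    }

    // The replacement: Path.startsWith compares whole name elements, so "outnot"
    // is not treated as a child of "out". Canonicalising both sides first also
    // resolves "..", symlinks, trailing separators and a relative parent such as
    // new File("target/node") before the comparison is made.
    static boolean safeIsUnder(File parent, File child) throws IOException {
        return child.getCanonicalFile().toPath()
                .startsWith(parent.getCanonicalFile().toPath());
    }

    // Hypothetical extraction helper (not the plugin's own): resolve an entry name
    // against the destination and refuse anything that does not stay inside it.
    static File resolveEntry(File destDir, ZipEntry entry) throws IOException {
        File target = new File(destDir, entry.getName());
        if (!safeIsUnder(destDir, target)) {
            throw new IOException("Bad zip entry: " + entry.getName());
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/out is the install directory, <tmp>/outnot a sibling.
        File base = Files.createTempDirectory("zipslip").toFile();
        File out = new File(base, "out");
        File outnot = new File(base, "outnot");
        Files.createDirectories(out.toPath());
        Files.createDirectories(outnot.toPath());

        // Same pair of directories, two verdicts: only the Path-based check
        // recognises that outnot is not inside out.
        System.out.println("sibling dir, string check: " + vulnerableIsUnder(out, outnot));
        System.out.println("sibling dir, path check  : " + safeIsUnder(out, outnot));

        // The trailing separator the commit message warns about is removed by
        // canonicalisation, so it does not affect the Path-based verdict.
        File outWithSlash = new File(out, "/");
        System.out.println("trailing slash, path check: "
                + safeIsUnder(outWithSlash, new File(out, "node")));

        // Entry names as they might appear inside an archive (constructed).
        String[] names = {
            "node/bin/node",     // stays inside out/
            "../outnot/pwned",   // leaves out/ but lands under a prefix-sharing sibling
            "../../etc/passwd"   // classic Zip Slip, escapes the temp directory entirely
        };
        for (String name : names) {
            ZipEntry entry = new ZipEntry(name);
            boolean stringCheck = vulnerableIsUnder(out, new File(out, name));
            String pathCheck;
            try {
                resolveEntry(out, entry);
                pathCheck = "accepted";
            } catch (IOException e) {
                pathCheck = "rejected (" + e.getMessage() + ")";
            }
            System.out.printf("%-18s string check=%-5s path check=%s%n",
                    name, stringCheck, pathCheck);
        }
    }
}
```

Run it with `java ZipSlipCheck.java` on any JDK that supports single-file source launch. The `../outnot/pwned` entry is the one to watch: the String-prefix check accepts it, because the canonical target path begins with the canonical install directory as text, while the Path-based check rejects it. Both checks reject `../../etc/passwd`, which is why a test suite built only from classic `../` payloads would not have caught the weaker check.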
This commit fixes the following issues for pnpm:
- Comment mismatch
- pnpm is never "provided" by Node.js, so <pnpmVersion> is required.
- Java class name camel casing: PNPMInstaller -> PnpmInstaller
…zip-slip-vulnerability [SECURITY] Fix Zip Slip Vulnerability
Bumps [jackson-databind](https://github.com/FasterXML/jackson) from 2.13.0 to 2.13.2.1.
- [Release notes](https://github.com/FasterXML/jackson/releases)
- [Commits](https://github.com/FasterXML/jackson/commits)

---
updated-dependencies:
- dependency-name: com.fasterxml.jackson.core:jackson-databind
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
…in-core/com.fasterxml.jackson.core-jackson-databind-2.13.2.1 Bump jackson-databind from 2.13.0 to 2.13.2.1 in /frontend-plugin-core
Edit integration test to reproduce #967
Fix issues for pnpm
When no pnpm or pnpm.cmd are available, create a symlink to node_modules/pnpm/bin/pnpm.cjs
Fix #967: Add pnpm executable to PATH
…ng-directory IT: custom-working-directory: bump deps etc.
…ll-directory IT custom-install-directory-bump-deps
…fore-write Download files fully before write to disk
Otherwise, relative installDirectory paths cannot be used because the zip-slip check fails with a "Bad zip entry" exception even though the zip is fine. Closes #1124
* initial bun integration
* fixing integration tests
* fixing integration tests
* fixing integration tests
* adding invoker properties
* bun install
* fix log output
* update bun integration test to version 1.0.10
Furthermore, prevent errors in case of berry usage and attempt to add arguments that are not supported by berry.
Support Java 8 still
Java 11 (because Java 8 causes issues on GitHub Actions)
Add npx to lifecycle-mapping-metadata.xml. Fixes #1150.
This adds some basic support for using corepack to manage the tooling via the 'packageManager' field in the package.json. Here we add the ability to download a version of it along with a node version, along with the ability to execute commands via corepack such as 'pnpm install' or 'yarn install' depending on the selected package manager. Later we ought to work out how to use the version packaged with the node runtime, but this was inspired by the pnpm download which is downloaded separately, and so this is too.

In most uses, users will want to use the version of corepack provided with the NodeJS version they are using, and the plugin now supports this mode of usage by default if no corepack version is explicitly provided.
…ead of the installation directory
This disables TLSv1.3 and changes global state that shouldn't be changed. Fixes #1170.
See Commits and Changes for more details.
Created by pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )