From 24531b843d7310bf0477b6d15cb2f41876d78772 Mon Sep 17 00:00:00 2001
From: Yahav Itzhak
Date: Fri, 21 Apr 2023 14:05:12 +0300
Subject: [PATCH 1/6] Add missing clean in GetLocalPathAndFile (#750)

---
 utils/io/fileutils/files.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/utils/io/fileutils/files.go b/utils/io/fileutils/files.go
index ffbde3ffd..4024eb9d8 100644
--- a/utils/io/fileutils/files.go
+++ b/utils/io/fileutils/files.go
@@ -144,7 +144,7 @@ func GetFileAndDirFromPath(path string) (fileName, dir string) {
 func GetLocalPathAndFile(originalFileName, relativePath, targetPath string, flat bool, placeholdersUsed bool) (localTargetPath, fileName string) {
 targetFileName, targetDirPath := GetFileAndDirFromPath(targetPath)
 // Remove double slashes and double backslashes that may appear in the path
- localTargetPath = targetDirPath
+ localTargetPath = filepath.Clean(targetDirPath)
 // When placeholders are used, the file path shouldn't be taken into account (or in other words, flat = true).
 if !flat && !placeholdersUsed {
 localTargetPath = filepath.Join(targetDirPath, relativePath)
From def5242e8ac867035c8b56ecef8d59bcdff25b81 Mon Sep 17 00:00:00 2001
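Review bot: `filepath.Clean` turns an empty string into `.`, so if `GetFileAndDirFromPath` can return an empty `targetDirPath` (its body lies outside this hunk), the flat case now produces `.` where it previously produced an empty `localTargetPath`, and any caller that tests for the empty string would see a change. If that case is reachable, keeping the old value for it preserves the contract: `localTargetPath = targetDirPath` followed by `if targetDirPath != "" { localTargetPath = filepath.Clean(targetDirPath) }`. The non-flat branch still joins the uncleaned `targetDirPath`, which is fine because `filepath.Join` cleans its result. `GetLocalPathAndFile` continues past the end of the hunk.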
From: Yahav Itzhak
Date: Sun, 23 Apr 2023 09:17:43 +0300
Subject: [PATCH 2/6] Improve unarchive inspection (#735)

---
 artifactory/services/download.go | 25 ++-
 go.mod | 2 +-
 go.sum | 4 +-
 http/httpclient/client.go | 41 ++--
 http/jfroghttpclient/client.go | 8 +-
 utils/archiveutils.go | 30 +-
 utils/io/fileutils/archive.go | 207 ------------------
 utils/io/fileutils/archive_test.go | 86 --------
 .../testdata/archives/softlink-rel.tar | Bin 4608 -> 0 bytes
 .../testdata/archives/softlink-rel.tar.gz | Bin 234 -> 0 bytes
 .../testdata/archives/softlink-rel.zip | Bin 1189 -> 0 bytes
 utils/io/fileutils/testdata/archives/unix.tar | Bin 3072 -> 0 bytes
 .../fileutils/testdata/archives/unix.tar.gz | Bin 181 -> 0 bytes
 utils/io/fileutils/testdata/archives/unix.zip | Bin 452 -> 0 bytes
 utils/io/fileutils/testdata/archives/win.tar | Bin 4608 -> 0 bytes
 .../io/fileutils/testdata/archives/win.tar.gz | Bin 753 -> 0 bytes
 utils/io/fileutils/testdata/archives/win.zip | Bin 807 -> 0 bytes
 utils/io/fileutils/testdata/zipslip/abs.tar | Bin 2048 -> 0 bytes
 .../io/fileutils/testdata/zipslip/abs.tar.gz | Bin 130 -> 0 bytes
 .../testdata/zipslip/hardlink-tilde.tar | Bin 10240 -> 0 bytes
 .../testdata/zipslip/hardlink-tilde.tar.gz | Bin 135 -> 0 bytes
 utils/io/fileutils/testdata/zipslip/rel.tar | Bin 2048 -> 0 bytes
 .../io/fileutils/testdata/zipslip/rel.tar.gz | Bin 122 -> 0 bytes
 utils/io/fileutils/testdata/zipslip/rel.zip | Bin 170 -> 0 bytes
 .../testdata/zipslip/softlink-abs.tar | Bin 2048 -> 0 bytes
 .../testdata/zipslip/softlink-abs.tar.gz | Bin 157 -> 0 bytes
 .../testdata/zipslip/softlink-abs.zip | Bin 367 -> 0 bytes
 .../testdata/zipslip/softlink-rel.tar | Bin 2048 -> 0 bytes
 .../testdata/zipslip/softlink-rel.tar.gz | Bin 150 -> 0 bytes
 .../testdata/zipslip/softlink-rel.zip | Bin 364 -> 0 bytes
 30 files changed, 60 insertions(+), 343 deletions(-)
 delete mode 100644 utils/io/fileutils/archive.go
 delete mode 100644 utils/io/fileutils/archive_test.go
 delete mode 100644 utils/io/fileutils/testdata/archives/softlink-rel.tar
 delete mode 100644 utils/io/fileutils/testdata/archives/softlink-rel.tar.gz
 delete mode 100644 utils/io/fileutils/testdata/archives/softlink-rel.zip
 delete mode 100644 utils/io/fileutils/testdata/archives/unix.tar
 delete mode 100644 utils/io/fileutils/testdata/archives/unix.tar.gz
 delete mode 100644 utils/io/fileutils/testdata/archives/unix.zip
 delete mode 100644 utils/io/fileutils/testdata/archives/win.tar
 delete mode 100644 utils/io/fileutils/testdata/archives/win.tar.gz
 delete mode 100644 utils/io/fileutils/testdata/archives/win.zip
 delete mode 100644 utils/io/fileutils/testdata/zipslip/abs.tar
 delete mode 100644 utils/io/fileutils/testdata/zipslip/abs.tar.gz
 delete mode 100644 utils/io/fileutils/testdata/zipslip/hardlink-tilde.tar
 delete mode 100644 utils/io/fileutils/testdata/zipslip/hardlink-tilde.tar.gz
 delete mode 100644 utils/io/fileutils/testdata/zipslip/rel.tar
 delete mode 100644 utils/io/fileutils/testdata/zipslip/rel.tar.gz
 delete mode 100644 utils/io/fileutils/testdata/zipslip/rel.zip
 delete mode 100644 utils/io/fileutils/testdata/zipslip/softlink-abs.tar
 delete mode 100644 utils/io/fileutils/testdata/zipslip/softlink-abs.tar.gz
 delete mode 100644 utils/io/fileutils/testdata/zipslip/softlink-abs.zip
 delete mode 100644 utils/io/fileutils/testdata/zipslip/softlink-rel.tar
 delete mode 100644 utils/io/fileutils/testdata/zipslip/softlink-rel.tar.gz
 delete mode 100644 utils/io/fileutils/testdata/zipslip/softlink-rel.zip

diff --git a/artifactory/services/download.go b/artifactory/services/download.go
index f14d0dee6..618e22063 100644
--- a/artifactory/services/download.go
+++ b/artifactory/services/download.go
@@ -381,7 +381,7 @@ func (ds *DownloadService) downloadFile(downloadFileDetails *httpclient.Download
 if bulkDownload {
 var resp *http.Response
 resp, err := ds.client.DownloadFileWithProgress(downloadFileDetails, logMsgPrefix, &httpClientsDetails,
- downloadParams.IsExplode(), ds.Progress)
+ downloadParams.IsExplode(), downloadParams.IsBypassArchiveInspection(), ds.Progress)
 if err != nil {
 return err
 }
@@ -547,7 +547,7 @@ func (ds *DownloadService) downloadFileIfNeeded(downloadPath, localPath, localFi
 if isEqual {
 log.Debug(logMsgPrefix, "File already exists locally.")
 if downloadParams.IsExplode() {
- e = clientutils.ExtractArchive(localPath, localFileName, downloadData.Dependency.Name, logMsgPrefix)
+ e = clientutils.ExtractArchive(localPath, localFileName, downloadData.Dependency.Name, logMsgPrefix, downloadParams.IsBypassArchiveInspection())
 }
 return e
 }
@@ -589,14 +589,15 @@ type DownloadData struct {
 
 type DownloadParams struct {
 *utils.CommonParams
- Symlink bool
- ValidateSymlink bool
- Flat bool
- Explode bool
- MinSplitSize int64
- SplitCount int
- PublicGpgKey string
- SkipChecksum bool
+ Symlink bool
+ ValidateSymlink bool
+ Flat bool
+ Explode bool
+ BypassArchiveInspection bool
+ MinSplitSize int64
+ SplitCount int
+ PublicGpgKey string
+ SkipChecksum bool
 }
 
 func (ds *DownloadParams) IsFlat() bool {
@@ -607,6 +608,10 @@ func (ds *DownloadParams) IsExplode() bool {
 return ds.Explode
 }
 
+func (ds *DownloadParams) IsBypassArchiveInspection() bool {
+ return ds.BypassArchiveInspection
+}
+
 func (ds *DownloadParams) GetFile() *utils.CommonParams {
 return ds.CommonParams
 }
diff --git a/go.mod b/go.mod
index 85f6ea353..dff3e8089 100644
--- a/go.mod
+++ b/go.mod
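Review bot: The new `BypassArchiveInspection` field on `DownloadParams` and its `IsBypassArchiveInspection` getter in the last hunk carry no doc comment, although a true value turns off the archive inspection against Zip Slip that `ExtractArchive` otherwise performs before extraction (see the `bypassInspection` parameter in utils/archiveutils.go in this patch); the name alone does not convey that. A comment on the field such as `// BypassArchiveInspection skips the Zip Slip inspection of downloaded archives before they are extracted. Leave false unless the archive source is trusted.` and a one-line reference to it on the getter would close the gap. The same applies to the `BypassArchiveInspection` field added to `ConcurrentDownloadFlags` in http/httpclient/client.go. The zero value keeps inspection enabled, which is the right default.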
@@ -57,4 +57,4 @@ require (
 
 // replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20230418123708-71a0dbbcb331
 
-// replace github.com/jfrog/gofrog => github.com/jfrog/gofrog v1.2.5-0.20221107113836-a4c9225c690e
+replace github.com/jfrog/gofrog => github.com/jfrog/gofrog v1.2.6-0.20230418122323-2bf299dd6d27
diff --git a/go.sum b/go.sum
index 2e9d2d0a1..3bace9a1b 100644
--- a/go.sum
+++ b/go.sum
@@ -57,8 +57,8 @@ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i
 github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4=
 github.com/jfrog/build-info-go v1.9.2 h1:gSX9PH3whFcAMtM9dlPxRE7u9YuYcx8IkfVXQKRjWw0=
 github.com/jfrog/build-info-go v1.9.2/go.mod h1:hHXyLsG0SW1jQa4g6q8x2LGAvvX/MMqWVFTcIUAF2PI=
-github.com/jfrog/gofrog v1.2.5 h1:jCgJC0iGQ8bU7jCC+YEFJTNINyngApIrhd8BjZAVRIE=
-github.com/jfrog/gofrog v1.2.5/go.mod h1:o00tSRff6IapTgaCMuX1Cs9MH08Y1JqnsKgRtx91Gc4=
+github.com/jfrog/gofrog v1.2.6-0.20230418122323-2bf299dd6d27 h1:jX3UD9qVfj9cuyOe7pN7LlB9JKH5A/3vctjnBpWCKsU=
+github.com/jfrog/gofrog v1.2.6-0.20230418122323-2bf299dd6d27/go.mod h1:IFMc+V/yf7rA5WZ74CSbXe+Lgf0iApEQLxRZVzKRUR0=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
diff --git a/http/httpclient/client.go b/http/httpclient/client.go
index 7281c39dc..2baa213a1 100644
--- a/http/httpclient/client.go
+++ b/http/httpclient/client.go
@@ -326,31 +326,31 @@ func (jc *HttpClient) ReadRemoteFile(downloadPath string, httpClientsDetails htt
 // Bulk downloads a file.
 // You may implement the log.Progress interface, or pass nil to run without progress display.
 func (jc *HttpClient) DownloadFileWithProgress(downloadFileDetails *DownloadFileDetails, logMsgPrefix string,
- httpClientsDetails httputils.HttpClientDetails, isExplode bool, progress ioutils.ProgressMgr) (*http.Response, error) {
- resp, _, err := jc.downloadFile(downloadFileDetails, logMsgPrefix, true, httpClientsDetails, isExplode, progress)
+ httpClientsDetails httputils.HttpClientDetails, isExplode, isBypassArchiveInspection bool, progress ioutils.ProgressMgr) (*http.Response, error) {
+ resp, _, err := jc.downloadFile(downloadFileDetails, logMsgPrefix, true, httpClientsDetails, isExplode, isBypassArchiveInspection, progress)
 return resp, err
 }
 
 // Bulk downloads a file.
 func (jc *HttpClient) DownloadFile(downloadFileDetails *DownloadFileDetails, logMsgPrefix string,
- httpClientsDetails httputils.HttpClientDetails, isExplode bool) (*http.Response, error) {
- return jc.DownloadFileWithProgress(downloadFileDetails, logMsgPrefix, httpClientsDetails, isExplode, nil)
+ httpClientsDetails httputils.HttpClientDetails, isExplode, bypassArchiveInspection bool) (*http.Response, error) {
+ return jc.DownloadFileWithProgress(downloadFileDetails, logMsgPrefix, httpClientsDetails, isExplode, bypassArchiveInspection, nil)
 }
 
 func (jc *HttpClient) DownloadFileNoRedirect(downloadPath, localPath, fileName string, httpClientsDetails httputils.HttpClientDetails) (*http.Response, string, error) {
 downloadFileDetails := &DownloadFileDetails{DownloadPath: downloadPath, LocalPath: localPath, FileName: fileName}
- return jc.downloadFile(downloadFileDetails, "", false, httpClientsDetails, false, nil)
+ return jc.downloadFile(downloadFileDetails, "", false, httpClientsDetails, false, false, nil)
 }
 
 func (jc *HttpClient) downloadFile(downloadFileDetails *DownloadFileDetails, logMsgPrefix string, followRedirect bool,
- httpClientsDetails httputils.HttpClientDetails, isExplode bool, progress ioutils.ProgressMgr) (resp *http.Response, redirectUrl string, err error) {
+ httpClientsDetails httputils.HttpClientDetails, isExplode, bypassArchiveInspection bool, progress ioutils.ProgressMgr) (resp *http.Response, redirectUrl string, err error) {
 retryExecutor := utils.RetryExecutor{
 MaxRetries: jc.retries,
 RetriesIntervalMilliSecs: jc.retryWaitMilliSecs,
 ErrorMessage: fmt.Sprintf("Failure occurred while downloading %s", downloadFileDetails.DownloadPath),
 LogMsgPrefix: logMsgPrefix,
 ExecutionHandler: func() (bool, error) {
- resp, redirectUrl, err = jc.doDownloadFile(downloadFileDetails, logMsgPrefix, followRedirect, httpClientsDetails, isExplode, progress)
+ resp, redirectUrl, err = jc.doDownloadFile(downloadFileDetails, logMsgPrefix, followRedirect, httpClientsDetails, isExplode, bypassArchiveInspection, progress)
 // In case followRedirect is 'false' and doDownloadFile did redirect, an error is returned and redirectUrl
 // receives the redirect address. This case should not retry.
 if err != nil && !followRedirect && redirectUrl != "" {
@@ -379,7 +379,7 @@ func (jc *HttpClient) downloadFile(downloadFileDetails *DownloadFileDetails, log
 }
 
 func (jc *HttpClient) doDownloadFile(downloadFileDetails *DownloadFileDetails, logMsgPrefix string, followRedirect bool,
- httpClientsDetails httputils.HttpClientDetails, isExplode bool, progress ioutils.ProgressMgr) (resp *http.Response, redirectUrl string, err error) {
+ httpClientsDetails httputils.HttpClientDetails, isExplode, bypassArchiveInspection bool, progress ioutils.ProgressMgr) (resp *http.Response, redirectUrl string, err error) {
 resp, redirectUrl, err = jc.sendGetForFileDownload(downloadFileDetails.DownloadPath, followRedirect, httpClientsDetails, "")
 if err != nil {
 return
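Review bot: The new flag is spelled `isBypassArchiveInspection` in `DownloadFileWithProgress` but `bypassArchiveInspection` in `DownloadFile`, `downloadFile` and, in the next hunk, `doDownloadFile`; one spelling should be used, and since the value is an instruction rather than a state the `is` prefix is the one to drop. The doc comment above the exported `DownloadFileWithProgress` still describes only the progress argument and should explain the new one, e.g. `// bypassArchiveInspection skips the Zip Slip inspection that precedes extraction when isExplode is true.`; the exported wrappers in http/jfroghttpclient/client.go have the same gap. `downloadFile` continues past the end of this hunk.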
@@ -404,7 +404,7 @@ func (jc *HttpClient) doDownloadFile(downloadFileDetails *DownloadFileDetails, l
 
 // Extract archive.
 if isExplode {
- err = utils.ExtractArchive(downloadFileDetails.LocalPath, downloadFileDetails.LocalFileName, downloadFileDetails.FileName, logMsgPrefix)
+ err = utils.ExtractArchive(downloadFileDetails.LocalPath, downloadFileDetails.LocalFileName, downloadFileDetails.FileName, logMsgPrefix, bypassArchiveInspection)
 }
 return
 }
@@ -517,7 +517,7 @@ func (jc *HttpClient) DownloadFileConcurrently(flags ConcurrentDownloadFlags, lo
 }
 
 if flags.Explode {
- if err = utils.ExtractArchive(flags.LocalPath, flags.LocalFileName, flags.FileName, logMsgPrefix); err != nil {
+ if err = utils.ExtractArchive(flags.LocalPath, flags.LocalFileName, flags.FileName, logMsgPrefix, flags.BypassArchiveInspection); err != nil {
 return
 }
 }
@@ -798,14 +798,15 @@ type DownloadFileDetails struct {
 }
 
 type ConcurrentDownloadFlags struct {
- FileName string
- DownloadPath string
- RelativePath string
- LocalFileName string
- LocalPath string
- ExpectedSha1 string
- FileSize int64
- SplitCount int
- Explode bool
- SkipChecksum bool
+ FileName string
+ DownloadPath string
+ RelativePath string
+ LocalFileName string
+ LocalPath string
+ ExpectedSha1 string
+ FileSize int64
+ SplitCount int
+ Explode bool
+ BypassArchiveInspection bool
+ SkipChecksum bool
 }
diff --git a/http/jfroghttpclient/client.go b/http/jfroghttpclient/client.go
index 28b19d7b8..ba0a70fc3 100644
--- a/http/jfroghttpclient/client.go
+++ b/http/jfroghttpclient/client.go
@@ -118,17 +118,17 @@ func (rtc *JfrogHttpClient) ReadRemoteFile(downloadPath string, httpClientsDetai
 }
 
 func (rtc *JfrogHttpClient) DownloadFileWithProgress(downloadFileDetails *httpclient.DownloadFileDetails, logMsgPrefix string,
- httpClientsDetails *httputils.HttpClientDetails, isExplode bool, progress ioutils.ProgressMgr) (resp *http.Response, err error) {
+ httpClientsDetails *httputils.HttpClientDetails, isExplode, bypassArchiveInspection bool, progress ioutils.ProgressMgr) (resp *http.Response, err error) {
 err = rtc.runPreRequestInterceptors(httpClientsDetails)
 if err != nil {
 return
 }
- return rtc.httpClient.DownloadFileWithProgress(downloadFileDetails, logMsgPrefix, *httpClientsDetails, isExplode, progress)
+ return rtc.httpClient.DownloadFileWithProgress(downloadFileDetails, logMsgPrefix, *httpClientsDetails, isExplode, bypassArchiveInspection, progress)
 }
 
 func (rtc *JfrogHttpClient) DownloadFile(downloadFileDetails *httpclient.DownloadFileDetails, logMsgPrefix string,
- httpClientsDetails *httputils.HttpClientDetails, isExplode bool) (resp *http.Response, err error) {
- return rtc.DownloadFileWithProgress(downloadFileDetails, logMsgPrefix, httpClientsDetails, isExplode, nil)
+ httpClientsDetails *httputils.HttpClientDetails, isExplode, bypassArchiveInspection bool) (resp *http.Response, err error) {
+ return rtc.DownloadFileWithProgress(downloadFileDetails, logMsgPrefix, httpClientsDetails, isExplode, bypassArchiveInspection, nil)
 }
 
 func (rtc *JfrogHttpClient) DownloadFileConcurrently(flags httpclient.ConcurrentDownloadFlags,
diff --git a/utils/archiveutils.go b/utils/archiveutils.go
index bf3983f03..014828e78 100644
--- a/utils/archiveutils.go
+++ b/utils/archiveutils.go
@@ -1,21 +1,26 @@
 package utils
 
 import (
- "github.com/jfrog/jfrog-client-go/utils/errorutils"
- "github.com/jfrog/jfrog-client-go/utils/io/fileutils"
- "github.com/jfrog/jfrog-client-go/utils/log"
 "os"
 "path/filepath"
 "strings"
+
+ "github.com/jfrog/gofrog/unarchive"
+ "github.com/jfrog/jfrog-client-go/utils/errorutils"
+ "github.com/jfrog/jfrog-client-go/utils/log"
 )
 
 // localPath - The path of the downloaded archive file.
-// localFileName - name of the archive file.
-// originFileName - name of the archive file in Artifactory.
-// logMsgPrefix - prefix log message.
+// localFileName - The name of the archive file.
+// originFileName - The name of the archive file in Artifactory.
+// logMsgPrefix - A prefix to the log message.
+// bypassInspection - Set to true to bypass archive inspection against ZipSlip
 // Extract an archive file to the 'localPath'.
-func ExtractArchive(localPath, localFileName, originFileName, logMsgPrefix string) error {
- if !fileutils.IsSupportedArchive(originFileName) {
+func ExtractArchive(localPath, localFileName, originFileName, logMsgPrefix string, bypassInspection bool) error {
+ unarchiver := &unarchive.Unarchiver{
+ BypassInspection: bypassInspection,
+ }
+ if !unarchiver.IsSupportedArchive(originFileName) {
 return nil
 }
 extractionPath, err := getExtractionPath(localPath)
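Review bot: When `bypassInspection` is true the `Unarchiver` is told to skip its Zip Slip inspection, but nothing in this path records that a downloaded archive was extracted without it, so the only trace is the flag on the caller. A log line next to the `IsSupportedArchive` check makes such extractions visible in the output, e.g. `if bypassInspection { log.Warn(logMsgPrefix + "Extracting " + originFileName + " without archive inspection.") }`. The doc line `// bypassInspection - Set to true to bypass archive inspection against ZipSlip` should also end with a period and state the consequence, e.g. `... against Zip Slip. Use only for archives from a trusted source.`. The Zip Slip regression tests deleted with utils/io/fileutils/archive_test.go are not replaced here, so that coverage presumably now lives in the gofrog module pinned in go.mod — worth confirming before merge. `ExtractArchive` continues past the end of this hunk.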
@@ -37,13 +42,12 @@ func ExtractArchive(localPath, localFileName, originFileName, logMsgPrefix strin
 return err
 }
 log.Info(logMsgPrefix+"Extracting archive:", archivePath, "to", extractionPath)
- return extract(archivePath, originFileName, extractionPath)
+ return errorutils.CheckError(extract(archivePath, originFileName, extractionPath, unarchiver))
 }
 
-func extract(localFilePath, originArchiveName, extractionPath string) error {
- err := fileutils.Unarchive(localFilePath, originArchiveName, extractionPath)
- if err != nil {
- return err
+func extract(localFilePath, originArchiveName, extractionPath string, unarchiver *unarchive.Unarchiver) error {
+ if err := unarchiver.Unarchive(localFilePath, originArchiveName, extractionPath); err != nil{
+ return errorutils.CheckError(err)
 }
 // If the file was extracted successfully, remove it from the file system
 return errorutils.CheckError(os.Remove(localFilePath))
diff --git a/utils/io/fileutils/archive.go b/utils/io/fileutils/archive.go
deleted file mode 100644
index 0e385900b..000000000
--- a/utils/io/fileutils/archive.go
+++ /dev/null
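Review bot: `extract` already passes both of its failure paths through `errorutils.CheckError`, so wrapping its result again in `ExtractArchive` as `errorutils.CheckError(extract(...))` looks redundant; `return extract(archivePath, originFileName, extractionPath, unarchiver)` is enough. The new line `if err := unarchiver.Unarchive(localFilePath, originArchiveName, extractionPath); err != nil{` is missing the space before `{` and is not gofmt-clean. `extract` also has no doc comment; `// extract unpacks localFilePath into extractionPath with the given unarchiver and removes the archive file on success.` would do.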
@@ -1,207 +0,0 @@ -package fileutils - -import ( - "encoding/json" - "fmt" - "io" - "os" - "path/filepath" - "strings" - - "github.com/jfrog/jfrog-client-go/utils/errorutils" - "github.com/mholt/archiver/v3" -) - -func IsSupportedArchive(filePath string) bool { - iArchiver, err := archiver.ByExtension(filePath) - if err != nil { - return false - } - _, ok := iArchiver.(archiver.Unarchiver) - return ok -} - -// The 'archiver' dependency includes an API called 'Unarchive' to extract archive files. This API uses the archive file -// extension to determine the archive type. -// We therefore need to use the file name as it was in Artifactory, and not the file name which was downloaded. To achieve this, -// we added a new implementation of the 'Unarchive' func and use it instead of the default one. -// localArchivePath - The local file path to extract the archive -// originArchiveName - The archive file name -// destinationPath - The extraction destination directory -func Unarchive(localArchivePath, originArchiveName, destinationPath string) error { - archive, err := byExtension(originArchiveName) - if err != nil { - return err - } - u, ok := archive.(archiver.Unarchiver) - if !ok { - return errorutils.CheckErrorf("format specified by source filename is not an archive format: " + originArchiveName) - } - if err = inspectArchive(archive, localArchivePath, destinationPath); err != nil { - return err - } - return u.Unarchive(localArchivePath, destinationPath) -} - -// Instead of using 'archiver.byExtension' that by default sets OverwriteExisting to false, we implement our own. 
-func byExtension(filename string) (interface{}, error) { - var ec interface{} - for _, c := range extCheckers { - if err := c.CheckExt(filename); err == nil { - ec = c - break - } - } - switch ec.(type) { - case *archiver.Rar: - archiveInstance := archiver.NewRar() - archiveInstance.OverwriteExisting = true - return archiveInstance, nil - case *archiver.Tar: - archiveInstance := archiver.NewTar() - archiveInstance.OverwriteExisting = true - return archiveInstance, nil - case *archiver.TarBrotli: - archiveInstance := archiver.NewTarBrotli() - archiveInstance.OverwriteExisting = true - return archiveInstance, nil - case *archiver.TarBz2: - archiveInstance := archiver.NewTarBz2() - archiveInstance.OverwriteExisting = true - return archiveInstance, nil - case *archiver.TarGz: - archiveInstance := archiver.NewTarGz() - archiveInstance.OverwriteExisting = true - return archiveInstance, nil - case *archiver.TarLz4: - archiveInstance := archiver.NewTarLz4() - archiveInstance.OverwriteExisting = true - return archiveInstance, nil - case *archiver.TarSz: - archiveInstance := archiver.NewTarSz() - archiveInstance.OverwriteExisting = true - return archiveInstance, nil - case *archiver.TarXz: - archiveInstance := archiver.NewTarXz() - archiveInstance.OverwriteExisting = true - return archiveInstance, nil - case *archiver.TarZstd: - archiveInstance := archiver.NewTarZstd() - archiveInstance.OverwriteExisting = true - return archiveInstance, nil - case *archiver.Zip: - archiveInstance := archiver.NewZip() - archiveInstance.OverwriteExisting = true - return archiveInstance, nil - case *archiver.Gz: - return archiver.NewGz(), nil - case *archiver.Bz2: - return archiver.NewBz2(), nil - case *archiver.Lz4: - return archiver.NewLz4(), nil - case *archiver.Snappy: - return archiver.NewSnappy(), nil - case *archiver.Xz: - return archiver.NewXz(), nil - case *archiver.Zstd: - return archiver.NewZstd(), nil - } - return nil, fmt.Errorf("format unrecognized by filename: %s", filename) -} 
- -var extCheckers = []archiver.ExtensionChecker{ - &archiver.TarBrotli{}, - &archiver.TarBz2{}, - &archiver.TarGz{}, - &archiver.TarLz4{}, - &archiver.TarSz{}, - &archiver.TarXz{}, - &archiver.TarZstd{}, - &archiver.Rar{}, - &archiver.Tar{}, - &archiver.Zip{}, - &archiver.Brotli{}, - &archiver.Gz{}, - &archiver.Bz2{}, - &archiver.Lz4{}, - &archiver.Snappy{}, - &archiver.Xz{}, - &archiver.Zstd{}, -} - -// Make sure the archive is free from Zip Slip and Zip symlinks attacks -func inspectArchive(archive interface{}, localArchivePath, destinationDir string) error { - walker, ok := archive.(archiver.Walker) - if !ok { - return errorutils.CheckErrorf("couldn't inspect archive: " + localArchivePath) - } - return walker.Walk(localArchivePath, func(archiveEntry archiver.File) error { - header, err := extractArchiveEntryHeader(archiveEntry) - if err != nil { - return err - } - if !isEntryInDestination(destinationDir, "", header.EntryPath) { - return errorutils.CheckErrorf( - "illegal path in archive: '%s'. 
To prevent Zip Slip exploit, the path can't lead to an entry outside '%s'", - header.EntryPath, destinationDir) - } - - if (archiveEntry.Mode()&os.ModeSymlink) != 0 || len(header.TargetLink) > 0 { - err = checkSymlinkEntry(header, archiveEntry, destinationDir) - } - return err - }) -} - -// Make sure the extraction path of the symlink entry target is under the destination dir -func checkSymlinkEntry(header *archiveHeader, archiveEntry archiver.File, destinationDir string) error { - targetLinkPath := header.TargetLink - if targetLinkPath == "" { - // The link destination path is not always in the archive header - // In that case, we will look at the link content to get the link destination path - content, err := io.ReadAll(archiveEntry.ReadCloser) - if err != nil { - return errorutils.CheckError(err) - } - targetLinkPath = string(content) - } - - if !isEntryInDestination(destinationDir, filepath.Dir(header.EntryPath), targetLinkPath) { - return errorutils.CheckErrorf( - "illegal link path in archive: '%s'. 
To prevent Zip Slip Symlink exploit, the path can't lead to an entry outside '%s'", - targetLinkPath, destinationDir) - } - return nil -} - -// Make sure the extraction path of the archive entry is under the destination dir -func isEntryInDestination(destinationDir, entryDirInArchive, pathInArchive string) bool { - // If pathInArchive starts with '/' and we are on Windows, the path is illegal - pathInArchive = strings.TrimSpace(pathInArchive) - if os.IsPathSeparator('\\') && strings.HasPrefix(pathInArchive, "/") { - return false - } - - pathInArchive = filepath.Clean(pathInArchive) - if !filepath.IsAbs(pathInArchive) { - // If path is relative, concatenate it to the destination dir - pathInArchive = filepath.Join(destinationDir, entryDirInArchive, pathInArchive) - } - return strings.HasPrefix(pathInArchive, destinationDir) -} - -// Extract the header of the archive entry -func extractArchiveEntryHeader(f archiver.File) (*archiveHeader, error) { - headerBytes, err := json.Marshal(f.Header) - if err != nil { - return nil, err - } - archiveHeader := &archiveHeader{} - err = json.Unmarshal(headerBytes, archiveHeader) - return archiveHeader, err -} - -type archiveHeader struct { - EntryPath string `json:"Name,omitempty"` - TargetLink string `json:"Linkname,omitempty"` -} diff --git a/utils/io/fileutils/archive_test.go b/utils/io/fileutils/archive_test.go deleted file mode 100644 index d9da14a8d..000000000 --- a/utils/io/fileutils/archive_test.go +++ /dev/null 
@@ -1,86 +0,0 @@ -package fileutils - -import ( - "path/filepath" - "testing" - - "github.com/stretchr/testify/assert" -) - -func TestUnarchive(t *testing.T) { - tests := []string{"zip", "tar", "tar.gz"} - for _, extension := range tests { - t.Run(extension, func(t *testing.T) { - // Create temp directory - tmpDir, createTempDirCallback := createTempDirWithCallbackAndAssert(t) - defer createTempDirCallback() - // Run unarchive on archive created on Unix - err := runUnarchive("unix."+extension, "archives", filepath.Join(tmpDir, "unix")) - assert.NoError(t, err) - assert.FileExists(t, filepath.Join(tmpDir, "unix", "link")) - assert.FileExists(t, filepath.Join(tmpDir, "unix", "dir", "file")) - - // Run unarchive on archive created on Windows - err = runUnarchive("win."+extension, "archives", filepath.Join(tmpDir, "win")) - assert.NoError(t, err) - assert.FileExists(t, filepath.Join(tmpDir, "win", "link.lnk")) - assert.FileExists(t, filepath.Join(tmpDir, "win", "dir", "file.txt")) - }) - } -} - -func TestUnarchiveSymlink(t *testing.T) { - tests := []string{"zip", "tar", "tar.gz"} - for _, extension := range tests { - t.Run(extension, func(t *testing.T) { - // Create temp directory - tmpDir, createTempDirCallback := createTempDirWithCallbackAndAssert(t) - defer createTempDirCallback() - - // Run unarchive - err := runUnarchive("softlink-rel."+extension, "archives", tmpDir) - assert.NoError(t, err) - assert.FileExists(t, filepath.Join(tmpDir, "softlink-rel", "a", "softlink-rel")) - assert.FileExists(t, filepath.Join(tmpDir, "softlink-rel", "b", "c", "d", "file")) - }) - } -} - -func TestUnarchiveZipSlip(t *testing.T) { - tests := []struct { - testType string - archives []string - errorSuffix string - }{ - {"rel", []string{"zip", "tar", "tar.gz"}, "illegal path in archive: '../file'"}, - {"abs", []string{"tar", "tar.gz"}, "illegal path in archive: '/tmp/bla/file'"}, - {"softlink-abs", []string{"zip", "tar", "tar.gz"}, "illegal link path in archive: '/tmp/bla/file'"}, - 
{"softlink-rel", []string{"zip", "tar", "tar.gz"}, "illegal link path in archive: '../../file'"}, - {"hardlink-tilde", []string{"tar", "tar.gz"}, "walking hardlink: illegal link path in archive: '~/../../../../../../../../../Users/Shared/sharedFile.txt'"}, - } - for _, test := range tests { - t.Run(test.testType, func(t *testing.T) { - // Create temp directory - tmpDir, createTempDirCallback := createTempDirWithCallbackAndAssert(t) - defer createTempDirCallback() - for _, archive := range test.archives { - // Unarchive and make sure an error returns - err := runUnarchive(test.testType+"."+archive, "zipslip", tmpDir) - assert.Error(t, err) - assert.Contains(t, err.Error(), test.errorSuffix) - } - }) - } -} - -func runUnarchive(archiveFileName, sourceDir, targetDir string) error { - return Unarchive(filepath.Join("testdata", sourceDir, archiveFileName), archiveFileName, targetDir) -} - -func createTempDirWithCallbackAndAssert(t *testing.T) (string, func()) { - tempDirPath, err := CreateTempDir() - assert.NoError(t, err, "Couldn't create temp dir") - return tempDirPath, func() { - assert.NoError(t, RemoveTempDir(tempDirPath), "Couldn't remove temp dir") - } -} diff --git a/utils/io/fileutils/testdata/archives/softlink-rel.tar b/utils/io/fileutils/testdata/archives/softlink-rel.tar deleted file mode 100644 index dc4189f426a6b952b378e36ae2e6c6a7b30b6596..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4608 zcmeH}YYKxf497i+7nn`chv(^hpiDMUx3SwVb!Pwd7L3C5BQ0YRP@zl5^?#YMpfYuimTLl$6@bWag3g@4C@5 zOOm2{Fz}l)ent6%+uep$m%mx314x?5{8iZS7eYJ!|7e;X|ML#`Bii{FLOA{#@Q>E$ zfLZg8+VWSLJN}#SkC*R&S^R|{{t5sc|Bd*kd66voYvQk^oVNd|4}UF)KP;NX$YXB* xYxjS{y6eD*VDpb>&A;9M5H!;Mhe5#3EMhTRyd~Qr4$i+7!g)>sr@+w^cmuDYyv+ar 
diff --git a/utils/io/fileutils/testdata/archives/softlink-rel.tar.gz b/utils/io/fileutils/testdata/archives/softlink-rel.tar.gz deleted file mode 100644 index 69f5f50b529a9eb201fecafce8faf7aa1e5ee149..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 234 zcmV7qJAcv+s-t; zm7A%|rJg@`t*muF?wLM{#BMVc?byFbGXWv~rSAQ6uF!uDCjPg7;GeOi7~1n++g6!ZHZD~ePj`C{Sz5d>K-cj!{tmH-j}05#-v^#A|> diff --git a/utils/io/fileutils/testdata/archives/softlink-rel.zip b/utils/io/fileutils/testdata/archives/softlink-rel.zip deleted file mode 100644 index 0168336dd7166e51f2d5e70e3a1c2fabc36a865e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1189 zcma*my-or_6b0b3?5+k4QDcEdV`XPx=&h(MDBKv=#>y2)2pdiONz~59+E*a4@&$Yl zpM!?R)_Z4MXPBSBkh@DkzB!pWWW6|91F!tFp35(Pj|TQ}e>;3AM>pfv-Jlftc^&a2 zofV%nk5B7}lAj1j`1jdA)3ullo4HcZGa)aFps(Gs(;%K_&xOo*G99BlR=Rdu6yjR+ z#c)&(bkw6oQ41CIj6@zw)lkcVw(O|9y9{_i3{Q~iSk$(U>MQJ$AfBbMrXS-|k?De9 zR6B@6E!pAwr?rV`m*3{4P|j3!#>uEjw=pJpVw2n-LOs`<_2$v}_Eab^oxHoK8GD%x z-11Z#@IlP%4Y*2_+FK)?+AWfa9@D?gj44YkS#PB@>z2x7-+U}rjPiQx6^5IrVBq8R W+YhU{h46HRjt;Bz8P|YA8sHa!+SoS$ diff --git a/utils/io/fileutils/testdata/archives/unix.tar b/utils/io/fileutils/testdata/archives/unix.tar deleted file mode 100644 index 87fa0fdd9f201596dbc0e03f6c2b940a230f2fe8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3072 zcmeHHO9}%a40YX8c!MVKcZFU<7|Tedh3SvpzHz`V3Nv(L8BjMb5{WPGkqmL#i^>N8 zoH0^lv~ETY3v$R8)JRGxFcu{skx@dL%Dm?C_v_71Ozq`I|A@;!KF1K!aymDc`}p9> z(=DY2_Wu}DsL6?Sv0AVBZ@>Ikh$tk~BvooR?*AdAblDX#I<}@jisw`9o_YR%-v1Ve a_rG$Mgrt8gr^e^Mw)ee$SD-7fT?O7>>_yA~ 
diff --git a/utils/io/fileutils/testdata/archives/unix.tar.gz b/utils/io/fileutils/testdata/archives/unix.tar.gz deleted file mode 100644 index acd45a3d73318ddac48e3738552d6df10130448e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 181 zcmV;m080NKiwFRGyiH*M1MQSe3c@fDg|qe)xq&m2W^x6u5on~rpiuwt_NFaeC|D32 zyGXvxBM>rg@|bC3zg5BjfU{PQ%5K!mtkVG-Bx4L%Mh!@0jnY=y*ueFC@qM=P@SVTK z&-dCS&I~p j2k9E$?0*It=HD?XP5)RP4YC7n0>~6J zcX*`cQp|^tFhc05o}@r4421BdAH?c8I%n1&a05YDk(vYN-aF@<`oY5FfR>05(+m3G39pT+JQNI*#8#4 zstDm|I8pSN$TsP}eXaiz69MBbHaqa!(v$zZ|E-Fub|k9tI_{3Ifa(vl32LA%kwiCn z|1Hcat-SwMX0=)IV=US1`um^AmaJjd;EKyg(w?Vd){0>;0FUcl;c2~fVvf6=(sY&P zCHco$np0wNz^%-y(=W(?yxIl#4FARHH{E-0fI`OZI6=5FP?-5n8SJeXY8&WuzA=m! z;NAjQdTGY3+3xwS7vE>O!B>*WR5Hgo`+S)TPv*D`s0LAkcE~9n6X2f;9AJcG+~<(N zLskL(712~2H*z`udl-D+hamd)LjzcVSUY5+hlln5-HA24WW+OSc#D60%Bb0>#DL}^RFc!EbiQ4vmFb6rCY+(%>8%eb!H_n3T^-Glb|nxFdGT=G zby{hd!n;D>8<+MFl!Fuf^$CjvAvssvSf5@6ShxS|wAar8B zwVKCwk1$C}P$}_5X1i+$+eK$5|-R#p%M>=pdiYdUA;EIe-! 
zssv)Mvf*^v1}Q)&5bW|}NJvkR`uBKci3x^-kR-4io1p%-Sp5Z-Bl9g*8_+4KNt)OH zk|fLhpd(!&dwso(?CXUjBEkK)u)Lt&f1c&7JlX}TO~3ysK?@3%pP}eWo2G^-FanLr z2=lz1pI@c!8oI8NKI-~)j`RlAm)gel2lAn`HR4>RzuCQ}2Oo`4!Ls-4z+4-zDEJ^v zj5JL4jt|)18RyE;w;ZCc&FEF+TpN7#bA_6CBbZDztCW4zQxJK!O65Z{a0+j=%OIM_ zO9j=C4O!?{?E;Zl8Io=|XNO!a{G9?1c)^eQ0q6h=7!;;#k%q1J?qrNFOT;mSZ+%BT z^Ghf6AfF5pFc5?=3P2%>i>!fosC}jCafW!IWTG_Y9r2rpvEJ@(4@mxi(z+e}-Jw3o z7Yw*@aqg|OaxsKkP2U|C_Au0g9qsK9K&v0yn2wqQ`k@;_(1+hXoE?ZUb#5keUsMwu z^7=f|poL>OX|PKM_*}eJB3It3e>ggwvwmfN8x^{9YPk4^dGWUqj*1uO5{)n84rC+$ zEOK+MRu{Wbwh(PRWO}@j(K$B#eWncUdr9C@P$tGLjNl+j9#QH@bG+p&IdH_dPa9QE zpSsUk8eJ|*8&VM(dix%zj=37Gc82}2{6^~1g zMXu>QtMIG#!}1J)vs{7451eS=+Go&VaDv_D!~O*yPH6=vT;%0r%Vlof8OBq^J9*1d zz2$!Eie}HUU3uV@$nh%E1#zZr-+!|-?n?Rde#+a*>fXXniN%bJr(gGk&DBie4~tJ1 zN&Jvxz%n~q@Qjq=feDi$k0cyCaPk1tm2|-~0*pdenJu?BNq0v-`gbIkKIx=-MH%73nVs?4$RLas=!f0qLu=}&N7-s{^+_gzg-ND^m2UB{y>xwe-vf?}o zc`g(ia-@G`T-(uTWzTjvDw8dpO?yFwhO=S777h=k8-_f3JU@9(@+{@q=};#ZP-=K* z2}?(^n2UpK#Jri)Cq<>DWF*Xpnl|I`fdcPueKCD`+dn@#S9!;uyV6<0`**B%>V1xP z|IQp-AUAQ}ya|6;6F3T(&c<__+%~XKxba}|t8d@m1u=Qs8>xOdQ@z(sRO1}$rigir zYXrP2j0`%M4DCA}GANbQ9CF~~Q#rvrxpk>sfW_tmJ&&0m2`mUyNER_T#IR^0f0~Yt zZ1az)JOan{PJ3P3Ft^IH;I(NR^FMP{y(3IVpC&A8j`53|k$g;!C&Eehp2oD-o3?E~ zki4_K`JT}2F1g4B6>J`j>;kX1`e?Olm?yMl`m|8$v$Be{CY^}N%^$jMUT|WC1ib$QuYxDWJ&?TCPWG aPEJ18pmpA;!$w13Gz3ONU^E116aoPM5gI=L diff --git a/utils/io/fileutils/testdata/zipslip/abs.tar.gz b/utils/io/fileutils/testdata/zipslip/abs.tar.gz deleted file mode 100644 index 2db3551fd379ecfb0b2a6ec23146ee5e910f9e45..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 130 zcmV-|0Db=-iwFRGRYPF_1Jf_bEznQONz_lv%t>XS4KOe;Ff%bx0MX`V=3p8KU^EDr zDHxg<8Ua-q8kw3a7#JFxo0>2v7|_T)D4?{sB(VtSl*+`6#Ij7>>dG@xQ*-c`gX$>- kYCDrwz#}y$C!cGeT`>wq!6+C7qk!H30CHvG3jhcJ0IVi4p#T5? 
diff --git a/utils/io/fileutils/testdata/zipslip/hardlink-tilde.tar b/utils/io/fileutils/testdata/zipslip/hardlink-tilde.tar deleted file mode 100644 index 1c84939a381068ae0120053740532e797472fb6c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 10240 zcmeIuF$#bn7=~ew(h0Oc>IPjPI)IR16b)+7)Y-FIB4}ucmiI&WL==7>XM8vI(;z-f zo>FQp_D;F?_3YdimCh@X6|0i+akatvpc-eq?Nm6b?nf)*65sq~4$=5D(wjHjMF0T= x5I_I{1Q0*~0R#|0009ILKmY**5I_I{1Q0*~0R#|0009ILKmY**5J2E(fel&JA6ozb diff --git a/utils/io/fileutils/testdata/zipslip/hardlink-tilde.tar.gz b/utils/io/fileutils/testdata/zipslip/hardlink-tilde.tar.gz deleted file mode 100644 index d891049b335f02520add82577ad34e7a439cea5b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 135 zcmb2|=HQ5zU!KhLKQ}Q)uOzXE;q5s?u0sw24i{yP3a1E1oZ;QmP|@HZCd4DQTX2od zZpEcZ6Aw96^f%hyJ#*uE;=H`;ui9r_H9WR<_4m4Wx#F|eS#3EVa6SHcP>|k3n{Sr9 m3v(=ei&srQzUleS>d0Sv=B;Odfd}<_7#ivpt!B_*U;qH8=R1A? diff --git a/utils/io/fileutils/testdata/zipslip/rel.tar b/utils/io/fileutils/testdata/zipslip/rel.tar deleted file mode 100644 index 7980de6b33b5ba55b1d7cb2100ae0c46a2bdb085..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2048 zcmdPX(@)FHNoAlVFfcGMGci$M0Mh1W=3pAggwa5zftiA#iJ=itm7$TTxq<8EApq=trYGBB@qa!v%{(h6<{Mwai4 z3=AwFZ62vPIr&@x-i%Cg%(x7a04Zbu>R?#X2x7sFWrY}vW@LajE64#r4U7!FK-wL| GVE_Pt=o#4n diff --git a/utils/io/fileutils/testdata/zipslip/softlink-abs.tar b/utils/io/fileutils/testdata/zipslip/softlink-abs.tar deleted file mode 100644 index e45fab4b325ea411dba7b7d4700ef88625377343..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2048 zcmeHF?Fz#n4D?Zafng#>pT~lwGWWrB8+-eug$>(Z`_aOn`seNv2$zfb(w7v^$Aj;( z65Biga70p!Xx)TNKgg5?8q{EoMr|da0f$1;Hg@Jy@45IJTYLGzKjOSstLG3xstXG~ zt?^w-F1mj!bAA6>tmv4d`T72UB!Pbdk&s%I(^YlJt3IZ%qM>@!&hKAG(RfRsC9tmq E-uogth5!Hn 
diff --git a/utils/io/fileutils/testdata/zipslip/softlink-abs.tar.gz b/utils/io/fileutils/testdata/zipslip/softlink-abs.tar.gz deleted file mode 100644 index b5635faa6aff126fc0a0ba1e594e0100c4c50100..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 157 zcmV;O0Al|iiwFRkQA1$>1MQLB3d0}_g?*H~z%UV0pT~lwGWWxD8+-dn%fMc2Fwm>| z-JAqMa>9w1DFuH%9_$#UXagb|W>|DEi)KE$Hl#`6pcSbBkTe<+z>WNDxW{B~*~-h# z_Tj(JJ!j{_k3HL`ptj9c#4`V~sd(d`{E-+iSIh#GOsA_HgO!sHuA-rmo#)@_boR>| LiQf)i00;m8#6(RF diff --git a/utils/io/fileutils/testdata/zipslip/softlink-abs.zip b/utils/io/fileutils/testdata/zipslip/softlink-abs.zip deleted file mode 100644 index 0b800a4d4bd580714dba491a25107f3c9f89dc3a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 367 zcmWIWW@h1H0D;UVgJ3WNO7JqsFcjyfmE>gRW$Pv;73+tFa56B5xi}|A0&!^tHv=Qf zcSZ&V7LfV?xG~N^V{&VK>v@5qAS{V)46>PEBYAyjj^m PZeaq#O+b1%h{FH?fyG5c diff --git a/utils/io/fileutils/testdata/zipslip/softlink-rel.tar b/utils/io/fileutils/testdata/zipslip/softlink-rel.tar deleted file mode 100644 index 6e24b29d38252e75f68afaf267b5a69be621ed9e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2048 zcmeHE(F(&L4D?g-18bv=%lG(TsZ=(o-NycYSz*KaHfUi`C2)5J!sU{#{T#z(JWW2f zYM+OQY%Qoao_Rr`9~3G=lVKvnjtEeb)<%Kd$Ig1{EzNEcYfm@0dsz2!^%%U5`A5N* xHNHzh(fwPQ^84pvL&p-$kN0ObtiUu)E7gbSH*`~sI{5vIG^(r#)C3Nczze)8IKuz{ diff --git a/utils/io/fileutils/testdata/zipslip/softlink-rel.tar.gz b/utils/io/fileutils/testdata/zipslip/softlink-rel.tar.gz deleted file mode 100644 index ca0439a1d1270fcdbb0f6c72cb5bf3e3c70a9a2d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 150 zcmV;H0BQdpiwFS30`g)211ru?E6K^s%hoMQ&CzF|4KOe;FgG<-0MlmXU>XQuG=yVl zVq|V&VqjowVxnMRXkut+#GqhGBln6LW?Zh60ND=& z0t{~*K{T@YKsU2O+>B;8x{;_Zh8fAg@OGg)x{=7{<2Ig^4dfOkAlw9`mw-470ID-d Ar2qf` From af631338e74b65f6af66cb2027e5925bd3696b74 Mon Sep 17 00:00:00 2001 
From: Eyal Ben Moshe Date: Sun, 23 Apr 2023 18:09:14 +0300 Subject: [PATCH 3/6] Add Frogbot schedule and remove frogbot-config.yml (#751) --- .frogbot/frogbot-config.yml | 5 ----- .../{frogbot-fix.yml => frogbot-scan-and-fix.yml} | 11 ++++++++++- 2 files changed, 10 insertions(+), 6 deletions(-) delete mode 100644 .frogbot/frogbot-config.yml rename .github/workflows/{frogbot-fix.yml => frogbot-scan-and-fix.yml} (67%) diff --git a/.frogbot/frogbot-config.yml b/.frogbot/frogbot-config.yml deleted file mode 100644 index b6845a99b..000000000 --- a/.frogbot/frogbot-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -- params: - git: - repoName: jfrog-client-go - branches: - - dev \ No newline at end of file diff --git a/.github/workflows/frogbot-fix.yml b/.github/workflows/frogbot-scan-and-fix.yml similarity index 67% rename from .github/workflows/frogbot-fix.yml rename to .github/workflows/frogbot-scan-and-fix.yml index 3a25fb26c..3f2679563 100644 --- a/.github/workflows/frogbot-fix.yml +++ b/.github/workflows/frogbot-scan-and-fix.yml @@ -1,8 +1,17 @@ -name: "Frogbot Fix" +name: "Frogbot Scan and Fix" on: push: + # Creating fix pull requests will be triggered by any push to one of the these branches. + # You can add or replace to any branch you want to open fix pull requests for. branches: - 'dev' + schedule: + # The job will run once a day at 00:00 GMT. + - cron: "0 0 * * *" +permissions: + contents: write + pull-requests: write + security-events: write jobs: frogbot: runs-on: ubuntu-latest From 590ae14f9dcaabe116c6ef4a4731e6a03fb3836a Mon Sep 17 00:00:00 2001 From: Yahav Itzhak Date: Sun, 30 Apr 2023 11:37:47 +0300 Subject: [PATCH 4/6] Allow retrieving the temp dir base (#755) --- utils/io/fileutils/temp.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/utils/io/fileutils/temp.go b/utils/io/fileutils/temp.go index 93d0d370e..274656071 100644 --- a/utils/io/fileutils/temp.go +++ b/utils/io/fileutils/temp.go 
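Review bot: The new `permissions` block sits at workflow level, so every job in this workflow inherits `contents: write`, `pull-requests: write` and `security-events: write`, not just the one that opens fix PRs; moving the same three keys under `jobs.frogbot:` (indented below `runs-on`) keeps the write-scoped token confined to the job that needs it and any job added later starts from the repository default. Only the `frogbot` job header is visible here and its steps lie outside the hunk, so today the blast radius is the same, but the job-level form documents who needs what. The added `schedule` trigger runs against the default branch's copy of the workflow, which differs from the `dev` push trigger if `dev` is not the default branch; a one-line comment stating which branch the nightly run scans would save the next reader a guess. Minor: the comment reads "one of the these branches"; `# Fix pull requests are opened on any push to one of these branches.` fixes the typo.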
@@ -44,6 +44,10 @@ func SetTempDirBase(dirPath string) { tempDirBase = dirPath } +func GetTempDirBase() string { + return tempDirBase +} + func RemoveTempDir(dirPath string) error { exists, err := IsDirExists(dirPath, false) if err != nil { From c8bc899d661f3782621de639604dcf6a05aa4a8b Mon Sep 17 00:00:00 2001 From: Michael Sverdlov Date: Mon, 1 May 2023 17:56:39 +0300 Subject: [PATCH 5/6] Update analysis.yml (#756) --- .github/workflows/analysis.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml index a49d91bbf..4c288ef9b 100644 --- a/.github/workflows/analysis.yml +++ b/.github/workflows/analysis.yml @@ -15,7 +15,8 @@ jobs: - name: Static Code Analysis uses: golangci/golangci-lint-action@v3 with: - args: -E=errcheck,gosimple,govet,ineffassign,staticcheck,typecheck,unused,gocritic,asasalint,asciicheck,errchkjson,errname,exportloopref,forcetypeassert,makezero,nilerr,unparam,unconvert,wastedassign,usestdlibvars --timeout=5m + args: | + --timeout 5m --out-${NO_FUTURE}format colored-line-number --enable errcheck,gosimple,govet,ineffassign,staticcheck,typecheck,unused,gocritic,asasalint,asciicheck,errchkjson,exportloopref,forcetypeassert,makezero,nilerr,unparam,unconvert,wastedassign,usestdlibvars Go-Sec: From 8ce7c2d0a9e16f52797b7c4d68de8e18f122ec94 Mon Sep 17 00:00:00 2001 From: Omer Zidkoni <50792403+omerzi@users.noreply.github.com> Date: Tue, 2 May 2023 17:06:59 +0300 Subject: [PATCH 6/6] Promoted version to 1.28.3 (#757) --- go.mod | 6 +++--- go.sum | 8 ++++---- utils/utils.go | 2 +- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/go.mod b/go.mod index dff3e8089..92dd09c78 100644 --- a/go.mod +++ b/go.mod 
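Review bot: `GetTempDirBase` is exported without a doc comment, which the file's linters (`staticcheck`/`gocritic` are enabled in this repo) and the Go convention both expect; add `// GetTempDirBase returns the base directory under which this package creates temporary files and directories, as last set by SetTempDirBase.` The getter reads the package-level `tempDirBase` with no synchronization, the same way `SetTempDirBase` writes it, so a caller that sets the base from one goroutine while another creates temp dirs would be a data race — if such callers exist (the variable's declaration and its readers are outside the hunk), guard both accessors with a `sync.RWMutex` or document that the base must be set before any concurrent use.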
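Review bot: The rewritten `args` drops `errname` from the `--enable` list while the commit title only says "Update analysis.yml"; if the removal is intentional it should be stated in the commit message or a comment, otherwise it should be restored so the linter set stays unchanged. `--out-${NO_FUTURE}format colored-line-number` only works because `NO_FUTURE` is never set and the expansion collapses to `--out-format`; that is a deliberate indirection that reads like a typo, so add `# NO_FUTURE is intentionally unset — the indirection keeps the action from rewriting/warning on an explicit --out-format (confirm against golangci-lint-action docs)` above the `args:` block, and note that a future runner that does export that name would silently change the flag.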
@@ -9,8 +9,8 @@ require ( github.com/go-git/go-git/v5 v5.6.1 github.com/golang-jwt/jwt/v4 v4.5.0 github.com/gookit/color v1.5.3 - github.com/jfrog/build-info-go v1.9.2 - github.com/jfrog/gofrog v1.2.5 + github.com/jfrog/build-info-go v1.9.3 + github.com/jfrog/gofrog v1.3.0 github.com/mholt/archiver/v3 v3.5.1 github.com/stretchr/testify v1.8.2 github.com/xanzy/ssh-agent v0.3.3 @@ -57,4 +57,4 @@ require ( // replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go v1.8.9-0.20230418123708-71a0dbbcb331 -replace github.com/jfrog/gofrog => github.com/jfrog/gofrog v1.2.6-0.20230418122323-2bf299dd6d27 +// replace github.com/jfrog/gofrog => github.com/jfrog/gofrog dev diff --git a/go.sum b/go.sum index 3bace9a1b..058d7b788 100644 --- a/go.sum +++ b/go.sum 
@@ -55,10 +55,10 @@ github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4= -github.com/jfrog/build-info-go v1.9.2 h1:gSX9PH3whFcAMtM9dlPxRE7u9YuYcx8IkfVXQKRjWw0= -github.com/jfrog/build-info-go v1.9.2/go.mod h1:hHXyLsG0SW1jQa4g6q8x2LGAvvX/MMqWVFTcIUAF2PI= -github.com/jfrog/gofrog v1.2.6-0.20230418122323-2bf299dd6d27 h1:jX3UD9qVfj9cuyOe7pN7LlB9JKH5A/3vctjnBpWCKsU= -github.com/jfrog/gofrog v1.2.6-0.20230418122323-2bf299dd6d27/go.mod h1:IFMc+V/yf7rA5WZ74CSbXe+Lgf0iApEQLxRZVzKRUR0= +github.com/jfrog/build-info-go v1.9.3 h1:ZpVcNM4hH+r6dK0ERdSNaizuZALPgSdE29Da1Iki1fo= +github.com/jfrog/build-info-go v1.9.3/go.mod h1:GbuFS+viHCKZYx9nWHYu7ab1DgQkFdtVN3BJPUNb2D4= +github.com/jfrog/gofrog v1.3.0 h1:o4zgsBZE4QyDbz2M7D4K6fXPTBJht+8lE87mS9bw7Gk= +github.com/jfrog/gofrog v1.3.0/go.mod h1:IFMc+V/yf7rA5WZ74CSbXe+Lgf0iApEQLxRZVzKRUR0= github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= diff --git a/utils/utils.go b/utils/utils.go index 0d311f059..9519946fe 100644 --- a/utils/utils.go +++ b/utils/utils.go @@ -26,7 +26,7 @@ import ( const ( Development = "development" Agent = "jfrog-client-go" - Version = "1.28.2" + Version = "1.28.3" ) // In order to limit the number of items loaded from a reader into the memory, we use a buffers with this size limit.