Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update download-artifact plugin in publish-to-test-pypi.yml to fix vulnerability #1596

Merged
merged 1 commit into from
Sep 5, 2024
Merged

Update download-artifact plugin in publish-to-test-pypi.yml to fix vulnerability #1596

merged 1 commit into from
Sep 5, 2024

Conversation

markusgrotz
Copy link
Contributor

@markusgrotz markusgrotz commented Sep 4, 2024
edited by webknjaz
Loading

Versions of actions/download-artifact before 4.1.7 are vulnerable to arbitrary file write when downloading and extracting a specifically crafted artifact that contains path traversal filenames.

Fore more details see: GHSA-6q32-hq47-5qq3

📚 Documentation preview 📚: https://python-packaging-user-guide--1596.org.readthedocs.build/en/1596/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/

@markusgrotz
Update download-artifact plugin in publish-to-test-pypi.yml to fix vu…
5821db4 
…lnerability

Versions of actions/download-artifact before 4.1.7 are vulnerable to arbitrary file write when downloading and extracting a specifically crafted artifact that contains path traversal filenames.

Fore more details see: GHSA-6q32-hq47-5qq3
sinoroc
sinoroc approved these changes Sep 4, 2024
View reviewed changes
Copy link
Contributor

@sinoroc sinoroc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if it is in the long term manageable to keep those up to date? Are Dependabot and tools like this able to help with that?

@zanieb
Copy link

zanieb commented Sep 4, 2024

Yes Dependabot supports bumping these versions https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot

@sinoroc
Copy link
Contributor

sinoroc commented Sep 4, 2024

Yes Dependabot supports bumping these versions https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot

Even for the files that are in non-regular locations (i.e. not in .github/workflows)?

@webknjaz
Copy link
Member

webknjaz commented Sep 5, 2024

Even for the files that are in non-regular locations (i.e. not in .github/workflows)?

Not sure. However, I wouldn't want hashes or patch-level version bumps in the guide, which is why I kept the major-version refs in it.

They also need to be manually validated, since for example the upload+download actions of v4 have breaking changes. They probably don't affect the example workflow but would affect people with more complicated scenarios, having matrices of C-extensions.

webknjaz
webknjaz approved these changes Sep 5, 2024
View reviewed changes
Copy link
Member

@webknjaz webknjaz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@webknjaz webknjaz added this pull request to the merge queue Sep 5, 2024
Merged via the queue into pypa:main with commit 958adec Sep 5, 2024
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@webknjaz webknjaz webknjaz approved these changes

@sinoroc sinoroc sinoroc approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@markusgrotz @zanieb @sinoroc @webknjaz