Security release
Fixes a path traversal / arbitrary file write in perry publish — GHSA-x55v-q459-68ch (CVSS 4.0 8.6, High, CWE-22).
perry publish trusted the build server's ArtifactReady.artifact_name and download_path verbatim when constructing the local destination path. A malicious or compromised hub could deliver a traversal payload (e.g. ../../.ssh/authorized_keys) to write downloaded content outside the chosen output directory (arbitrary file write), and in the self-hosted-hub local-copy path could copy out arbitrary local files (arbitrary read). The primary multi-victim vector is a malicious PR setting [publish] server = "…" in a repo's perry.toml; CI runs receive no confirmation prompt.
All versions through v0.5.1158 are affected. Upgrade to v0.5.1159.
- fix(publish): sanitize server-controlled artifact path — reduce `artifact_name` to a bare, traversal-free filename and gate the `download_path` local-copy shortcut to loopback hubs (#4989)
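The two hardening steps named in the fix, as an added illustration that is not perry's own code (the project's implementation language is not stated on this page; Rust is assumed, and every name other than `ArtifactReady`, `artifact_name` and `download_path` is hypothetical). The sanitizer refuses anything that is not a single path component, the join is checked lexically against the output directory, and the local-copy shortcut is only honoured when the hub URL resolves to a loopback host:

```rust
use std::net::IpAddr;
use std::path::{Component, Path, PathBuf};

/// Model of the hub's ArtifactReady message (field names as in the advisory;
/// the struct itself is a hypothetical stand-in).
#[derive(Debug)]
struct ArtifactReady {
    artifact_name: String,
    download_path: Option<String>,
}

/// Reduce a server-supplied artifact name to a bare filename. Anything that
/// is empty, contains a NUL byte or a separator of either style, or is a
/// `.`/`..` component is rejected rather than normalised.
fn sanitize_artifact_name(name: &str) -> Result<String, String> {
    if name.is_empty() || name.contains('\0') {
        return Err("empty or NUL-containing artifact name".into());
    }
    // Both separator styles count, whatever the local OS: the name came over
    // the wire from a hub the client does not control.
    if name.contains('/') || name.contains('\\') {
        return Err(format!("artifact name contains a path separator: {name:?}"));
    }
    if name == "." || name == ".." {
        return Err(format!("artifact name is a relative component: {name:?}"));
    }
    // Defence in depth: after the string checks the name must still parse as
    // exactly one Normal path component.
    let mut comps = Path::new(name).components();
    match (comps.next(), comps.next()) {
        (Some(Component::Normal(_)), None) => Ok(name.to_string()),
        _ => Err(format!("artifact name is not a single path component: {name:?}")),
    }
}

/// Join the sanitized name under the user's chosen output directory and
/// confirm the result stays inside it (lexical check; symlinks are not resolved).
fn destination_for(out_dir: &Path, name: &str) -> Result<PathBuf, String> {
    let bare = sanitize_artifact_name(name)?;
    let dest = out_dir.join(&bare);
    if !dest.starts_with(out_dir) {
        return Err("destination escaped the output directory".into());
    }
    Ok(dest)
}

/// True only when the hub URL's host is the local machine (127.0.0.0/8, ::1
/// or the literal name "localhost"). Minimal hand-rolled host extraction:
/// strips scheme, userinfo, port, path, query and fragment.
fn hub_is_loopback(server_url: &str) -> bool {
    let rest = server_url.split("://").nth(1).unwrap_or(server_url);
    let authority = rest
        .split(|c: char| c == '/' || c == '?' || c == '#')
        .next()
        .unwrap_or("");
    let host_port = authority.rsplit('@').next().unwrap_or("");
    let host = if host_port.starts_with('[') {
        host_port.trim_start_matches('[').split(']').next().unwrap_or("")
    } else {
        host_port.split(':').next().unwrap_or("")
    };
    if host.eq_ignore_ascii_case("localhost") {
        return true;
    }
    host.parse::<IpAddr>().map(|ip| ip.is_loopback()).unwrap_or(false)
}

#[derive(Debug, PartialEq)]
enum Fetch {
    /// Copy the file the hub named in download_path straight from local disk.
    CopyLocal(PathBuf),
    /// Fetch the artifact over the network like any remote hub.
    DownloadOverNetwork,
}

/// The gate from the fix: a download_path shortcut is only honoured for a
/// loopback hub; a remote hub never gets to name a local file to copy.
fn plan_fetch(server_url: &str, msg: &ArtifactReady) -> Fetch {
    match &msg.download_path {
        Some(p) if hub_is_loopback(server_url) => Fetch::CopyLocal(PathBuf::from(p)),
        _ => Fetch::DownloadOverNetwork,
    }
}

fn main() {
    // Constructed hostile message: the traversal payload quoted in the advisory
    // plus a download_path that a remote hub must not be allowed to use.
    let hostile = ArtifactReady {
        artifact_name: "../../.ssh/authorized_keys".into(),
        download_path: Some("/var/lib/hub/artifact.tar.gz".into()),
    };
    match destination_for(Path::new("dist"), &hostile.artifact_name) {
        Ok(p) => println!("would write {}", p.display()),
        Err(e) => println!("rejected: {e}"),
    }
    println!("remote hub  -> {:?}", plan_fetch("https://hub.example.com", &hostile));
    println!("loopback hub -> {:?}", plan_fetch("http://127.0.0.1:8080", &hostile));
}
```

Rejecting rather than normalising is deliberate: a name that needs normalising is already evidence the hub is misbehaving, and stripping components silently would hide that from the CI log.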
Reported by @wsparks-vc.