What's Changed
- Bump golang.org/x/crypto from 0.43.0 to 0.45.0 by @dependabot[bot] in #140
New Contributors
- @dependabot[bot] made their first contribution in #140
Full Changelog: v0.8.10...v0.8.11
feat(security): Implement robust path and archive extraction safeguards
This commit addresses several security vulnerabilities related to path traversal and insecure archive extraction.
- Path Traversal Prevention (cli/config.go, cli/uninstall.go)
Introduced os.OpenRoot for file system operations in getVersion and Uninstall functions.
This confines all file access to the designated base directory, effectively mitigating path traversal vulnerabilities that could lead to:
  - arbitrary code execution (via zvm use / run / sync)
  - arbitrary file deletion (via zvm uninstall)
- Zip Slip Remediation (cli/upgrade.go)
Enhanced the untar function with explicit path validation using filepath.Abs and strings.HasPrefix.
This ensures that files extracted during the upgrade process cannot be written outside the intended temporary directory, protecting against arbitrary file writes from a malicious tarball.
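As an added illustration (not code from the zvm repository or from this commit), the Go program below shows the kind of path validation the Zip Slip remediation describes: each tar entry is resolved with filepath.Abs and checked with strings.HasPrefix before anything is written. It goes slightly beyond the commit text by comparing against the destination directory with a trailing separator, so that a sibling directory such as "dest-evil" is not mistaken for being inside "dest". The names safeJoin, extractTar and sampleTarball are assumptions, and the tarball is constructed sample data rather than a real release archive.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideDest is returned for archive entries that would escape destDir.
var ErrOutsideDest = errors.New("archive entry would be written outside destination")

// safeJoin resolves an archive entry name against destDir and rejects it if the
// result does not stay inside destDir. The prefix check uses destDir plus a
// path separator so that "/tmp/dest-evil/x" is not accepted for "/tmp/dest".
func safeJoin(destDir, name string) (string, error) {
	absDest, err := filepath.Abs(destDir)
	if err != nil {
		return "", err
	}
	target, err := filepath.Abs(filepath.Join(absDest, name))
	if err != nil {
		return "", err
	}
	if target != absDest && !strings.HasPrefix(target, absDest+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: %q", ErrOutsideDest, name)
	}
	return target, nil
}

// extractTar unpacks a tar stream into destDir. Entries failing safeJoin, and
// entry types other than directories and regular files (a symlink could point
// outside destDir), are reported as rejected instead of being written.
func extractTar(r io.Reader, destDir string) ([]string, []string, error) {
	var written, rejected []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, rejected, nil
		}
		if err != nil {
			return written, rejected, err
		}
		target, err := safeJoin(destDir, hdr.Name)
		if errors.Is(err, ErrOutsideDest) {
			rejected = append(rejected, hdr.Name)
			continue
		}
		if err != nil {
			return written, rejected, err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, rejected, err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return written, rejected, err
			}
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode).Perm())
			if err != nil {
				return written, rejected, err
			}
			_, copyErr := io.Copy(f, tr)
			f.Close()
			if copyErr != nil {
				return written, rejected, copyErr
			}
			written = append(written, hdr.Name)
		default:
			rejected = append(rejected, hdr.Name)
		}
	}
}

// sampleTarball builds a constructed in-memory tarball with one benign entry
// and one Zip Slip style "../" entry; it is sample data, not a zvm release.
func sampleTarball() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	entries := []struct{ name, body string }{
		{"zvm-release/zvm", "binary contents"},
		{"../escape.txt", "should never be written"},
	}
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	dest, err := os.MkdirTemp("", "zvm-extract-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	written, rejected, err := extractTar(bytes.NewReader(sampleTarball()), dest)
	fmt.Println("written:", written, "rejected:", rejected, "err:", err)
}
```

Running it writes only zvm-release/zvm under the temporary directory and reports ../escape.txt as rejected. On Go 1.24 and later the same containment can be obtained by opening the destination with os.OpenRoot and creating files through the returned os.Root, which is the approach the commit takes for the getVersion and Uninstall paths.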