
Commit 00694d4

fix(cve-2022-35861): backport pyenv fix
Kudos to @CharlyReux and @RomainLefeuvre for spotting this and suggesting the fix.
1 parent a3d88fd commit 00694d4

2 files changed

Lines changed: 26 additions & 1 deletion

File tree

libexec/goenv-version-file-read

Lines changed: 13 additions & 1 deletion
@@ -27,7 +27,19 @@ else
2727
IFS="${IFS}"$'\r'
2828
words=($(cut -b 1-1024 "$VERSION_FILE" | sed -n 's/^[[:space:]]*\([^[:space:]#][^[:space:]]*\).*/\1/p'))
2929

30-
versions=("${words[@]}")
30+
# Filter out potentially malicious version strings to prevent path traversal (CVE-2022-35861)
31+
versions=()
32+
for word in "${words[@]}"; do
33+
if [[ -z "$word" || "$word" == \#* ]]; then
34+
# Skip empty lines and comments
35+
continue
36+
elif [[ "$word" == ".." ]] || [[ "$word" == */* ]]; then
37+
# The version string is used to construct a path and we skip dubious values.
38+
# This prevents issues such as path traversal (CVE-2022-35861).
39+
continue
40+
fi
41+
versions=("${versions[@]}" "$word")
42+
done
3143
fi
3244

3345
if [ ! -n "$versions" ]; then
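Review bot: the new filter rejects `..` and anything containing `/`, but a bare `.` still passes, and per the added comment ("The version string is used to construct a path") it then ends up in a constructed path; extend the condition to `[[ "$word" == "." || "$word" == ".." ]] || [[ "$word" == */* ]]`, or document why `.` is harmless there. Minor: the `-z "$word" || "$word" == \#*` branch is unreachable, since the `sed` on the `words=(...)` line already drops leading-`#` words and word splitting never yields an empty element; `versions+=("$word")` is the idiomatic form of the append; and the comment introducing the loop restates the two comment lines inside the `elif`, so one of the two can go.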

test/goenv-version-file-read.bats

Lines changed: 13 additions & 0 deletions
@@ -109,3 +109,16 @@ IN
109109
run goenv-version-file-read my-version
110110
assert_success "1.11.1"
111111
}
112+
113+
@test "skips relative path traversal" {
114+
cat >my-version <<IN
115+
1.11.1
116+
1.10.8
117+
..
118+
./*
119+
1.9.7
120+
IN
121+
122+
run goenv-version-file-read my-version
123+
assert_success "1.11.1:1.10.8:1.9.7"
124+
}
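Review bot: the new test covers `..` and `./*` but not a bare `.` or an absolute entry (for example `/opt/go`), and the filter in `goenv-version-file-read` treats those two differently (an absolute entry is caught by the `*/*` match, `.` is not); adding both cases pins the intended behaviour instead of leaving it implied. Also note that the file is read through an unquoted `$(...)` in `words=(...)`, so `./*` is pathname-expanded against the test's working directory before the loop runs; the assertion still holds because every expansion contains `/`, but it is not a literal `./*` that reaches the filter.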
