[chore] fix license path generation on Windows#182
Merged
Conversation
mailo-nr
changed the title
kb-newrelic
approved these changes
Mar 17, 2026
spathlavath
added a commit
to newrelic-forks/nrdot-collector-components
that referenced
this pull request
Mar 18, 2026
* fix: allow windows style storage paths (newrelic#158) This commit fixes two critical security issues identified by the security team: 1. TOCTOU Race Condition: Added symlink re-validation immediately before write operations in fileStorage.Save() to prevent attackers from creating symlinks between validation and file write. 2. Permission Error Bypass: Removed silent bypassing of permission errors during symlink validation. Now returns an error if path security cannot be verified, preventing potential attacks through unreadable directories. Changes: - Enhanced fileStorage struct with allowedBaseDir and skipValidation fields - Added newFileStorageForTesting() for test isolation - Implemented symlink re-validation before write operations - Removed permission error bypass in checkPathForSymlinks() - Added comprehensive tests: TestTOCTOUProtection and TestPermissionErrorHandling All existing tests pass. No breaking changes to public API or behavior. --------- Co-authored-by: gmanandhar-nr <gmanandhar@newrelic.com> Co-authored-by: Palash Kulkarni <pkulkarni@newrelic.com> * feat: remove processor from atp type name (newrelic#153) * feat: remove processor from atp type name * docs: add PR to existing atp changelog * docs: update changelog entry * docs: update chloggen entry for atp (newrelic#151) * [chore] Prepare release 0.142.2 (newrelic#162) * [chore] Prepare release 0.143.0 (newrelic#168) * ci: pin OTel collector to highest release tag at candidate minor version When preparing a release with SYNC_UPSTREAM=true, checkout the highest published tag of opentelemetry-collector matching the candidate minor version before running multimod sync. This ensures the collector beta modules (e.g. v0.143.0) are paired with the highest stable patch release of the collector at that minor, rather than an arbitrary main HEAD that may contain unreleased development work. Falls back to HEAD with a warning if no matching tag exists. * [chore] multimod update stable modules Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * [chore] multimod update beta modules Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * [chore] update contrib modules to v0.143.0 Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * [chore] mod and toolchain tidy Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * update core modules list * changelog update 0.143.0 * update version.yaml 0.143.0 * builder config changes 0.143.0 * Prepare beta for version v0.143.0 * fix: patch GO-2026-4394 by pinning otel/sdk to v1.40.0 * chore: run gotidy to sync transitive otel/sdk version bump --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Mailo Arsac <marsac@newrelic.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * [chore] Prepare release 0.144.0 (newrelic#170) * [chore] multimod update stable modules Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * [chore] multimod update beta modules Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * [chore] update contrib modules to v0.144.0 Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * [chore] mod and toolchain tidy Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * update core modules list * changelog update 0.144.0 * update version.yaml 0.144.0 * builder config changes 0.144.0 * Prepare beta for version v0.144.0 * fix: update confighttp.ServerConfig.Endpoint to NetAddr for v0.144.0 --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Mailo Arsac <marsac@newrelic.com> * [chore] Prepare release 0.145.0 (newrelic#171) * [chore] multimod update stable modules Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * [chore] multimod update beta modules Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * [chore] update contrib modules to v0.145.0 Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * [chore] mod and toolchain tidy Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * update core modules list * changelog update 0.145.0 * update version.yaml 0.145.0 * builder config changes 0.145.0 * Prepare beta for version v0.145.0 --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * [chore] Prepare release 0.146.0 (newrelic#172) * [chore] multimod update stable modules Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * [chore] multimod update beta modules Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * [chore] update contrib modules to v0.146.0 Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * [chore] mod and toolchain tidy Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * update core modules list * changelog update 0.146.0 * update version.yaml 0.146.0 * builder config changes 0.146.0 * Prepare beta for version v0.146.0 * remove otel sdk replace directives for GO-2026-4394 * fix: update correctness test PICT files for otlp_grpc rename in v0.146.0 --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Mailo Arsac <marsac@newrelic.com> * [chore] Prepare release 0.147.0 (newrelic#173) * [chore] multimod update stable modules Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * [chore] multimod update beta modules Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * [chore] update contrib modules to v0.147.0 Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * [chore] mod and toolchain tidy Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * update core modules list * changelog update 0.147.0 * update version.yaml 0.147.0 * builder config changes 0.147.0 * Prepare beta for version v0.147.0 --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * [chore] automatically generate third party notice overrides (newrelic#159) * ci: autobump golang when updating otel (newrelic#176) * [chore] autobump golang (newrelic#178) * chore: autobump golang when updating otel * trigger checks * use sed syntax that is portable to both mac and linux (which github actions uses) * move logic out into script and add a os check * Apply suggestions from code review Co-authored-by: kb-newrelic <121687305+kb-newrelic@users.noreply.github.com> * move sed_inplace function out of find statement for clarity --------- Co-authored-by: kb-newrelic <121687305+kb-newrelic@users.noreply.github.com> * chore(ci): fix license paths on windows (newrelic#182) --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: kb-newrelic <121687305+kb-newrelic@users.noreply.github.com> Co-authored-by: gmanandhar-nr <gmanandhar@newrelic.com> Co-authored-by: Palash Kulkarni <pkulkarni@newrelic.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Mailo Arsac <marsac@newrelic.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: agarvin-nr <agarvin@newrelic.com> Co-authored-by: Emilia Ferreyra <110185663+emiliaFer@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
On Windows (Git Bash),
realpathreturns POSIX-style paths (/d/a/...) while Make's$(SRC_ROOT)resolves to a Windows-style path (D:/a/...). This mismatch causedaddoverridesto fail stripping the repo root prefix, producing malformed module names inoverrides.jsonland breaking thechecklicensestep.Introduces
ALL_GO_MOD_SUBDIR_CMD— a new variable using relative paths and-mindepth 2to exclude the rootgo.modwithout relying on path format matching.addoverridesnow uses this variable and strips the./prefix instead of$(SRC_ROOT).