Skip to content

Fix isAllowedDir matching by prefix #1276

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sean-breen merged 13 commits into from
Sep 30, 2025
Merged

Fix isAllowedDir matching by prefix #1276

sean-breen merged 13 commits into from
Sep 30, 2025

Conversation

@sean-breen
Copy link
Contributor

@sean-breen sean-breen commented Sep 16, 2025
edited
Loading

Proposed changes

Stops isAllowedDir function from matching by prefix. Originally this function would allow any path which was prefixed by an allowed directory, i.e

  • if /var/log/nginx was present in allowed dirs, then the path /var/log/nginx-test would also be allowed. Not good!

This PR stops this match from taking place, but still matches if the provided path is a subdirectory of an already allowed directory, i.e

  • if /var/log/nginx is in allowed dirs, /var/log/nginx/mysubdir will be allowed but /var/log/nginx-test will be blocked.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING document
  • I have run make install-tools and have attached any dependency changes to this pull request
  • If applicable, I have added tests that prove my fix is effective or that my feature works
  • If applicable, I have checked that any relevant tests pass after adding my changes
  • If applicable, I have updated any relevant documentation (README.md)
  • If applicable, I have tested my cross-platform changes on Ubuntu 22, Redhat 8, SUSE 15 and FreeBSD 13

@sean-breen sean-breen requested a review from a team as a code owner September 16, 2025 11:05
@github-actions github-actions bot added bug Something isn't working chore Pull requests for routine tasks labels Sep 16, 2025
UnwashedMeme
UnwashedMeme requested changes Sep 16, 2025
View reviewed changes
@sean-breen sean-breen marked this pull request as draft September 18, 2025 08:44
UnwashedMeme
UnwashedMeme approved these changes Sep 24, 2025
View reviewed changes
@sean-breen sean-breen marked this pull request as ready for review September 24, 2025 15:41
aphralG
aphralG reviewed Sep 25, 2025
View reviewed changes
@sean-breen sean-breen merged commit c904afa into main Sep 30, 2025
65 of 66 checks passed
@sean-breen sean-breen deleted the allowedDirs_byPrefix branch September 30, 2025 14:42
@sean-breen sean-breen restored the allowedDirs_byPrefix branch September 30, 2025 14:43
@sean-breen sean-breen deleted the allowedDirs_byPrefix branch October 2, 2025 09:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@UnwashedMeme UnwashedMeme UnwashedMeme approved these changes

@aphralG aphralG aphralG left review comments

@dhurley dhurley dhurley approved these changes

@craigell craigell craigell approved these changes

@spencerugbo spencerugbo spencerugbo approved these changes

Assignees

No one assigned

Labels

bug Something isn't working chore Pull requests for routine tasks

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@sean-breen @UnwashedMeme @dhurley @craigell @spencerugbo @aphralG