Harden fork (zip-slip fix + signed releases) and repoint to agendrix#1
Merged
Merged
Conversation
Path traversal fix (gh attach get): - Add safeJoin() and validate every attachment destination path up front before writing. Attachment paths come from a remote git tree (entry.Path) and are untrusted: a ".." entry could escape --output via filepath.Join (classic zip-slip). Fail the whole run on the first bad path so a malicious ref cannot write a single byte outside the target dir; create parent dirs for nested blob paths. Covered by safejoin_test.go (12 cases). Supply-chain hardening (audit evidence + manual/CI verification step, NOT an enforced gate -- gh extension install does not verify signatures or checksums): - .goreleaser.yml: -trimpath, CGO_ENABLED=0 and pinned ldflags for reproducible-ish builds; SHA-256 checksums.txt; cosign keyless (Sigstore/OIDC) signing of the checksum file. - release.yml: id-token/attestations permissions, pinned sigstore/cosign-installer, actions/attest-build-provenance. - README/SECURITY: release-verification instructions. Fork repoint: - Rename Go module github.com/enthus-appdev/gh-attach -> github.com/agendrix/gh-attach and update all imports. - Repoint docs/CI links: README badges (were pointing at upstream CI) and examples, issue templates, CONTRIBUTING. The upstream attribution link and the external enthus-appdev/oss-actions GitHub Action are intentionally left pointing at enthus-appdev. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Merging this branch will increase overall coverage
Coverage by fileChanged files (no unit tests)
Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code. Changed unit test files
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Hardens this hard fork of
enthus-appdev/gh-attachfor use at an ISO 27001 company, and completes the rename of the fork's own identity toagendrix.1. Path traversal (zip-slip) fix —
gh attach getAttachment paths originate from a remote git tree (
entry.Path) and are pushable by anyone with repo write via the raw Git Data API — i.e. untrusted input. A tree entry like../../etc/foowould previously escape--outputthroughfilepath.Join.safeJoin()rejects empty/absolute paths, any..segment (after normalizing\→/), and anything that fails afilepath.Relcontainment check.MkdirAlls parents so nested blob paths (docs/x.png) work.safejoin_test.go: 12 cases (parent/deep/mid-path escapes, absolute, Windows-backslash, empty/./..; accepts plain/nested/leading-dot).2. Supply-chain hardening
.goreleaser.yml:-trimpath,CGO_ENABLED=0, pinned ldflags (reproducible-ish builds); SHA-256checksums.txt; cosign keyless (Sigstore/OIDC) signing of the checksum file.release.yml:id-token: write+attestations: write, pinnedsigstore/cosign-installer@v3.7.0,actions/attest-build-provenance@v2.cosign verify-blob,sha256sum -c,gh attestation verify).The
archives:block staysformats: ['binary']/{os}-{arch}—gh extension installonly consumes raw binaries named that way.3. Fork repoint
enthus-appdev/gh-attach→agendrix/gh-attachenthus-appdev/oss-actionsGitHub Action; and_test.gofixtures (arbitrary sample data — the resolver/String assertions are paired, so replacing would break tests).Verification
go build·go test(both pkgs, incl. newsafejoin_test) ·go vet— all pass.gofmtclean on changed files.goreleaser checkpasses; snapshot build confirms thedist/*/gh-attachprovenance glob matches all 4 binaries;-trimpathconfirmed (no local-path leak). All YAML parses.Out of scope / flagged
gofmtdrift in upstream files (gitdata.go,run.go,repo_test.go, …) left untouched to keep this diff focused.refs/uploads/misc/*(manual-only cleanup). Policy, not code.🤖 Generated with Claude Code