Closed sunaoka closed 1 year ago
Hi, any updates?
We have an updated security audit where `$argv` used in gen_stub.php and gen_api.php is a high security risk (even if vendor is not primarily accessible from the public).
Let me quote:

If an attacker can provide inputs to determine which files to read, and these inputs are not sanitized for file-system metacharacters (such as slashes), then the attacker may choose to read arbitrary files beyond those intended, disclosing these files' contents. It is recommended to consider the following:

• Consider using a static solution for reading files, such as a list of allowed files to read from, or a different file storage solution, such as a database. If reading local files from disk is absolutely required, ensure files are being read from a specific folder, and restrict code access to this folder only.
• When a user provides the file name to be read, prevent them from manipulating the path to access an unintended directory by sanitizing the file name for any file-system metacharacters, such as:
  • Slashes (/, \), Dot (.), Tilde (~)
Thx a lot for this
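The audit's second recommendation (read only from one fixed folder, reject a file name that could escape it), worked through as an added example; this is not aws-crt-php's own code, and the script name, the `api/` directory and the `<name>` argument are assumptions:

```php
<?php
// Added example, not code from aws-crt-php: constrain a CLI-supplied file
// argument (the kind of $argv usage the audit flagged) to one allowed directory.
declare(strict_types=1);

/**
 * Return the canonical path of $userPath inside $baseDir, or throw.
 * realpath() collapses "..", "." and symlinks, so the containment check is
 * done on the canonical form rather than on the raw argument string.
 */
function resolveInside(string $baseDir, string $userPath): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException("allowed directory does not exist: $baseDir");
    }
    // Only a bare file name is expected: no separators, no leading dot,
    // no tilde (the metacharacters the audit lists), and not empty.
    if ($userPath === '' || $userPath[0] === '.' || $userPath[0] === '~'
        || preg_match('#[/\\\\]#', $userPath) === 1) {
        throw new InvalidArgumentException("invalid file name: $userPath");
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    // Belt and braces: the resolved path must still sit below $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("refusing to read outside $base: $userPath");
    }
    return $candidate;
}

// Hypothetical generator-style invocation: php gen.php <name>
$allowed = __DIR__ . DIRECTORY_SEPARATOR . 'api';   // assumed input directory
$name = $argv[1] ?? '';
try {
    $file = resolveInside($allowed, $name);
    $contents = file_get_contents($file);
    echo 'read ' . strlen($contents) . " bytes from $file\n";
} catch (Throwable $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```

With this in place an argument such as `../composer.json` is rejected before any file is opened, while a plain name that exists under `api/` resolves normally.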
Hi, thank you for the PR. It should be covered by https://github.com/awslabs/aws-crt-php/pull/88. Closing...
Description of changes:
Let's ignore these files while installing this package via composer.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.