This release primarily includes a fix that blocked using
filepath-securejoin in Kubernetes.
Previously, some testing mocks we had resulted in us doing import "testing"
in non-_test.go code, which made some downstreams like Kubernetes unhappy.
This has been fixed. (#32)
Thanks to all of the contributors who made this release possible:
This release primarily includes fixes for spurious errors we hit when
checking that directories created by MkdirAll "look right". Upon further
consideration, these checks were fundamentally buggy and didn't offer
any practical protection anyway.
The mode and owner verification logic in MkdirAll has been removed. This
was originally intended to protect against some theoretical attacks but upon
further consideration these protections don't actually buy us anything and
they were causing spurious errors with more complicated filesystem setups.
The "is the created directory empty" logic in MkdirAll has also been
removed. This was not causing us issues yet, but some pseudofilesystems (such
as cgroup) create non-empty directories and so this logic would've been
wrong for such cases.
Thanks to all of the contributors who made this release possible:
This release includes a few fixes for MkdirAll when dealing with S_ISUID
and S_ISGID, to solve a regression runc hit when switching to MkdirAll.
Passing the S_ISUID or S_ISGID modes to MkdirAllInRoot will now return
an explicit error saying that those bits are ignored by mkdirat(2). In
the past a different error was returned, but since the silent ignoring
behaviour is codified in the man pages a more explicit error seems
apt. While silently ignoring these bits would be the most compatible
option, it could lead to users thinking their code sets these bits
when it doesn't. Programs that need to deal with compatibility can
mask the bits themselves. (#23, #25)
Previously, some testing mocks we had resulted in us doing import "testing"
in non-_test.go code, which made some downstreams like Kubernetes unhappy.
This has been fixed. (#32)
[0.3.3] - 2024-09-30
Fixed
The mode and owner verification logic in MkdirAll has been removed. This
was originally intended to protect against some theoretical attacks but upon
further consideration these protections don't actually buy us anything and
they were causing spurious errors with more complicated filesystem setups.
The "is the created directory empty" logic in MkdirAll has also been
removed. This was not causing us issues yet, but some pseudofilesystems (such
as cgroup) create non-empty directories and so this logic would've been
wrong for such cases.
[0.3.2] - 2024-09-13
Changed
Passing the S_ISUID or S_ISGID modes to MkdirAllInRoot will now return
an explicit error saying that those bits are ignored by mkdirat(2). In the
past a different error was returned, but since the silent ignoring behaviour
is codified in the man pages a more explicit error seems apt. While silently
ignoring these bits would be the most compatible option, it could lead to
users thinking their code sets these bits when it doesn't. Programs that need
to deal with compatibility can mask the bits themselves. (#23, #25)
Fixed
If a directory has S_ISGID set, then all child directories will have
S_ISGID set when created and a different gid will be used for any inode
created under the directory. Previously, the "expected owner and mode"
validation in securejoin.MkdirAll did not correctly handle this. We now
correctly handle this case. (#24, #25)
Bumps the go-patch group with 6 updates in the / directory:
1.17.171.17.410.3.10.3.41.0.201.0.1131.14.111.14.430.0.250.0.301.8.01.8.1Bumps the go-patch group with 2 updates in the /api directory: github.com/go-logr/logr and github.com/onsi/gomega. Bumps the go-patch group with 3 updates in the /tfctl directory: github.com/go-logr/logr, github.com/onsi/gomega and github.com/spf13/cobra.
Updates
github.com/aws/aws-sdk-go-v2/credentialsfrom 1.17.17 to 1.17.41Commits
0cbb5aaRelease 2024-10-0854c1dd6Regenerated Clients2cde144Update endpoints model67fbd35Update API modelaa04330Allow non-nil but empty headers (#2826)5a4e5bbadd feature tracking for cbor protocol (#2821)183987cadd annotations to deprecated services and introduce codegen integration for ...b737dc9Release 2024-10-077279a51Regenerated Clientsa1b1f5aUpdate endpoints modelUpdates
github.com/aws/smithy-gofrom 1.20.3 to 1.22.0Changelog
Sourced from github.com/aws/smithy-go's changelog.
... (truncated)
Commits
d479fb7Release 2024-10-0326886e2add http client metrics (#543)c175324Print output when executing commands when exit code != 0 (#540)ec6d6f9Release 2024-09-253187256changelogf1f22c5introduce new aws-http-auth module which implements sigv4 and sigv4a (#541)85dcb19Release 2024-09-19d2ad136add tracing and metrics support to generated clients (#538)f0c6adfRelease 2024-08-14f908d96remove non-runtime changelogUpdates
github.com/cyphar/filepath-securejoinfrom 0.3.1 to 0.3.4Release notes
Sourced from github.com/cyphar/filepath-securejoin's releases.
... (truncated)
Changelog
Sourced from github.com/cyphar/filepath-securejoin's changelog.
Commits
fd16adeVERSION: release v0.3.400e0710godoc: update package documentation0cd6be1README: fix reference to open_tree kernel requirements205046fREADME: add pkg.go.dev badgeecb1b8etests: procfs: clean up mock test hook3ec6eedCHANGELOG: mention #32 fix86e6182merge #32 into cyphar/filepath-securejoin:main6864912Isolate the testing import in test code4348feeopenat: remove unused functiond0c7d67merge #31 into cyphar/filepath-securejoin:mainUpdates
github.com/elgohr/go-localstackfrom 1.0.20 to 1.0.113Commits
5966c11Merge pull request #983 from elgohr/dependabot/go_modules/github.com/maxbruns...28b89dbBump github.com/maxbrunsfeld/counterfeiter/v6 from 6.9.0 to 6.10.06d4967dMerge pull request #982 from elgohr/dependabot/go_modules/docker-c4b95dffb69d08f74Bump the docker group with 2 updatesf2338a6Merge pull request #980 from elgohr/dependabot/go_modules/docker-12c74cbbec2a3219bBump the docker group with 2 updatese1faedcMerge pull request #981 from elgohr/dependabot/go_modules/github.com/maxbruns...aa3a744Bump github.com/maxbrunsfeld/counterfeiter/v6 from 6.8.1 to 6.9.02fc3485Merge pull request #979 from elgohr/dependabot/go_modules/aws-sdk-6b3fa0658d53cc661Bump the aws-sdk group with 2 updatesUpdates
github.com/jenkins-x/go-scmfrom 1.14.11 to 1.14.43Release notes
Sourced from github.com/jenkins-x/go-scm's releases.
... (truncated)
Commits
b29dca5chore: release 1.14.437cb6258chore: add variables4b6f912Merge pull request #456 from jenkins-x/dependabot/go_modules/github.com/bluek...6189096chore(deps): bump github.com/bluekeyes/go-gitdiff from 0.7.4 to 0.8.0357a1beMerge pull request #459 from jenkins-x/pullrequestnull635708ffix: updating gitea demo url7a98a89fix: readable diffs96ab517fix: pull request should be null for issues12239b8Merge pull request #452 from jenkins-x/dependabot/go_modules/github.com/bluek...2414a0dMerge pull request #451 from jenkins-x/dependabot/go_modules/k8s.io/apimachin...Updates
github.com/kubescape/go-git-urlfrom 0.0.25 to 0.0.30Commits
d27eb58Merge pull request #16 from kubescape/fix-gitlab1ba58cbuse detected host in gitlab apiafc1c54Merge pull request #15 from kubescape/fix-gitlab29a0174also support self hosted gitlab in NewGitAPI1d0b89dMerge pull request #14 from kubescape/fix-gitlabec5afafadd support for self-hosted gitlab0a7f7edMerge pull request #13 from kubescape/fix-gitlab5dd5ab2fix gitlab project ID generation36432daMerge pull request #12 from hectorj2f/fix_git_urls_cvee2ce7a0replace whilp/git-urls module by chainguard-dev/git-urlsUpdates
github.com/maxbrunsfeld/counterfeiter/v6from 6.9.0 to 6.10.0Release notes
Sourced from github.com/maxbrunsfeld/counterfeiter/v6's releases.
Commits
241cc37add integration test to validate type aliases are treated correctlyac22042issue #298 - go 1.23 go/types alias change224623aMerge pull request #300 from maxbrunsfeld/dependabot/go_modules/golang.org/x/...16e7f66Bump golang.org/x/tools from 0.25.0 to 0.26.092721d4Merge pull request #299 from maxbrunsfeld/dependabot/go_modules/golang.org/x/...f5b33b8Bump golang.org/x/text from 0.18.0 to 0.19.0b15b881Merge pull request #296 from maxbrunsfeld/dependabot/go_modules/github.com/on...63d30a8Bump github.com/onsi/gomega from 1.34.1 to 1.34.2Updates
github.com/onsi/gomegafrom 1.34.1 to 1.34.2Release notes
Sourced from github.com/onsi/gomega's releases.
Changelog
Sourced from github.com/onsi/gomega's changelog.
Commits
7cabed6v1.34.2c59c6dcbump ginkgo as well8158b99bump to go 1.22 - remove x/exp dependencyfa057b8v1.34.15e71dcdUse slices from exp/slices to keep golang 1.20 compatUpdates
github.com/spf13/cobrafrom 1.8.0 to 1.8.1Release notes
Sourced from github.com/spf13/cobra's releases.
... (truncated)
Commits
e94f6d0Address golangci-lint deprecation warnings, enable some more linters (#2152)8003b74Remove fully inactivated linters (#2148)5c2c1d6Consistent annotation names (#2140)5a1aceabuild(deps): bump github.com/cpuguy83/go-md2man/v2 from 2.0.3 to 2.0.4 (#2127)0fc86c2docs: update user guide (#2128)6b5f577More linting (#2099)bd914e5fix: remove deprecated io/ioutils package (#2120)1f80fa2chore: remove repetitive words (#2122)c69ae4cci: test golang 1.22 (#2113)a30cee5build(deps): bump actions/cache from 3 to 4 (#2102)Updates
k8s.io/apimachineryfrom 0.30.1 to 0.30.3Commits
Updates
github.com/go-logr/logrfrom 1.4.1 to 1.4.2Release notes
Sourced from github.com/go-logr/logr's releases.
Commits
1205f42Merge pull request #295 from go-logr/dependabot/github_actions/actions/checko...ccedcbdMerge pull request #294 from go-logr/dependabot/github_actions/github/codeql-...bead577build(deps): bump actions/checkout from 4.1.5 to 4.1.6a492d95build(deps): bump github/codeql-action from 3.25.4 to 3.25.519ad07cbuild(deps): bump ossf/scorecard-action from 2.3.1 to 2.3.31c97a21build(deps): bump actions/checkout from 4.1.4 to 4.1.5f70c5b5build(deps): bump github/codeql-action from 3.25.3 to 3.25.44ade8d3build(deps): bump golangci/golangci-lint-action from 5.3.0 to 6.0.188d98bdMerge pull request #289 from go-logr/dependabot/github_actions/golangci/golan...432cd86Merge pull request #288 from go-logr/dependabot/github_actions/actions/setup-...Updates
github.com/onsi/gomegafrom 1.34.0 to 1.34.2Release notes
Sourced from github.com/onsi/gomega's releases.
Changelog
Sourced from github.com/onsi/gomega's changelog.
Commits
7cabed6v1.34.2c59c6dcbump ginkgo as well8158b99bump to go 1.22 - remove x/exp dependencyfa057b8v1.34.15e71dcdUse slices from exp/slices to keep golang 1.20 compatUpdates
golang.org/x/netfrom 0.25.0 to 0.28.0Commits
4542a42go.mod: update golang.org/x dependencies765c7e8xsrftoken: create no padding base64 string by RawURLEncoding032e4e4LICENSE: update per Google Legale2310aego.mod: update golang.org/x dependencies77708f7quic: skip tests which depend on unimplemented UDP functions on Plan 99617c63http2: avoid Transport hang with Connection: close and AllowHTTP66e838cgo.mod: update golang.org/x dependencies6249541http2: avoid race in server handler SetReadDeadine/SetWriteDeadline603e3e6quic: disable X25519Kyber768Draft00 in tests67e8d0chttp2: report an error if goroutines outlive serverTester testsUpdates
github.com/go-logr/logrfrom 1.4.1 to 1.4.2Release notes
Sourced from github.com/go-logr/logr's releases.
Commits
1205f42Merge pull request #295 from go-logr/dependabot/github_actions/actions/checko...ccedcbdMerge pull request #294 from go-logr/dependabot/github_actions/github/codeql-...bead577build(deps): bump actions/checkout from 4.1.5 to 4.1.6a492d95build(deps): bump github/codeql-action from 3.25.4 to 3.25.519ad07cbuild(deps): bump ossf/scorecard-action from 2.3.1 to 2.3.31c97a21build(deps): bump actions/checkout from 4.1.4 to 4.1.5f70c5b5build(deps): bump github/codeql-action from 3.25.3 to 3.25.44ade8d3build(deps): bump golangci/golangci-lint-action from 5.3.0 to 6.0.188d98bdMerge pull request #289 from go-logr/dependabot/github_actions/golangci/golan...432cd86Merge pull request #288 from go-logr/dependabot/github_actions/actions/setup-...Updates
github.com/onsi/gomegafrom 1.34.0 to 1.34.2Release notes
Sourced from github.com/onsi/gomega's releases.
Changelog
Sourced from github.com/onsi/gomega's changelog.
Commits
7cabed6v1.34.2c59c6dcLooks like these dependencies are no longer updatable, so this is no longer needed.