
ci: fix download artifact vulnerability #327

Merged (5 commits), Sep 18, 2024

Conversation

DifferentialOrange (Member) commented Sep 4, 2024

Versions of actions/download-artifact before 4.1.7 are vulnerable to arbitrary file write when downloading and extracting a specifically crafted artifact that contains path traversal filenames [1].

  1. https://github.com/tarantool/tarantool-python/security/dependabot/4

Also see #326

Since CI is currently failing, several fixes were introduced, as well as dropping Python 3.6 support.
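The description above refers to a path traversal in artifact extraction. The following is an added illustration and is neither tarantool-python's code nor the actions/download-artifact implementation: it builds a small zip in memory (constructed sample data) with an entry named `../../pwned.txt`, then shows the naive extractor pattern that honours the entry name verbatim next to a hardened extractor that checks every resolved target stays under the destination before writing anything. All function names here are this example's own.

```python
"""Added example: a crafted archive with a traversal entry name, a naive
extractor that writes outside its target directory, and a hardened one that
refuses the entry. Illustrative code, not the project's or the action's own.
"""
import io
import os
import tempfile
import zipfile


def build_malicious_artifact() -> bytes:
    """Constructed sample: one benign file plus one path traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "benign content\n")
        # Entry names are attacker-controlled; the zip format does not
        # forbid ".." components, so the name survives as written.
        zf.writestr("../../pwned.txt", "written outside the target dir\n")
    return buf.getvalue()


def entry_escapes(root: str, name: str) -> bool:
    """True if joining `name` to `root` resolves outside `root`.

    Resolving with realpath and comparing the common prefix catches
    "../" escapes, absolute names, and symlinked destinations alike.
    """
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, name))
    return os.path.commonpath([root, target]) != root


def naive_extract(archive: bytes, dest: str) -> list:
    """Vulnerable pattern: trust the entry name and join it to dest.

    Returns the resolved absolute paths that were actually written.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # no containment check
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.realpath(target))
    return written


def safe_extract(archive: bytes, dest: str) -> list:
    """Hardened form: validate every entry before writing any of them.

    Raises ValueError on the first entry that would escape, so a bad
    archive never leaves a partially extracted tree behind.
    """
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if entry_escapes(root, info.filename):
                raise ValueError(f"refusing traversal entry: {info.filename!r}")
        written = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors on the constructed artifact inside a temp tree.

    The destination is two levels deep so the traversal lands inside the
    temp directory and is cleaned up; the escape is still real.
    """
    archive = build_malicious_artifact()
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "a", "b")
        os.makedirs(dest)
        escaped = any(entry_escapes(dest, p) for p in naive_extract(archive, dest))
        try:
            safe_extract(archive, dest)
            refused = False
        except ValueError:
            refused = True
    return {"naive_escaped": escaped, "safe_refused": refused}


if __name__ == "__main__":
    print(demo())
```

Python's own `ZipFile.extract` already strips such components, which is why the naive extractor above opens files by hand: it reproduces the class of bug described in the advisory rather than the standard library's behaviour. The same containment check applies to any extractor, whichever language the CI action is written in.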

DifferentialOrange force-pushed the DifferentialOrange/no-gh-ci-health branch 2 times, most recently from 41b052f to f85f3c5 on September 4, 2024 06:36
DifferentialOrange changed the title from "Differential orange/no gh ci health" to "ci: fix download artifact vulnerability" on Sep 4, 2024
DifferentialOrange force-pushed the DifferentialOrange/no-gh-ci-health branch from 093813b to 31666d9 on September 4, 2024 06:56
Versions of actions/download-artifact before 4.1.7 are vulnerable to
arbitrary file write when downloading and extracting a specifically
crafted artifact that contains path traversal filenames [1].

1. https://github.com/tarantool/tarantool-python/security/dependabot/4
After this patch, current PR pipeline runs will be cancelled if new
commits or a force push trigger new pipelines.
DifferentialOrange force-pushed the DifferentialOrange/no-gh-ci-health branch from 31666d9 to af88d26 on September 4, 2024 08:09
Python 3.6 EOL is 2021-12-23 [1]. Current build script no longer
supports Python 3.6 due to `packaging` Python dependency bump.
(And fixing the issue is more than just pinning an older `packaging`
version as a dependency.)

1. https://devguide.python.org/versions/
DifferentialOrange merged commit 61e96fc into master on Sep 18, 2024
75 checks passed
DifferentialOrange deleted the DifferentialOrange/no-gh-ci-health branch on September 18, 2024 11:27