fix: add checksum verification and harden archive extraction in CLI self-update#7575
fix: add checksum verification and harden archive extraction in CLI self-update#7575fresh3nough wants to merge 1 commit intoblock:mainfrom
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: cfd1604ba5
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
fresh3nough
force-pushed
the
fix/update-checksum-verification-7552
branch
from
cfd1604 to
b79c0f8
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b79c0f8473
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
…elf-update Addresses block#7552: CLI self-update lacked signature/checksum verification and archive extraction was vulnerable to path traversal. Changes: - Replace shell-out update with native Rust implementation - Add SHA-256 checksum verification against <asset>.sha256 files (graceful fallback when no checksum file is published) - Harden tar extraction: iterate entries individually with path validation to prevent zip-slip/tar-slip attacks - Harden zip extraction: use enclosed_name() for path sanitization - Add tar.gz/tgz support via flate2 for format flexibility - Generate SHA-256 checksum files in CI build pipeline - Upload checksum files alongside release archives - Add comprehensive tests for all new functionality Signed-off-by: fresh3nough <[email protected]>
fresh3nough
force-pushed
the
fix/update-checksum-verification-7552
branch
from
b79c0f8 to
43705cf
Compare
|
hey @fresh3nough, thanks for this. #7148 moved the update to a rust implementation, but the digest proposal from your PR is still relevant. #7097 adds what we need on the build side, so we should probably go with those signatures. I'll close this PR, but the goal here is good and if you're interested, maybe you could look into verifying these using the https://github.com/sigstore/sigstore-rs crate? |
|
@jamadeo thanks, yes sir, i will take a look fs |
|
Hey @tlongwell-block (and thanks for the thoughtful close!), Opened a new PR with the exact direction you suggested: #7818
Happy to iterate! |
2 participants
Summary
Replace the shell-out-to-curl-and-bash self-update mechanism with a native Rust implementation that adds SHA-256 checksum verification and hardens archive extraction against path traversal attacks (zip-slip/tar-slip).
Checksum verification:
<asset>.sha256file from the same releasebuild-cli.yml) now generates.sha256files alongside each archive, andrelease.yml/canary.ymlupload them as release assetsExtraction hardening:
tar.bz2,tar.gz) now iterates entries individually, validating each path rejects absolute paths and..components before unpackingenclosed_name()for path sanitization and iterates entries individually instead of using bulkextract()Format flexibility:
flate2dependency andextract_tar_gz()to support.tar.gz/.tgzarchives alongside the existing.tar.bz2and.zipformatsextract_archive()dispatcher selects the correct extractor based on file extensionType of Change
AI Assistance
Testing
..components)cargo test -p goose-cli -- update(15/15)cargo clippy --all-targets -- -D warningspasses cleancargo fmtappliedSteps to reproduce the fix:
Related Issues
Closes #7552