artifact filename mangling might break valid unix file paths #565

lukpueh · 2023-03-22T12:28:38Z

[based on X41 source code audit informational note]

in_toto.runlib.record_artifacts_as_dict mangles file names to provide consistency between different operating systems. But replacing a backslash with a slash, can break valid Unix file paths:

in-toto/in_toto/runlib.py

Lines 260 to 263 in fe5ec9a

    
           # FIXME: this is necessary to provide consisency between windows 
        
           # filepaths and *nix filepaths. A better solution may be in order 
        
           # though... 
        
           artifact = artifact.replace('\\', '/')

Solution Advice

X41 recommends to normalize file paths by d by using file:// URLs that are handled the same on all supported operating systems.

ITE-4 defines the necessary specification change, and #536 provides a implementation.

The text was updated successfully, but these errors were encountered:

lukpueh changed the title ~~Broken Filename Mangling~~ artifact filename mangling might break valid unix file paths Mar 22, 2023

lukpueh added the X41 Informational findings from X41 source code audit label Mar 30, 2023

lukpueh mentioned this issue May 1, 2023

Revise exclude patterns behaviour and docs #586

Open

lukpueh mentioned this issue May 16, 2023

Add dirHash resolver #590

Merged

3 tasks

adityasaky mentioned this issue Jul 25, 2023

Fixes filepath pattern matching in windows in-toto/in-toto-golang#254

Merged

2 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

artifact filename mangling might break valid unix file paths #565

artifact filename mangling might break valid unix file paths #565

lukpueh commented Mar 22, 2023 •

edited

artifact filename mangling might break valid unix file paths #565

artifact filename mangling might break valid unix file paths #565

Comments

lukpueh commented Mar 22, 2023 • edited

lukpueh commented Mar 22, 2023 •

edited