Support Path Traversals in Vendoring #888

Open
goruha opened this issue Dec 23, 2024 · 2 comments · May be fixed by #899
Labels
bug 🐛 An issue with the system Short List

Comments

@goruha
Member

goruha commented Dec 23, 2024

Describe the Bug

When there is a path traversal in the vendor URI, atmos vendor pull fails with the error
FatalError{Underlying: error while running command: exit status 1; URI cannot contain path traversal sequences}

The regression was introduced in version 1.130.0.

Expected Behavior

atmos vendor pull should finish successfully.

Steps to Reproduce

  1. Use atmos version 1.130.0
  2. Create vendor.yaml with the following content:
apiVersion: atmos/v1
kind: AtmosVendorConfig
metadata:
  name: fixtures
  description: Atmos vendoring manifest
spec:
  sources:
    - component: "account-map"
      source: github.com/cloudposse/terraform-aws-components.git//modules/account-map?ref={{.Version}}
      version: 1.520.0
      targets:
        - "components/terraform/account-map"
      included_paths:
        - "**/*.tf"
        - "**/*.md"
        - "**/*.tftmpl"
        - "**/modules/**"
      excluded_paths: []

    - component: "vpc"
      source: "../../src"
      targets:
        - "components/terraform/vpc"
      included_paths:
        - "**/*.tf"
        - "**/*.md"
        - "**/*.tftmpl"
        - "**/modules/**"
      excluded_paths: []
  3. Run atmos vendor pull

Screenshots

No response

Environment

No response

Additional Context

No response

@goruha goruha added the bug 🐛 An issue with the system label Dec 23, 2024
@goruha goruha changed the title from "Vendor pul regression" to "Vendor pull regression" Dec 24, 2024
@jamengual

I'm having the same issue

looks like this broke the parsing:

Run cd atmos/
Vendoring from 'vendor.yaml'
unsupported URI scheme: git::https
Error: Process completed with exit code 1.

when

sources:
      - source: 'git::https://x-access-token:{{env "GITHUB_TOKEN"}}@github.com......

@osterman
Member

@jamengual your error is related to the new vendoring, but unrelated to the error above.

@goruha We can remove the check for path traversals. Makes sense in the use-case above.

@osterman osterman changed the title from "Vendor pull regression" to "Support Path Traversals in Vendoring" Dec 24, 2024
@osterman osterman added the Short List label Dec 24, 2024 — with Linear
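
Added example, not part of the issue thread and not atmos's code: a Go comparison of a blanket ".." rule, which rejects the "../../src" source from the reproduction, with a containment check that resolves the path before deciding. The substring rule, the function names and the /repo layout are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// blanketCheck is an assumed form of the rule behind the error in the issue:
// any ".." in the source is refused, so legitimate parent-relative paths fail.
func blanketCheck(source string) error {
	if strings.Contains(source, "..") {
		return errors.New("URI cannot contain path traversal sequences")
	}
	return nil
}

// resolveLocalSource resolves a local source against the directory holding
// vendor.yaml and accepts it only when the result stays under root.
// The comparison is lexical; symlinks are not followed.
func resolveLocalSource(root, manifestDir, source string) (string, error) {
	abs := source
	if !filepath.IsAbs(source) {
		abs = filepath.Join(manifestDir, source) // Join also cleans ".." segments
	}
	rel, err := filepath.Rel(root, abs)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("source %q resolves outside %s", source, root)
	}
	return filepath.Clean(abs), nil
}

func main() {
	// Constructed layout: repository at /repo, vendor.yaml in /repo/examples/demo.
	root, manifestDir := "/repo", "/repo/examples/demo"
	for _, src := range []string{"../../src", "../../../etc", "/etc/passwd"} {
		path, err := resolveLocalSource(root, manifestDir, src)
		fmt.Printf("%-14q blanket=%v resolved=%q err=%v\n", src, blanketCheck(src), path, err)
	}
}
```

Under these assumptions the blanket rule refuses "../../src" yet lets the absolute path "/etc/passwd" through, while the containment check accepts the first and rejects the second.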