Comments (6)
Hi @kbalthaser! Thanks for reporting that. It does seem like an issue either in the docs or how the bundle is built. Could you perhaps help me understand what kind of path-traversal issues this may result in?
The path-traversal issue is usually on the Python side, which has mostly been fixed at this point. That said, some packages still have a check in place and will refuse to decompress a file that contains absolute paths in the tar file; in our case OPAL will refuse to decompress the bundle. If the community here thinks there is no issue with the bundler on the OPA side, I can certainly talk with the OPAL developers as well.
I think it is just strange to see the tool build the bundle with the files pathed to root; it is not really what you would normally see on a standard tarball archive. As such it just "looks" and "feels" like it is incorrect. You would normally have to go out of your way to construct the archive like that. I would like to understand the reasoning behind having the bundle packaged with that leading / on all files.
I don't know if there was any conscious reasoning behind that, and we'd have to go back to 2019 to ask :)
https://github.com/open-policy-agent/opa/blob/main/internal/file/archive/tarball.go#L30
In the time since, I've never seen this raised as an issue, but presumably few tools other than OPA do more work on bundles than to serve them. For that reason, I'd be wary of making changes to the format at this point in time, but I'd be happy to see the docs updated to reflect how they're stored in the archive.
Frankly, it's always been like that and I, too, never questioned it. I don't think there's a good reason for it to be like it is, and it's also unlikely to break much stuff when we change it. However, I have used explicit un-tar calls before, like tar xf bundle.tar.gz /policy.wasm, and so have others -- those would break if we remove the leading slash, I think.
Looking around, there would be a few people affected, it seems: https://github.com/search?q=%22%2Fpolicy.wasm%22&type=code
With that much inertia, I can understand not wanting to change it at this point. I can pretty easily work around this issue by repacking the archive.
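The check that hardened extractors such as OPAL apply, and the repack workaround mentioned above, as an added Go example that is not OPA's or OPAL's own code: it constructs a tar whose entry names carry a leading "/", flags entries an extractor would refuse, and rewrites them as relative paths. The sample archive is a plain tar rather than the gzipped .tar.gz OPA produces, and buildBundle, unsafeEntry and repack are names chosen for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// buildBundle: constructed sample tar with leading "/" on every entry name, as in the thread (not a real OPA bundle).
func buildBundle(files map[string]string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for name, body := range files {
		tw.WriteHeader(&tar.Header{Name: name, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))})
		tw.Write([]byte(body))
	}
	tw.Close()
	return buf.Bytes()
}

// unsafeEntry: the check hardened extractors apply, refusing absolute names and names that escape the root via "..".
func unsafeEntry(name string) bool {
	clean := path.Clean(name)
	return strings.HasPrefix(name, "/") || clean == ".." || strings.HasPrefix(clean, "../")
}

// repack copies in to out with leading slashes stripped (the thread's workaround), failing closed on escaping entries.
func repack(in []byte, out io.Writer) ([]string, error) {
	tw, tr, names := tar.NewWriter(out), tar.NewReader(bytes.NewReader(in)), []string{}
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		hdr.Name = strings.TrimLeft(hdr.Name, "/")
		if unsafeEntry(hdr.Name) {
			return nil, fmt.Errorf("entry %q escapes the extraction root", hdr.Name)
		}
		if err = tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err = io.Copy(tw, tr); err != nil {
			return nil, err
		}
		names = append(names, hdr.Name)
	}
	return names, tw.Close()
}
```

Go's archive/tar does no path validation of its own, so a consumer that extracts bundles to disk needs a check like unsafeEntry before joining hdr.Name onto the target directory.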
Thanks @kbalthaser 👍 I'll close this then. If others experience issues around this, they should hopefully be able to find this discussion.