This PR updates security-critical dependencies addressing authentication
and data parsing vulnerabilities.
**Authentication Security:**
- github.com/coreos/go-oidc: v2.3.0 -> v2.5.0
  - Security fix: Now verifies token signature BEFORE validating payload
  - Prevents potential processing of tampered tokens before cryptographic
    verification
- github.com/cyphar/filepath-securejoin: v0.6.0 -> v0.6.1
  - Security fix: Fixed seccomp fallback logic - library now properly falls
    back to safer O_PATH resolver when openat2(2) is denied by seccomp-bpf
  - Fixed file descriptor leak in openat2 wrapper during RESOLVE_IN_ROOT
- cyphar.com/go-pathrs: v0.2.1 -> v0.2.2
  - Companion update to filepath-securejoin
**Protobuf Security:**
- google.golang.org/protobuf: v1.36.8 -> v1.36.11
  - Security fix: Added recursion limit check in lazy decoding validation
  - Prevents potential stack exhaustion attacks via maliciously crafted
    protobuf messages
  - Also adds support for URL chars in type URLs in text-format
These updates are critical for:
- OIDC authentication in kube-apiserver
- Container filesystem path resolution (used by container runtimes)
- Protobuf message parsing throughout the codebase
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
pathrs-lite
github.com/cyphar/filepath-securejoin/pathrs-lite provides a minimal pure
Go implementation of the core bits of libpathrs. It is not intended to
be a complete replacement for libpathrs; instead, it is mainly intended to be
useful as a transition tool for existing Go projects.
pathrs-lite also provides a very easy way to switch to libpathrs (even for
downstreams where pathrs-lite is used by a third-party package that is
not interested in using CGo). At build time, if you use the `libpathrs` build
tag, pathrs-lite will use libpathrs directly instead of the pure Go
implementation. The two backends are functionally equivalent (and we have
integration tests to verify this), so this migration should be very easy with
no user-visible impact.
License
Most of this subpackage is licensed under the Mozilla Public License (version 2.0). For more information, see the top-level COPYING.md and LICENSE.MPL-2.0 files, as well as the individual license headers for each file.
Copyright (C) 2024-2025 Aleksa Sarai <cyphar@cyphar.com>
Copyright (C) 2024-2025 SUSE LLC
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at https://mozilla.org/MPL/2.0/.