v3.4.1 — Security patch (CodeQL #65–#68) #34
Jovancoding
announced in
Announcements
Security Fixes
CodeQL #65–#68 (HIGH) — Insecure temporary file (CWE-377, CWE-378)
All four alerts flagged writeFileSync calls in lib/locked-blackboard.ts where CodeQL traced a taint path from os.tmpdir() through basePath to the written file.

Changes in lib/locked-blackboard.ts:
- path.resolve(basePath) in constructor — absolute path resolution normalizes all derived paths (blackboardPath, pendingDir, lockPath)
- mode: 0o600 on all writeFileSync calls — files are owner-read/write only; no world or group access (directly addresses CWE-377/CWE-378)
- mode: 0o700 on all mkdirSync calls — directories are owner-only

Affected write sites:
- writeInitialBlackboard()
- persistToDisk() (locked path)
- savePendingChange()
- archivePendingChange()
- persistToDiskInternal()

Compatibility
100% backward compatible — no API changes, no behavior changes.
497 tests passing (64/64 priority tests verified post-fix).
Full changelog
See CHANGELOG.md for complete history.
This discussion was created from the release v3.4.1 — Security patch (CodeQL #65–#68).