Avoid following symlinks from the repository (!176) · Merge requests · Iron Bank / ironbank-pipeline

blake.burkhart requested to merge 38-README-symlink into development Oct 21, 2020

By accident (not intentional security design), we already tested with -f and only supported regular files. Document that this code is security relevant with a comment.

The frontend only supports files named README.md and LICENSE, update the pipeline to match this. Only supporting LICENSE will probably break existing repos, but they were really already broken.

Closes #38

Edited Nov 17, 2020 by Tim Seagren

Avoid following symlinks from the repository

Merge request reports