mirror of
https://github.com/openfaas/faasd.git
synced 2025-06-11 09:26:47 +00:00
e33a60862d
This patch fixes a vulnerability in the secrets API, however it is important to stress that the user must be authenticated as the admin user on the REST API before they can attempt this. Reported by Appsecco via email. @lucasroesler, Appsecco and myself believe this to be of low severity. The fix prevents directory traversal characters from being used in secret names. If a secret name such as: ../../root/.ssh/authorized_keys were to be used, an attacker could remove the value and write their own. Tested with unit tests and tests are now made to run via the CI and a new Makefile target. Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>