GHSA-x6p3-76f2-xxvh
Shamefile has an arbitrary file read via shamefile.yaml in shame next
### Impact
A path traversal vulnerability in `shame next` allows an attacker-controlled `shamefile.yaml` to disclose contents of files outside the repository, one line at a time, to the terminal of a user who runs the command. See patch commit for technical details.
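The usual mitigation for this class of bug (CWE-22) is to confine every path taken from the untrusted file to the repository root before opening it. The following is an added example, not the project's own code or its patch (the patch commit is linked under Resources); it assumes a `shamefile.yaml` entry is meant to name a file relative to the repository, refuses anything that could leave the root lexically, and then canonicalizes so a symlink inside the repository cannot point outside it.

```rust
use std::path::{Component, Path, PathBuf};
use std::{fs, io};

/// Why a configured path was refused.
#[derive(Debug)]
pub enum PathError {
    /// The path points (lexically or after symlink resolution) outside the repository.
    Escapes(PathBuf),
    Io(io::Error),
}

impl From<io::Error> for PathError {
    fn from(e: io::Error) -> Self {
        PathError::Io(e)
    }
}

/// Resolve a file name taken from an untrusted config (here: an entry in
/// `shamefile.yaml`, assumed to be a path relative to the repository) so that
/// the returned path is guaranteed to lie inside `repo_root`.
pub fn resolve_within_repo(repo_root: &Path, configured: &str) -> Result<PathBuf, PathError> {
    let candidate = Path::new(configured);
    let mut relative = PathBuf::new();
    for comp in candidate.components() {
        match comp {
            Component::Normal(part) => relative.push(part),
            Component::CurDir => {}
            // `..`, a leading `/` and Windows drive prefixes can all leave the
            // root, so they are refused outright rather than normalized away.
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => {
                return Err(PathError::Escapes(candidate.to_path_buf()));
            }
        }
    }
    // The lexical check above does not see symlinks: canonicalize both sides
    // and confirm the real target is still under the real repository root.
    let root = fs::canonicalize(repo_root)?;
    let real = fs::canonicalize(root.join(&relative))?;
    if !real.starts_with(&root) {
        return Err(PathError::Escapes(real));
    }
    Ok(real)
}
```

Only a path returned by `resolve_within_repo` should ever be handed to the code that reads and prints lines.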
### Patches
Fixed in 0.1.7. Upgrade to 0.1.7 or later to incorporate the patch.
### Workarounds
Do not run `shame next` against untrusted `shamefile.yaml`. Use `shame me --dry-run` for CI validation.
### Resources
- Patch commit: https://github.com/BKDDFS/shamefile/commit/77b0aeea318503582818c708518c601fedc43557
- Pull request: https://github.com/BKDDFS/shamefile/pull/80
- Release: https://github.com/BKDDFS/shamefile/releases/tag/v0.1.7
- [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](https://cwe.mitre.org/data/definitions/22.html)
Affected packages
- shamefile (ecosystem: crates.io), fixed in 0.1.7. Upgrade shamefile to 0.1.7 or newer.
References
- https://github.com/BKDDFS/shamefile/security/advisories/GHSA-x6p3-76f2-xxvh [WEB]
- https://github.com/BKDDFS/shamefile/pull/80 [WEB]
- https://github.com/BKDDFS/shamefile/commit/77b0aeea318503582818c708518c601fedc43557 [WEB]
- https://github.com/BKDDFS/shamefile [PACKAGE]
- https://github.com/BKDDFS/shamefile/releases/tag/v0.1.7 [WEB]