"Path is outside SIP root" false positive #63

New issue

Closed

opened 2026-04-15 12:57:43 +00:00 by scossu · 0 comments

scossu commented 2026-04-15 12:57:43 +00:00

Owner

Copy link

Following instructions on https://pkar-doc.knowledgetx.com/test_drive/ , inside a pre-packaged PKAR container:

pkar deposit /usr/local/lib/luarocks/rocks-5.4/pocket_archive/1.0.0rc-1/examples/sip/pkar_submission-postcard.csv

generates the "Path is outside SIP root" error. This error is generated by the path validation step that prevents ../ exploits, but it is clearly not behaving correctly here.

Conversely,

cd /usr/local/lib/luarocks/rocks-5.4/pocket_archive/1.0.0rc-1/examples/sip
pkar deposit pkar_submission-postcard.csv

works.

• Amend documentation to use workaround.
• Fix path check logic.

Following instructions on https://pkar-doc.knowledgetx.com/test_drive/ , inside a pre-packaged PKAR container: ``` pkar deposit /usr/local/lib/luarocks/rocks-5.4/pocket_archive/1.0.0rc-1/examples/sip/pkar_submission-postcard.csv ``` generates the "Path is outside SIP root" error. This error is generated by the path validation step that prevents `../` exploits, but it is clearly not behaving correctly here. Conversely, ``` cd /usr/local/lib/luarocks/rocks-5.4/pocket_archive/1.0.0rc-1/examples/sip pkar deposit pkar_submission-postcard.csv ``` works. - [x] Amend documentation to use workaround. - [x] Fix path check logic.

scossu added the

area/submission

t

bug

p

high

area/security

labels 2026-04-15 12:57:43 +00:00

scossu referenced this issue from a pull request that will close it, 2026-04-15 13:33:15 +00:00

Fix submission path check. #64

scossu 2026-04-15 13:33:26 +00:00

• closed this issue
• added the
  s
  done
  label

scossu added this to the v1.0.0 milestone 2026-04-15 13:34:04 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

test

v1.0rc2

v1.0rc1

v1.0b13

v1.0b12

v1.0b11

v1.0b10

v1.0b9

v1.0b8

v1.0b7

v1.0b6

v1.0b5

v1.0b4

v1.0b3

v1.0b2

v1.0b1

v1.0a9

v1.0a8

v1.0a7

v1.0a6

v1.0a5

v1.0a4

v1.0a3

v1.0a2

v1.0a1

v1.0a0

Labels

Clear labels   

area/api

  

area/content_model

  

area/framework

  

area/infrastructure

  

area/io

  

area/presentation

  

area/preservation

  

area/rdf

  

area/security

  

area/submission

  

area/ui

  

s

blocked

  

s

done

  

s

progress

  

s

testing

  

s

wontfix

  

p

critical

A major malfunction, data corruption, or missing critical feature. It SHOULD be in the current milestone and SHOULD be resolved ASAP, and a new release cut immediately after fixing.

  

p

high

A bug that causes significant disruption or missing or incomplete feature that impairs basic workflows. It MUST be in a milestone.

  

p

low

A bugfix or enhamcement request that does not affect normal usage significantly. It MAY be in a milestone.

  

p

normal

A bug or missing feature that causes some disruption or forces annoying workarounds. It SHOULD be in a milestone.

  

t

bug

  

t

documentation

  

t

enhancement

  

t

feature

  

t

test

No labels

area/api

area/content_model

area/framework

area/infrastructure

area/io

area/presentation

area/preservation

area/rdf

area/security

area/submission

area/ui

s

blocked

s

done

s

progress

s

testing

s

wontfix

p

critical

p

high

p

low

p

normal

t

bug

t

documentation

t

enhancement

t

feature

t

test

Milestone

Clear milestone

No items

No milestone

v1.0.0

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

ktx/pocket_archive#63

No description provided.