← Back to issue list

Directory traversal issue when organizing a part

View original Github issue

Metadata

Project
craft-parts
Number
#1525
Type
issue
State
open
Author
lengau
Labels
Status: Triaged Type: Bug
Created
2026-03-31 14:00:50+00:00
Updated
2026-04-25 07:49:52+00:00
Closed

Current evaluation

No evaluation has been recorded for this issue yet.

Issue body

### Bug Description When organizing a part, it's possible to organize from any directory, not just subdirectories of the install directory. ### To Reproduce Run `python -m craft_parts` on the parts.yaml file below. Note how the contents of `/etc/apt` get placed into the prime directory. It's also possible to use directory traversal strings to get a relative directory. ### part yaml ```shell parts: a: plugin: nil organize: /etc/apt: '' ``` ### Relevant log output ```shell DEBUG:craft_parts.packages:get repository attribute: attr=configure, repository:<class 'craft_parts.packages.deb.Ubuntu'> DEBUG:craft_parts.utils.os_utils:is_snap: False, SNAP_NAME set to None DEBUG:craft_parts.sequencer:process a:1 DEBUG:craft_parts.sequencer:add action a:1(0) DEBUG:craft_parts.sequencer:process a:2 DEBUG:craft_parts.sequencer:add action a:2(0) DEBUG:craft_parts.sequencer:process a:3 DEBUG:craft_parts.sequencer:add action a:3(0) DEBUG:craft_parts.sequencer:process a:4 DEBUG:craft_parts.sequencer:add action a:4(0) DEBUG:craft_parts.sequencer:process a:5 DEBUG:craft_parts.sequencer:add action a:5(0) INFO:craft_parts.executor.executor:Installing build-packages DEBUG:craft_parts.packages:get repository attribute: attr=install_packages, repository:<class 'craft_parts.packages.deb.Ubuntu'> DEBUG:craft_parts.executor.executor:verify plugin environment for part 'a' DEBUG:craft_parts.packages:set repository attribute: attr=stage_packages_filters, value=None, repo:<class 'craft_parts.packages.deb.Ubuntu'> Execute: Pull a DEBUG:craft_parts.executor.executor:execute action a:Action(part_name='a', step=Step.PULL, action_type=ActionType.RUN, reason=None, project_vars=ProjectVarInfo(root={}), properties=ActionProperties(changed_files=None, changed_dirs=None)) Execute: Overlay a DEBUG:craft_parts.executor.executor:execute action a:Action(part_name='a', step=Step.OVERLAY, action_type=ActionType.RUN, reason=None, project_vars=ProjectVarInfo(root={}), properties=ActionProperties(changed_files=None, changed_dirs=None)) Execute: Build a DEBUG:craft_parts.executor.executor:execute action a:Action(part_name='a', step=Step.BUILD, action_type=ActionType.RUN, reason=None, project_vars=ProjectVarInfo(root={}), properties=ActionProperties(changed_files=None, changed_dirs=None)) DEBUG:craft_parts.state_manager.states:load state file: /home/lengau/Work/Code/craft-parts/parts/a/state/pull DEBUG:craft_parts.packages:get repository attribute: attr=unpack_stage_packages, repository:<class 'craft_parts.packages.deb.Ubuntu'> DEBUG:craft_parts.executor.part_handler:remove directory /home/lengau/Work/Code/craft-parts/parts/a/build DEBUG:craft_parts.executor.step_handler:Executing PosixPath('/home/lengau/Work/Code/craft-parts/parts/a/run/build.sh') DEBUG:craft_parts.executor.part_handler:Run pre-organize callbacks DEBUG:craft_parts.packages:get repository attribute: attr=get_installed_packages, repository:<class 'craft_parts.packages.deb.Ubuntu'> DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/snaps HTTP/1.1" 200 None Execute: Stage a DEBUG:craft_parts.executor.executor:execute action a:Action(part_name='a', step=Step.STAGE, action_type=ActionType.RUN, reason=None, project_vars=ProjectVarInfo(root={}), properties=ActionProperties(changed_files=None, changed_dirs=None)) Execute: Prime a DEBUG:craft_parts.executor.executor:execute action a:Action(part_name='a', step=Step.PRIME, action_type=ActionType.RUN, reason=None, project_vars=ProjectVarInfo(root={}), properties=ActionProperties(changed_files=None, changed_dirs=None)) ```

Evaluation history

No evaluation history available.