GHSA-pmwq-pjrm-6p5r

Impact

What kind of vulnerability is it? Who is impacted?

in-toto-golang and in-toto-python both support glob patterns in artifact rules to indicate the artifacts that a rule applies to. Both support negations in character classes to indicate what should not be matched, but they used different operators to indicate the negation. in-toto-python uses ! while in-toto-golang used ^. A layout authored with the expectations of one implementation can therefore exhibit different behavior in the other implementation.

This impacts users in a specific set of circumstances where two different implementations are used to verify the same layout + attestation bundle at different stages of the same pipeline. As a rule of thumb, we advise using a single implementation across all aspects of a pipeline, from layout creation to pipeline execution and verification to prevent this class of bugs.

Patches

Has the problem been patched? What versions should users upgrade to?

in-toto-golang has been updated to use ! instead of ^ to indicate negation. See https://github.com/in-toto/in-toto-golang/pull/462. This is part of v0.11.0.