fix(deps): update module github.com/cyphar/filepath-securejoin to v0.3.1

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/cyphar/filepath-securejoin	v0.3.0 -> v0.3.1

---

Release Notes

cyphar/filepath-securejoin (github.com/cyphar/filepath-securejoin)

v0.3.1

Compare Source

• By allowing Open(at)InRoot to opt-out of the extra work done by MkdirAll
  to do the necessary "partial lookups", Open(at)InRoot now does less work
  for both implementations (resulting in a many-fold decrease in the number of
  operations for openat2, and a modest improvement for non-openat2) and is
  far more guaranteed to match the correct openat2(RESOLVE_IN_ROOT)
  behaviour.

• We now use readlinkat(fd, "") where possible. For Open(at)InRoot this
  effectively just means that we no longer risk getting spurious errors during
  rename races. However, for our hardened procfs handler, this in theory should
  prevent mount attacks from tricking us when doing magic-link readlinks (even
  when using the unsafe host /proc handle). Unfortunately Reopen is still
  potentially vulnerable to those kinds of somewhat-esoteric attacks.

  Technically this will only work on post-2.6.39 kernels
  but it seems incredibly unlikely anyone is using filepath-securejoin on a
  pre-2011 kernel.

• Several improvements were made to the errors returned by Open(at)InRoot and
  MkdirAll when dealing with invalid paths under the emulated (ie.
  non-openat2) implementation. Previously, some paths would return the wrong
  error (ENOENT when the last component was a non-directory), and other paths
  would be returned as though they were acceptable (trailing-slash components
  after a non-directory would be ignored by Open(at)InRoot).

  These changes were done to match openat2's behaviour and purely is a
  consistency fix (most users are going to be using openat2 anyway).

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[Luap99]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Luap99, renovate[bot]

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Luap99]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment