deps: Update dependency Zio to 0.22.2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
Zio	0.16.2 → 0.22.2

---

Zio has SubFileSystem Path Confinement Bypass via Unresolved .. Segment

GHSA-h39g-6x3c-7fq9

More information

Details

Summary

SubFileSystem fails to confine operations to its declared sub path when the input path is /../ (or equivalents /../, /..\\). This path passes all validation but resolves to the root of the parent filesystem, allowing directory level operations outside the intended boundary.

Affected Component

Zio.UPath.ValidateAndNormalize
Zio.FileSystems.SubFileSystem

UPath.ValidateAndNormalize has a trailing slash optimisation.

if (!processParts && i + 1 == path.Length)
    return path.Substring(0, path.Length - 1);

When the input ends with / or \, and processParts is still false, the function strips the trailing separator and returns immediately before the .. resolution logic runs. The input /../ triggers this path: the trailing / is the last character, processParts has not been set (because .. as the first relative segment after root is specifically exempted), so the function returns /.. with the .. segment unresolved.

The resulting UPath with FullName = "/.." is absolute, contains no control characters, and no colon so it passes FileSystem.ValidatePath without rejection.

When this path reaches SubFileSystem.ConvertPathToDelegate:

protected override UPath ConvertPathToDelegate(UPath path)
{
    var safePath = path.ToRelative();     // "/..".ToRelative() = ".."
    return SubPath / safePath;            // "/jail" / ".." = "/"  (resolved by Combine)
}

The delegate filesystem receives / (the root) instead of a path under /jail.

Proof of Concept

using Zio;
using Zio.FileSystems;

var root = new MemoryFileSystem();
root.CreateDirectory("/sandbox");
var sub = new SubFileSystem(root, "/sandbox");

Console.WriteLine(sub.DirectoryExists("/../"));           // True (sees parent root)
Console.WriteLine(sub.ConvertPathToInternal("/../"));     // "/" (parent root path)

Impact

The escape is limited to directory level operations because appending a filename after .. (e.g., /../file.txt) causes normal .. resolution to trigger, which correctly rejects the path as going above root. Only the bare terminal /../ (which strips to /..) survives. This means that exploitability is limited, and this vulnerability does not escalate to file read/write.

Severity

• CVSS Score: 3.8 / 10 (Low)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

References

• https://github.com/xoofx/zio/security/advisories/GHSA-h39g-6x3c-7fq9
• https://github.com/xoofx/zio/commit/c8c2f5328e50c1e7ab8c5c405fe70e0bd35f4782
• https://github.com/xoofx/zio/releases/tag/0.22.2
• https://github.com/advisories/GHSA-h39g-6x3c-7fq9

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

xoofx/zio (Zio)

v0.22.2

Compare Source

Changes

✨ New Features

• Add instructions (803ed28)

🐛 Bug Fixes

• Fixes SubFileSystem Path Confinement Bypass via Unresolved .. Segment (advisory GHSA-h39g-6x3c-7fq9)

🧰 Misc

• Migrate tests from xUnit to MSTest v4 (40d27cb)
• Update to net10.0 (287a781)
• Merge commit from fork (c8c2f53)

Full Changelog: 0.22.1...0.22.2

_{Published with dotnet-releaser}

v0.22.1

Compare Source

Changes

🐛 Bug Fixes

• Fix ZIP external attributes on move actions (PR #​104) by @​GerardSmit

Full Changelog: 0.22.0...0.22.1

_{Published with dotnet-releaser}

v0.22.0

Compare Source

Changes

🐛 Bug Fixes

• Fix leading slash in ZIP archive (PR #​103) by @​GerardSmit

Full Changelog: 0.21.3...0.22.0

_{Published with dotnet-releaser}

v0.21.3

Compare Source

Changes

🐛 Bug Fixes

• Fix resolve for aggregate file systems (b68c2f1)
• Fix warning (936c0e0)

📚 Documentation

• Update readme.md (PR #​101) by @​Mertsch

🧰 Misc

• Migrate to slnx and central package (382fb7f)
• Try fixing ci (ab07d69)
• Remove parallel tests with xUnit (e7c26be)
• Update CI with .NET 10.0 (fa1ac45)

Full Changelog: 0.21.2...0.21.3

_{Published with dotnet-releaser}

v0.21.2

Compare Source

Changes

🐛 Bug Fixes

• Fix AggregateFileSystem.ResolvePath for directory (b1ddd81)

Full Changelog: 0.21.1...0.21.2

_{Published with dotnet-releaser}

v0.21.1

Compare Source

Changes

🐛 Bug Fixes

• Fix cross filesystem copy / ResolvePath for AggregateFileSystem (4243fdb)

Full Changelog: 0.21.0...0.21.1

_{Published with dotnet-releaser}

v0.21.0

Compare Source

Changes

🚨 Breaking Changes

• Breaking change: remove support for net4.6.2 (456f9d9)

🧰 Maintenance

• Fix ci with net8.0 (6dcdbf5)

🧰 Misc

• Change Fallback & FallbackSafe to be public (PR #​100) by @​LuxTheDude

Full Changelog: 0.20.0...0.21.0

_{Published with dotnet-releaser}

v0.20.0

Compare Source

Changes

🚀 Enhancements

• Reduce allocations in .NET 9 (PR #​97) by @​GerardSmit

Full Changelog: 0.19.2...0.20.0

_{Published with dotnet-releaser}

v0.19.2

Compare Source

Changes

🐛 Bug Fixes

• Fix rooted path without volume label regression on Windows (PR #​96) by @​Metapyziks

Full Changelog: 0.19.1...0.19.2

_{Published with dotnet-releaser}

v0.19.1

Compare Source

Changes

🐛 Bug Fixes

• Fix cross-filesystem operations in MountFileSystem (PR #​95) by @​GerardSmit

Full Changelog: 0.19.0...0.19.1

_{Published with dotnet-releaser}

v0.19.0

Compare Source

Changes

🚀 Enhancements

• Optimize cross-filesystem operations (PR #​94) by @​agocke

Full Changelog: 0.18.1...0.19.0

_{Published with dotnet-releaser}

v0.18.1

Compare Source

Changes

🐛 Bug Fixes

• Fix SubFileSystem watcher (sometimes) silently discarding events (PR #​92) by @​Metapyziks

🚀 Enhancements

• Refactor FileSystemWatcher tests to use ManualResetEvent (PR #​93) by @​Metapyziks

🧰 Misc

• Update readme.md (a4b9faf)

Full Changelog: 0.18.0...0.18.1

_{Published with dotnet-releaser}

v0.18.0

Compare Source

Changes

✨ New Features

• Add symlink support (PR #​85) by @​GerardSmit

🐛 Bug Fixes

• Fix Linux unit tests (PR #​87) by @​GerardSmit
• Fixed ZipArchiveFileSystem and project warnings (PR #​88) by @​GerardSmit

🚀 Enhancements

• Reduce allocations in UPath.Combine (PR #​89) by @​GerardSmit

Full Changelog: 0.17.1...0.18.0

_{Published with dotnet-releaser}

v0.17.1

Compare Source

Changes

✨ New Features

• Add nuget.org only config (7b5b5f5)

🐛 Bug Fixes

• Fix changing directory times (PR #​84) by @​GerardSmit

🧰 Maintenance

• Update ci.yml with nuget config (5dd3e2a)

🏭 Tests

• Update tests to .NET 8 (a563d0c)

🧰 Misc

• Improve Code Quality (PR #​80) by @​iamcarbon
• Update readme (de506be)
• Update readme about net7.0 SDK (468c5e8)
• Update readme.md (ae0b1ca)

Full Changelog: 0.17.0...0.17.1

_{Published with dotnet-releaser}

v0.17.0

Compare Source

Changes

🚀 Enhancements

• Use file-scoped namespaces (PR #​73) by @​iamcarbon
• UPath performance improvements (PR #​77) by @​bollhals

🧰 Misc

• Update to net7.0 (b7b5f2f)
• Remove support for net40 net45 (99c16ec)

Full Changelog: 0.16.2...0.17.0

_{Published with dotnet-releaser}

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: src/ChangeLog/packages.lock.json, src/ChangeLog.Test/packages.lock.json, utilities/docs/packages.lock.json, utilities/schema/packages.lock.json

8.0.100 [/opt/containerbase/tools/dotnet/sdk]