ZIO-HTTP Security Audit #14418
Annotations
2 errors
Resource not accessible by integration
{
name: 'HttpError',
id: '6729261433',
status: 403,
response: {
url: 'https://api.github.com/repos/zio/zio-http/releases',
status: 403,
headers: {
'access-control-allow-origin': '*',
'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
connection: 'close',
'content-encoding': 'gzip',
'content-security-policy': "default-src 'none'",
'content-type': 'application/json; charset=utf-8',
date: 'Thu, 02 Nov 2023 06:52:12 GMT',
'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
server: 'GitHub.com',
'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
'transfer-encoding': 'chunked',
vary: 'Accept-Encoding, Accept, X-Requested-With',
'x-accepted-github-permissions': 'contents=write',
'x-content-type-options': 'nosniff',
'x-frame-options': 'deny',
'x-github-api-version-selected': '2022-11-28',
'x-github-media-type': 'github.v3; format=json',
'x-github-request-id': '7006:766C:C9FD04:D19510:6543471B',
'x-ratelimit-limit': '1000',
'x-ratelimit-remaining': '990',
'x-ratelimit-reset': '1698911429',
'x-ratelimit-resource': 'core',
'x-ratelimit-used': '10',
'x-xss-protection': '0'
},
data: {
message: 'Resource not accessible by integration',
documentation_url: 'https://docs.github.com/rest/releases/releases#create-a-release'
}
},
request: {
method: 'POST',
url: 'https://api.github.com/repos/zio/zio-http/releases',
headers: {
accept: 'application/vnd.github.v3+json',
'user-agent': 'probot/12.2.5 octokit-core.js/3.5.1 Node.js/16.20.2 (linux; x64)',
authorization: 'token [REDACTED]',
'content-type': 'application/json; charset=utf-8'
},
body: '{"target_commitish":"refs/pull/2483/merge","name":"v3.0.0 🌈","tag_name":"v3.0.0","body":"## Changes\\n\\n- Update zio-schema, zio-schema-json, ... to 0.4.15 @scala-steward (#2501)\\n- CLI uses description annotation from zio-schema @jorge-vasquez-2301 (#2499)\\n\\n## 🐛 Bug Fixes\\n\\n- Trying to fix publishing @vigoo (#2495)\\n\\n## 🧰 Maintenance\\n\\n- Trying to fix publishing @vigoo (#2495)\\n","draft":true,"prerelease":false,"make_latest":"true"}',
request: {}
},
|
HttpError: Resource not accessible by integration
at /home/runner/work/_actions/release-drafter/release-drafter/v5/dist/index.js:8462:21
at processTicksAndRejections (node:internal/process/task_queues:96:5)
at async Job.doExecute (/home/runner/work/_actions/release-drafter/release-drafter/v5/dist/index.js:30793:18)
{
name: 'AggregateError',
event: {
id: '6729261433',
name: 'pull_request',
payload: {
action: 'edited',
changes: {
body: {
from: 'wip issue #1535\r\n' +
'\r\n' +
'## Coverage\r\n' +
'1. DotDotSlash attack (passed)\r\n' +
'2. Symlink attack (passed)\r\n' +
'3. Encoded url attack (passed)\r\n' +
'\r\n' +
'## Improvements\r\n' +
'1. `java.nio` can be used instead of `java.io` in staticServe middleware. You can find the key differences [here](https://www.baeldung.com/java-io-vs-nio)\r\n' +
'\r\n' +
'## Sources\r\n' +
'1. [owasp](https://owasp.org/www-community/attacks/Path_Traversal)\r\n' +
'2. [Burp Academy](https://portswigger.net/web-security/file-path-traversal)\r\n' +
'3. [DotDotSlash](https://github.com/jcesarstef/dotdotslash/blob/master/match.py)\r\n' +
'\r\n' +
'## Todo\r\n' +
'- [X] Creating a test suite for static file serving. The test suite should verify that it is impossible to escape the sandbox in which local files are being served, even in the presence of OS-specific symlinks (etc.).\r\n' +
'- [ ] Creating various tests for any case in which potential user-data is \r\n' +
'turned into HTTP headers, cookies, content, etc. For example, `HttpError` turns (potentially user-defined) strings into content that is ultimately embedded into the response. This allows various security exploits such as XSS, which must be prevented through appropriate escaping. The tests should attempt to embed malicious data into the construction of errors, headers, responses, etc., and should demonstrate appropriate escape mechanisms are utilized to prevent these exploits.\r\n' +
'- [ ] Creating a test suite that verifies any authentication code that ships with ZIO HTTP is not vulnerable to [[timing attacks](https://en.wikipedia.org/wiki/Timing_attack)](https://en.wikipedia.org/wiki/Timing_attack). ZIO 2 has a data type called `zio.Config.Secret` that can be used to hold passwords, keys, etc., which can prevent timing attacks.\r\n' +
'- [ ] Creating a test suite that attempts to crash the server (OOME) by generating extremely large: infinite URLs, infinite individual headers (e.g. `Content-type: application/sjkldjfklsjdflkjsdkfljsdfljsdfk....`), infinite total headers (each of which is small), infinite request bodies; infinite multi-part forms, etc.; and demonstrating that user-configurable limits on all of these are exposed and available and have reasonable defaults such that an out-of-the-box server is reasonably secure.\r\n' +
'- [ ] Creating a test suite that demonstrates any built-in ZIO HTTP exception types do not leak stack trace or other sensitive information in HTTP responses.\r\n' +
'- [ ] Creating a test suite designed to exercise any metrics that are built into ZIO HTTP, and verifying that it is not possible to run out of memory by, e.g., generating infinite URLs, infinite content types, etc.'
},
title: { from: 'feat: test suite for static file server' }
},
number: 2483,
organization: {
avatar_url: 'https://avatars.githubusercontent.com/u/49655448?v=4',
description: 'ZIO — Real World Functional Programming',
events_url: 'https://api.github.com/orgs/zio/events',
hooks_url: 'https://api.github.com/orgs/zio/hooks',
id: 49655448,
issues_url: 'https://api.github.com/orgs/zio/issues',
login: 'zio',
members_url: 'https://api.github.com/orgs/zio/members{/member}',
node_id: 'MDEyOk9yZ
|
The logs for this run have expired and are no longer available.