Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

fix: clean template destination path forpull#12559

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
dannykopping merged 9 commits intocoder:mainfromdannykopping:dk/template-pull-path
Mar 14, 2024

Conversation

dannykopping
Copy link
Contributor

@dannykoppingdannykopping commentedMar 12, 2024
edited
Loading

Fixes#10281

Cleaning the path and making it absolute causes the path to not be seen asunsafe by the underlying library.

Note to reviewer: this PR obviates the need forTestTemplatePull_ToImplicit.
It made sense to me to merge them together, but you may want to keep them separate; I'm easy either way.

Side-note: I was testing to see if I could inject problematic template names like--help and ended up finding a CLI bug:#12575

@dannykoppingdannykopping marked this pull request as ready for reviewMarch 13, 2024 07:52
Copy link
Member

@mtojekmtojek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

LGTM, but please wait for review from Mathias 👍

}

if dest != clean {
cliui.Warn(inv.Stderr, fmt.Sprintf("cleaning destination path from %s to %s", dest, clean))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

nit: I wouldn't warn users here, it the tool can fix the path then we don't need to them

mafredri reacted with thumbs up emoji
Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I was thinking this process of cleaning the dir might cause unexpected results, but on reflection I think you're right; I've removed it.

clean, err := filepath.Abs(filepath.Clean(dest))
if err != nil {
cliui.Error(inv.Stderr, fmt.Sprintf("cleaning destination path %s failed: %q", dest, err))
return err
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Could this be anxerrors.Errorf("lookup of absolute path failed ...: %w") instead of the manual cliui error call? I'd expect the error to be printed twice this way.

dannykopping reacted with thumbs up emoji
dir := t.TempDir()
wd, err := os.Getwd()
require.NoError(t, err)
err = os.Chdir(dir)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

How do these tests actually work with chdir removed? The files will be created inside the repo since we're not in the tmpdir, right?

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

It pulls into thegivenPath:

inv,root:=clitest.New(t,"templates","pull",template.Name,tc.givenPath)

AFAICS it's functionally equivalent

Copy link
Member

@mafredrimafredriMar 13, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

If the given path is relative, won't it be relative to the Go process, i.e. the test which is running incoder/cli directory? Thus it'll store files in there instead of tmp.

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

You're correct! I added these two lines to account for that in the last commit:

newWD:=t.TempDir()require.NoError(t,os.Chdir(newWD))

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

You also need to restore the wd after the test has ended, otherwise it could break other tests.

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Oooh good point!

Copy link
ContributorAuthor

@dannykoppingdannykopping left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

@mafredri@mtojek responded, thank you for your reviews!

}

if dest != clean {
cliui.Warn(inv.Stderr, fmt.Sprintf("cleaning destination path from %s to %s", dest, clean))
Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I was thinking this process of cleaning the dir might cause unexpected results, but on reflection I think you're right; I've removed it.

dir := t.TempDir()
wd, err := os.Getwd()
require.NoError(t, err)
err = os.Chdir(dir)
Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

It pulls into thegivenPath:

inv,root:=clitest.New(t,"templates","pull",template.Name,tc.givenPath)

AFAICS it's functionally equivalent

Copy link
Member

@mafredrimafredri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

A few more things but once those are fixed I think this is good to go. Thanks for tackling this issue!

@@ -230,118 +230,111 @@ func TestTemplatePull_LatestStdout(t *testing.T) {

// ToDir tests that 'templates pull' pulls down the active template
// and writes it to the correct directory.
//
// nolint: tparallel // The subtests cannot be run in parallel; see the inner loop.
func TestTemplatePull_ToDir(t *testing.T) {
t.Parallel()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

We'll need to remove this parallel now that we're doing chdir again.

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Note that this istparallel notparalleltest.

Copy link
Member

@mafredrimafredriMar 14, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I wasn't referring to linting. A test that modifies the environment of the process (e.g. setenv or chdir) can't be parallel or have parallel ancestors.

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

OH you're completely right!

templateAdmin, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID, rbac.RoleTemplateAdmin())
t.Cleanup(func() {
_ = os.RemoveAll(tc.givenPath)
_ = os.RemoveAll(expectedDest)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

We could perhaps combine these and chdir into a single cleanup? Or perhaps even better would be to implementtestutil.Chdir since it's something we do every now and a then.

dannykopping reacted with thumbs up emoji
},
{
name: "directory traversal is acceptable",
givenPath: "../mytmpl",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I suppose this write is outside the test tmpdir? Perhaps we should increase the depth down below (pseudonewWD := filepath.Join(t.TempDir(), "work"); mkdir(newWD))?

@dannykopping
Copy link
ContributorAuthor

dannykopping commentedMar 14, 2024
edited
Loading

@mafredri I took a slightly different approach in9d035e3 which is a bit cleaner. Please let me know what you think.

Signed-off-by: Danny Kopping <danny@coder.com>
Signed-off-by: Danny Kopping <danny@coder.com>
Signed-off-by: Danny Kopping <danny@coder.com>
Signed-off-by: Danny Kopping <danny@coder.com>
…s broke a testSigned-off-by: Danny Kopping <danny@coder.com>
Signed-off-by: Danny Kopping <danny@coder.com>
Signed-off-by: Danny Kopping <danny@coder.com>
cleanup; t.Cleanup is ordered by last-added-first-called.Signed-off-by: Danny Kopping <danny@coder.com>
Copy link
Member

@mafredrimafredri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Found one last simplification, but otherwise LGTM! 😄

Co-authored-by: Mathias Fredriksson <mafredri@gmail.com>
@dannykoppingdannykoppingenabled auto-merge (squash)March 14, 2024 12:34
@dannykoppingdannykopping merged commit14130de intocoder:mainMar 14, 2024
@github-actionsgithub-actionsbot locked and limited conversation to collaboratorsMar 14, 2024
@dannykoppingdannykopping deleted the dk/template-pull-path branchMarch 14, 2024 12:59
Sign up for freeto subscribe to this conversation on GitHub. Already have an account?Sign in.
Reviewers

@mafredrimafredrimafredri approved these changes

@mtojekmtojekmtojek approved these changes

Assignees

@dannykoppingdannykopping

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

The coder template pull command fails with a relative path starting with.
3 participants
@dannykopping@mafredri@mtojek
[8]ページ先頭
©2009-2025 Movatter.jp