Fix URLs for needles in subdirectories (POO #58959) #2456
Conversation
I'm not sure what the right way to test this would be. I don't know exactly where in the existing tests we can exercise it...
That test failure doesn't look like it has anything to do with this code...
Thanks for taking care of the problem. This is indeed something I've overlooked.
The test cases for this route are hidden within a UI test: https://github.com/os-autoinst/openQA/blob/master/t/ui/07-file.t#L64. So it would be good to extend this subtest. The case that somebody tries to sneak out of the directory using
@AdamWill with the current tests failing in https://circleci.com/gh/os-autoinst/openQA/4088?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-build-link and https://circleci.com/gh/os-autoinst/openQA/4084?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-build-link we should not merge this. If you can manage to fix the tests I would merge to help you get a fix sooner rather than later.
I'm planning to add tests and consider the 'directory escape' case as @Martchus suggested anyway, so not expecting this to be merged yet. Will work on it today or tomorrow.
Looking at this again, I believe reverse directory traversal protection is already in place: that's what the block commented "make sure the directory of the file parameter is a real subdir of testcasedir" does, if you look at what the
c45b76d to e3141b3
so I poked this a bit more today. It turns out to be...a little messy. First off, I think Second, looking at the tests it becomes clear that some other stuff is broken for needles in subdirectories. You can't get the image and JSON for a needle that's in a subdirectory via I don't really want to rewrite the whole of this stuff right now, I probably don't understand all the ins and outs. This at least fixes the observed problem on Fedora for now.
Given that this is icky, I'm willing to consider the possibility that maybe we should just stop allowing needles in subdirectories. Splitting the Fedora needles up into subdirectories wasn't my idea and I'm really not convinced it's useful. We could just merge all the Fedora needles back into a single directory again, it shouldn't be difficult (there are no name conflicts because we already figured out that openQA is confused by two needles in different subdirectories with the same file name). |
e3141b3 to 729562c
well damnit, we can't use
As discussed in the POO, this was broken by PR os-autoinst#2410 commit 36aa974 - it assumes you can always find a needle simply by sticking the needle filename on the end of a `needledir` call, but you can't, needles are allowed to be in subdirectories of needledir. This should hopefully fix that without breaking the custom run case by using the *whole* of the JSON file path - we just figure out the subdirectory component from it. This works for me in the 'needle is in a subdirectory of the normal needle dir' case, but I didn't test it in the custom run case. Signed-off-by: Adam Williamson <awilliam@redhat.com>
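As an added example (not openQA's own code) of the two points raised above, the 'directory escape' test case and deriving the subdirectory component from the whole JSON file path instead of appending a file name to `needledir`, here is a containment check over a constructed needle layout; the directory path and needle names are assumptions:

```python
from pathlib import Path

# Constructed sample layout (not openQA's real data): one needle at top level,
# and two needles sharing a file name in different subdirectories.
NEEDLEDIR = "/var/lib/openqa/share/tests/fedora/needles"
SAMPLE_NEEDLES = [
    "anaconda_main_hub-20190101.json",
    "installer/anaconda_main_hub-20190101.json",
    "desktop/gnome/login-20190101.json",
]

def needle_subdir(needledir, json_path):
    """Return the subdirectory of needledir holding the needle's JSON file.

    Relative paths are taken relative to needledir; '..' components and
    symlinks are normalised before the containment check, so a path that
    resolves outside needledir (a 'directory escape') raises ValueError.
    Returns '' for a needle directly in needledir.
    """
    base = Path(needledir).resolve()
    candidate = Path(json_path)
    target = (candidate if candidate.is_absolute() else base / candidate).resolve()
    try:
        rel = target.relative_to(base)
    except ValueError:
        raise ValueError(f"{json_path!r} resolves outside {needledir!r}") from None
    if rel == Path(".") or rel.suffix != ".json":
        raise ValueError(f"{json_path!r} is not a needle JSON file")
    sub = rel.parent.as_posix()
    return "" if sub == "." else sub

def needle_files(needledir, json_path):
    """Return (json, png) paths relative to needledir, keeping the subdirectory
    so the image is looked up beside its JSON, not at needledir/<name>.png."""
    sub = needle_subdir(needledir, json_path)
    prefix = f"{sub}/" if sub else ""
    name = Path(json_path).stem
    return f"{prefix}{name}.json", f"{prefix}{name}.png"

def accepts_needle(needledir, json_path):
    """True if json_path passes the containment check, False otherwise."""
    try:
        needle_subdir(needledir, json_path)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for p in SAMPLE_NEEDLES:
        print(p, "->", needle_files(NEEDLEDIR, p))
    # Constructed escape attempts that the check must reject.
    for bad in ["../../../etc/passwd", "installer/../../secret.json"]:
        print(bad, "accepted:", accepts_needle(NEEDLEDIR, bad))
```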
729562c to 19556ef
Codecov Report (coverage diff, master vs. #2456)

             master     #2456     +/-
  Coverage   87.16%    87.16%   +<.01%
  Files         169       169
  Lines       11092     11103     +11
  Hits         9668      9678     +10
  Misses       1424      1425      +1
Looks all good to me now :)