restrict allowable paths for bundle dir input #399
Conversation
Pull Request Test Coverage Report for Build 1302
💛 - Coveralls |
SaravShah
force-pushed
the
path_validation_bundle_dir
branch
from
86f3dd3
to
1438e99
Compare
|
List looks correct. |
There was a problem hiding this comment.
not sure whether we want to treat the dir listing as sensitive info. guessing probably not.
still, i'd be more in favor of putting the development and test listing as a single entry in the base settings.yml (since it's the same for both envs), and then putting the production settings in production.yml in shared configs. the separate yml with env specific sections loaded by an initializer seems a little non-standard/circuitous, and i'm not sure i see the benefit.
retracting the above comment, as @atz and @SaravShah pointed out that there's some template rendering in order to get the paths set up for dev and test (i didn't notice that the config file is actually a .yml.erb, not a plain .yml).
spec/models/bundle_context_spec.rb
Outdated
| end | ||
|
|
||
| it 'not a sub dir of parent directories' do | ||
| expect { bc.bundle_dir = 'spec/../../' }.to change(bc, :valid?).to(false) |
There was a problem hiding this comment.
what about using 'spec/test_data/../../' instead? that way, the test path's first few segments would be valid were it not for the .. (and thus more plausible as an attack if we were being more naive about our path normalization and comparison).
SaravShah
force-pushed
the
path_validation_bundle_dir
branch
from
1438e99
to
f2e20d6
Compare
Hopefully i spelled all of the mounts here correctly
closes #387