New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
restrict allowable paths for bundle dir input #399
Conversation
Pull Request Test Coverage Report for Build 1302
💛 - Coveralls |
86f3dd3
to
1438e99
Compare
List looks correct. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not sure whether we want to treat the dir listing as sensitive info. guessing probably not.
still, i'd be more in favor of putting the development
and test
listing as a single entry in the base settings.yml
(since it's the same for both envs), and then putting the production settings in production.yml
in shared configs. the separate yml with env specific sections loaded by an initializer seems a little non-standard/circuitous, and i'm not sure i see the benefit.
retracting the above comment, as @atz and @SaravShah pointed out that there's some template rendering in order to get the paths set up for dev and test (i didn't notice that the config file is actually a .yml.erb
, not a plain .yml
).
spec/models/bundle_context_spec.rb
Outdated
end | ||
|
||
it 'not a sub dir of parent directories' do | ||
expect { bc.bundle_dir = 'spec/../../' }.to change(bc, :valid?).to(false) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what about using 'spec/test_data/../../'
instead? that way, the test path's first few segments would be valid were it not for the ..
(and thus more plausible as an attack if we were being more naive about our path normalization and comparison).
1438e99
to
f2e20d6
Compare
Hopefully i spelled all of the mounts here correctly
closes #387