fix(fs): remove regex path validation (#21871)
parent
c00732f262
commit
9f01274911
4 changed files with 7 additions and 25 deletions
|
@ -1,7 +1,7 @@
|
||||||
import is from '@sindresorhus/is';
|
import is from '@sindresorhus/is';
|
||||||
import { load } from 'js-yaml';
|
import { load } from 'js-yaml';
|
||||||
import { logger } from '../../../logger';
|
import { logger } from '../../../logger';
|
||||||
import { isValidLocalPath, readLocalFile } from '../../../util/fs';
|
import { readLocalFile } from '../../../util/fs';
|
||||||
import { trimLeadingSlash } from '../../../util/url';
|
import { trimLeadingSlash } from '../../../util/url';
|
||||||
import type {
|
import type {
|
||||||
ExtractConfig,
|
ExtractConfig,
|
||||||
|
@ -133,11 +133,6 @@ export async function extractAllPackageFiles(
|
||||||
while (filesToExamine.length > 0) {
|
while (filesToExamine.length > 0) {
|
||||||
const file = filesToExamine.pop()!;
|
const file = filesToExamine.pop()!;
|
||||||
|
|
||||||
if (!isValidLocalPath(file)) {
|
|
||||||
logger.debug(`Invalid gitlabci file path ${file}`);
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
|
|
||||||
const content = await readLocalFile(file, 'utf8');
|
const content = await readLocalFile(file, 'utf8');
|
||||||
if (!content) {
|
if (!content) {
|
||||||
logger.debug(`Empty or non existent gitlabci file ${file}`);
|
logger.debug(`Empty or non existent gitlabci file ${file}`);
|
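Review bot: With the `isValidLocalPath(file)` guard removed from the `while (filesToExamine.length > 0)` loop, every queued path goes straight to `readLocalFile(file, 'utf8')`, so containment depends entirely on what `readLocalFile` enforces, and that is not visible in this hunk. If that helper throws `FILE_ACCESS_VIOLATION_ERROR` for a path outside `localDir` (as `ensurePath` in the fs util appears to), one bad entry would abort the whole extraction, whereas the old code logged it and hit `continue`. Since this commit also drops the regex from the validator, the guard could stay as a pure base-directory check and preserve the skip-and-log behaviour; alternatively, catch the error around `readLocalFile` and `continue`. A spec case with a constructed include such as `../outside.yml` would pin whichever outcome is intended. The loop body continues beyond the end of the hunk.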
||||||
|
|
|
@ -1973,7 +1973,7 @@ describe('modules/manager/gomod/artifacts', () => {
|
||||||
).toBeNull();
|
).toBeNull();
|
||||||
expect(execSnapshots).toMatchObject([
|
expect(execSnapshots).toMatchObject([
|
||||||
{
|
{
|
||||||
cmd: 'go get -d -t . foo .bar/... cat',
|
cmd: "go get -d -t . foo .bar/... '&&' cat",
|
||||||
options: {
|
options: {
|
||||||
cwd: '/tmp/github/some/repo',
|
cwd: '/tmp/github/some/repo',
|
||||||
},
|
},
|
||||||
|
@ -2039,7 +2039,7 @@ describe('modules/manager/gomod/artifacts', () => {
|
||||||
newPackageFileContent: gomod1,
|
newPackageFileContent: gomod1,
|
||||||
config: {
|
config: {
|
||||||
...config,
|
...config,
|
||||||
goGetDirs: ['&&', '||'],
|
goGetDirs: ['/etc', '../../../'],
|
||||||
},
|
},
|
||||||
})
|
})
|
||||||
).toEqual([
|
).toEqual([
|
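Review bot: The new expectation `cmd: "go get -d -t . foo .bar/... '&&' cat"` shows that `&&` is now accepted as a `goGetDirs` entry and that safety rests on shell quoting alone, yet `&&` is the only metacharacter this spec exercises. The other characters the removed pattern used to reject (backtick, `|`, quotes, `<`, `>`, newline) have no quoting assertion here. Adding one or two such values to this fixture and asserting their quoted form in `execSnapshots` would catch a regression in the quoting layer. The rejection case in the second hunk now uses `goGetDirs: ['/etc', '../../../']`, which covers containment but no longer covers metacharacters.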
||||||
|
|
|
@ -64,14 +64,14 @@ describe('util/fs/util', () => {
|
||||||
${'./foo/..../bar'} | ${true}
|
${'./foo/..../bar'} | ${true}
|
||||||
${'./..'} | ${false}
|
${'./..'} | ${false}
|
||||||
${'\\foo'} | ${false}
|
${'\\foo'} | ${false}
|
||||||
${"foo'"} | ${false}
|
${"foo'"} | ${true}
|
||||||
${'fo"o'} | ${false}
|
${'fo"o'} | ${true}
|
||||||
${'fo&o'} | ${false}
|
${'fo&o'} | ${true}
|
||||||
${'f;oo'} | ${true}
|
${'f;oo'} | ${true}
|
||||||
${'f o o'} | ${true}
|
${'f o o'} | ${true}
|
||||||
${'/'} | ${false}
|
${'/'} | ${false}
|
||||||
${'/foo'} | ${false}
|
${'/foo'} | ${false}
|
||||||
${'&&'} | ${false}
|
${'&&'} | ${true}
|
||||||
${';'} | ${true}
|
${';'} | ${true}
|
||||||
${'./[foo]/bar'} | ${true}
|
${'./[foo]/bar'} | ${true}
|
||||||
`('isValidPath($value) == $expected', ({ value, expected }) => {
|
`('isValidPath($value) == $expected', ({ value, expected }) => {
|
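Review bot: The `isValidPath` table flips `foo'`, `fo"o`, `fo&o` and `&&` to `true` but has no row for the control characters the removed pattern also rejected (`\n`, `\r`, `\0`, `\b`). Those are the inputs most likely to behave differently further down, for example a newline splitting a log line or a NUL byte being refused by the Node fs layer with a different error. A row for each, with the intended result stated either way, would make the new contract explicit instead of leaving it implied by the regex's absence. The table starts above the hunk and the test body continues below it.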
||||||
|
|
|
@ -3,10 +3,6 @@ import { GlobalConfig } from '../../config/global';
|
||||||
import { FILE_ACCESS_VIOLATION_ERROR } from '../../constants/error-messages';
|
import { FILE_ACCESS_VIOLATION_ERROR } from '../../constants/error-messages';
|
||||||
import { logger } from '../../logger';
|
import { logger } from '../../logger';
|
||||||
|
|
||||||
// http://www.mtu.edu/umc/services/digital/writing/characters-avoid/
|
|
||||||
// We allow spaces, but not newlines
|
|
||||||
const restricted = /[#%&<>*?\b\n\r\0!'"|‘“^`]/;
|
|
||||||
|
|
||||||
function assertBaseDir(path: string, baseDir: string): void {
|
function assertBaseDir(path: string, baseDir: string): void {
|
||||||
if (!path.startsWith(baseDir)) {
|
if (!path.startsWith(baseDir)) {
|
||||||
logger.debug(
|
logger.debug(
|
||||||
|
@ -18,11 +14,6 @@ function assertBaseDir(path: string, baseDir: string): void {
|
||||||
}
|
}
|
||||||
|
|
||||||
function ensurePath(path: string, key: 'localDir' | 'cacheDir'): string {
|
function ensurePath(path: string, key: 'localDir' | 'cacheDir'): string {
|
||||||
if (restricted.test(path)) {
|
|
||||||
logger.debug({ path }, 'Preventing access to path with illegal characters');
|
|
||||||
throw new Error(FILE_ACCESS_VIOLATION_ERROR);
|
|
||||||
}
|
|
||||||
|
|
||||||
const baseDir = upath.resolve(GlobalConfig.get(key)!);
|
const baseDir = upath.resolve(GlobalConfig.get(key)!);
|
||||||
const fullPath = upath.resolve(
|
const fullPath = upath.resolve(
|
||||||
upath.isAbsolute(path) ? path : upath.join(baseDir, path)
|
upath.isAbsolute(path) ? path : upath.join(baseDir, path)
|
||||||
|
@ -43,10 +34,6 @@ export function isValidPath(
|
||||||
path: string,
|
path: string,
|
||||||
key: 'localDir' | 'cacheDir'
|
key: 'localDir' | 'cacheDir'
|
||||||
): boolean {
|
): boolean {
|
||||||
if (restricted.test(path)) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
const baseDir = upath.resolve(GlobalConfig.get(key)!);
|
const baseDir = upath.resolve(GlobalConfig.get(key)!);
|
||||||
const fullPath = upath.resolve(
|
const fullPath = upath.resolve(
|
||||||
upath.isAbsolute(path) ? path : upath.join(baseDir, path)
|
upath.isAbsolute(path) ? path : upath.join(baseDir, path)
|
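Review bot: With the `restricted` pattern gone, `assertBaseDir`'s `path.startsWith(baseDir)` is the only containment check left on the `ensurePath` route, and a plain string-prefix test also accepts a sibling directory whose name merely begins with the base directory's name (constructed example: base `/tmp/repo`, path `/tmp/repo-other/x`). Comparing on a separator boundary closes that gap, e.g. `if (path !== baseDir && !path.startsWith(baseDir + '/')) {`, with a special case if the base can ever resolve to `/`. The bodies of `assertBaseDir`, `ensurePath` and `isValidPath` extend beyond the visible hunks, so whether `isValidPath` uses the same prefix comparison cannot be confirmed from here. A short comment on `ensurePath` saying that character filtering was dropped deliberately and that callers building shell commands must quote would record the new contract.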
||||||
|
|