-
Notifications
You must be signed in to change notification settings - Fork 35
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
refactor(ntp-si): read asset list explicitly #1046
base: master
Are you sure you want to change the base?
Conversation
The ntp-si packaging logic had intimate knowledge of the internal format of `photo.json` in order to determine the set of assets to be included in the crx. This PR shifts that responsibility to `ntp-si-assets`, which as of brave/ntp-si-assets#1240 now publishes an additional file `assets.json` explicitly containing the list of files to be packaged. [example](https://mobile-data.s3.brave.com/GB/desktop/assets.json) This is a pre-req for rich NTTs, which will have a wider variety of assets. That isn't implemented server-side yet: this change is in preparation for reducing the number of places that are impacted when it is. So currently there should be no visible difference with this change: it's a pure refactor. Re #1039
and while I was there I realised I need to ensure subdirectories exist, if needed
} | ||
|
||
const validateTargetPath = (rootPath, targetPath) => { | ||
const resolvedRoot = path.resolve(rootPath) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
reported by reviewdog 🐶
[semgrep] Detected possible user input going into a path.join
or path.resolve
function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
Source: https://semgrep.dev/r/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
Cc @thypon @kdenhartog
|
||
const validateTargetPath = (rootPath, targetPath) => { | ||
const resolvedRoot = path.resolve(rootPath) | ||
const resolvedTarget = path.resolve(targetPath) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
reported by reviewdog 🐶
[semgrep] Detected possible user input going into a path.join
or path.resolve
function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
Source: https://semgrep.dev/r/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
Cc @thypon @kdenhartog
The ntp-si packaging logic had intimate knowledge of the internal format of
photo.json
in order to determine the set of assets to be included in the crx.This PR shifts that responsibility to
ntp-si-assets
, which as of https://github.com/brave/ntp-si-assets/pull/1240 now publishes an additional fileassets.json
explicitly containing the list of files to be packaged. See example.This is a pre-req for rich NTTs, which will have a wider variety of assets. That isn't implemented server-side yet: this change is in preparation for reducing the number of places that are impacted when it is. So currently there should be no visible difference with this change: it's a pure refactor.
Re #1039