Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

#36: fix for unsafe paths #38

Merged
merged 9 commits into from
Jul 11, 2023
Merged

#36: fix for unsafe paths #38

merged 9 commits into from
Jul 11, 2023

Conversation

chucker
Copy link
Collaborator

@chucker chucker commented Jul 10, 2023
edited by ricardoboss
Loading

Fixes #36

@chucker chucker requested a review from ricardoboss July 10, 2023 21:34
@chucker
Copy link
Collaborator Author

chucker commented Jul 10, 2023

This deserves unit tests.

@chucker
Copy link
Collaborator Author

chucker commented Jul 10, 2023

I guess Contains() would also do the trick.

@ricardoboss ricardoboss linked an issue Jul 10, 2023 that may be closed by this pull request
Path in source shouldn't be outside of repo #36
Closed
@chucker chucker marked this pull request as ready for review July 11, 2023 09:14
ricardoboss
ricardoboss approved these changes Jul 11, 2023
View reviewed changes
Copy link
Member

@ricardoboss ricardoboss left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok. Make sure the CI passes before merging :)

TRENZ.Docs.API/Interfaces/ISafeFileSystemPathTraversalService.cs Outdated

public interface ISafeFileSystemPathTraversalService
{
string Traverse(string root, string path);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"Traverse" is not the correct verb for what the method does, I think. Maybe "SafeCombine"? Or "VerifyCombine"?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmmmmmm. I don't love SafeCombine but sure.

TRENZ.Docs.API.Test/PathTraversalTests.cs
[TestCategory("Services")]
public class PathTraversalTests
{
private const string MacOsRoot = "/var/folders/ab/cdefg/T/TRENZ.Docs.API/trenz-docs-test";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Technically the only paths the service will ever see are Linux paths... This is really minor, but the correct name would probably be UnixPathRoot or something along those lines

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I went with MacOs since it's derived from an actual (temp) path in debug on my Mac. In theory, we could also test this with a bunch of Windows paths…

@chucker
Copy link
Collaborator Author

chucker commented Jul 11, 2023

Ok. Make sure the CI passes before merging :)

It didn't.

@github-actions
Copy link

Code Coverage

Package Line Rate Branch Rate Complexity Health
TRENZ.Docs.API 40% 40% 356
Summary 40% (316 / 791) 40% (102 / 252) 356

Minimum allowed line rate is 30%

@chucker chucker merged commit 11a2196 into main Jul 11, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ricardoboss ricardoboss ricardoboss approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Path in source shouldn't be outside of repo
2 participants
@chucker @ricardoboss