
Commit e1ad9f1

Secured report paths
1 parent 54a05f0 commit e1ad9f1

7 files changed

+9
-7
lines changed

.github/actions/reports-group/create-action/dist/index.js

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

.github/actions/reports-group/create-action/dist/index.js.map

Lines changed: 1 addition & 1 deletion

.github/actions/reports-group/find-action/dist/index.js

Lines changed: 1 addition & 1 deletion

.github/actions/reports-group/find-action/dist/index.js.map

Lines changed: 1 addition & 1 deletion

.github/actions/reports-group/load-metadata-action/dist/index.js

Lines changed: 1 addition & 1 deletion

.github/actions/reports-group/load-metadata-action/dist/index.js.map

Lines changed: 1 addition & 1 deletion

.github/actions/reports-group/node-sdk/src/path.js

Lines changed: 3 additions & 1 deletion
@@ -72,11 +72,13 @@ function trustFrom(workspacePath) {
7272

7373
const untrustedMetadata = JSON.parse(content);
7474
const trustedGroupPath = path.dirname(trustedPath);
75+
// Ensure `reports` hasn't been tampered with ! (may lead to files outside the directory)
76+
const trustedReportPathsConverter = trustFrom(trustedGroupPath);
7577

7678
return {
7779
name: untrustedMetadata.name,
7880
format: untrustedMetadata.format,
79-
reports: untrustedMetadata.reports.map(r => helpers.trust(path.join(trustedGroupPath, r))),
81+
reports: untrustedMetadata.reports.map(r => trustedReportPathsConverter.trust(path.join(trustedGroupPath, r))),
8082
flags: untrustedMetadata.flags,
8183
path: withTrailingSeparator(trustedGroupPath),
8284
};
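
Review bot: On the `reports:` line, `untrustedMetadata.reports` is still passed to `.map` and each `r` to `path.join` without a type check, so a metadata file where `reports` is missing, is not an array, or holds non-string entries throws a TypeError instead of being rejected with a clear validation error; consider checking that it is an array of strings before building the paths. The neighbouring `name`, `format` and `flags` fields are likewise copied from `untrustedMetadata` unchecked. The new comment would be clearer if it stated the invariant being enforced (every report path must stay under `trustedGroupPath`) rather than "may lead to files outside the directory". Since `path.js` is the only non-generated file in this commit, a test with a `reports` entry such as `../outside.json` would pin the new behaviour down.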
