From 7189d1390ec1bc4c100d2df4e31475938ed9d493 Mon Sep 17 00:00:00 2001 From: Don Olmstead Date: Fri, 7 Aug 2015 15:21:39 -0700 Subject: [PATCH 1/2] Adding linting rules for cache value --- pkg/yaml/lint.go | 17 +++++++++++++++++ pkg/yaml/lint_test.go | 26 ++++++++++++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/pkg/yaml/lint.go b/pkg/yaml/lint.go index 07b779365..26c741410 100644 --- a/pkg/yaml/lint.go +++ b/pkg/yaml/lint.go @@ -22,6 +22,7 @@ var lintRules = [...]lintRule{ expectTrustedPublish, expectTrustedDeploy, expectTrustedNotify, + expectCacheInWorkspace, } // Lint runs all lint rules against the Yaml Config. @@ -105,6 +106,22 @@ func expectTrustedNotify(c *common.Config) error { return nil } +// lint rule that fails if the cache directories are not contained +// in the workspace. +func expectCacheInWorkspace(c *common.Config) error { + for _, step := range c.Build.Cache { + cleaned := filepath.Clean(step) + + if strings.Index(cleaned, "../") != -1 { + return fmt.Errorf("Cache must point to a path in the workspace") + } else if cleaned == "." { + return fmt.Errorf("Cannot cache the workspace") + } + } + + return nil +} + func LintPlugins(c *common.Config, opts *Opts) error { if len(opts.Whitelist) == 0 { return nil diff --git a/pkg/yaml/lint_test.go b/pkg/yaml/lint_test.go index 3afde444f..0d8fd9e3e 100644 --- a/pkg/yaml/lint_test.go +++ b/pkg/yaml/lint_test.go 
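Review bot: The traversal check in expectCacheInWorkspace, `strings.Index(cleaned, "../") != -1`, misses entries that clean to exactly `..` (for example `..` or `.git/../..`), because filepath.Clean strips the trailing slash and the substring no longer matches. After Clean, parent references can only remain at the front of a relative path, so `if cleaned == ".." || strings.HasPrefix(cleaned, "../") {` covers both forms and no longer rejects a directory whose name merely ends in `..`. filepath.Clean also rewrites separators per OS, so comparing against `filepath.ToSlash(cleaned)` (or using path.Clean) keeps the rule effective off Unix. The tests accept `/.git` as in-workspace, so a bare `/` would probably slip past the `cleaned == "."` rule as well; confirm this against how rooted entries are resolved. The same lines are carried unchanged in the PATCH 2/2 hunk of lint.go, and lint_test.go has no case that cleans to a bare `..`.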
@@ -88,6 +88,32 @@ func Test_Linter(t *testing.T) { g.Assert(Lint(c) == nil).IsTrue() }) + g.It("Should pass with path inside workspace", func() { + c := &common.Config{ + Build: &common.Step{ + Cache: []string{".git","/.git","/.git/../.git/../.git"}, + }, + } + g.Assert(expectCacheInWorkspace(c) == nil).IsTrue() + }) + + g.It("Should fail with path outside workspace", func() { + c := &common.Config{ + Build: &common.Step{ + Cache: []string{".git","/.git","../../.git"}, + }, + } + g.Assert(expectCacheInWorkspace(c) != nil).IsTrue() + }) + + g.It("Should fail when caching workspace directory", func() { + c := &common.Config{ + Build: &common.Step{ + Cache: []string{".git",".git/../"}, + }, + } + g.Assert(expectCacheInWorkspace(c) != nil).IsTrue() + }) }) } From 3fdee1b8e84a8d402214dcfe6d3d3b64208e14dc Mon Sep 17 00:00:00 2001 From: Don Olmstead Date: Fri, 7 Aug 2015 16:18:11 -0700 Subject: [PATCH 2/2] Disallowing : in the path for a cached entry --- pkg/yaml/lint.go | 4 ++++ pkg/yaml/lint_test.go | 11 ++++++++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/pkg/yaml/lint.go b/pkg/yaml/lint.go index 26c741410..9141549af 100644 --- a/pkg/yaml/lint.go +++ b/pkg/yaml/lint.go @@ -110,6 +110,10 @@ func expectTrustedNotify(c *common.Config) error { // in the workspace. func expectCacheInWorkspace(c *common.Config) error { for _, step := range c.Build.Cache { + if strings.Index(step, ":") != -1 { + return fmt.Errorf("Cache cannot contain : in the path") + } + cleaned := filepath.Clean(step) if strings.Index(cleaned, "../") != -1 { diff --git a/pkg/yaml/lint_test.go b/pkg/yaml/lint_test.go index 0d8fd9e3e..d446f684a 100644 --- a/pkg/yaml/lint_test.go +++ b/pkg/yaml/lint_test.go 
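Review bot: The new `:` check in the PATCH 2/2 hunk of lint.go carries no explanation, and the doc comment above expectCacheInWorkspace still describes only the workspace-containment rule. A reader cannot tell from this hunk why a colon is unsafe; presumably the entry is later placed into a colon-delimited spec, which should be confirmed and then stated, e.g. `// Reject ':' because cache entries are later used in a colon-separated spec (TODO confirm); checked on the raw value before Clean.` As a style point, `strings.Contains(step, ":")` reads more directly than `strings.Index(step, ":") != -1`. The function body continues outside this hunk.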
@@ -113,7 +113,16 @@ func Test_Linter(t *testing.T) { }, } g.Assert(expectCacheInWorkspace(c) != nil).IsTrue() - }) + }) + + g.It("Should fail when : is in the path", func() { + c := &common.Config{ + Build: &common.Step{ + Cache: []string{".git",".git:/../"}, + }, + } + g.Assert(expectCacheInWorkspace(c) != nil).IsTrue() + }) }) }
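Review bot: The new case "Should fail when : is in the path" does not isolate the colon rule: its entry `.git:/../` cleans to `.`, so the existing "Cannot cache the workspace" check would make the assertion pass even with the colon check removed. Use an entry that every other rule accepts, such as `Cache: []string{".git", "foo:bar"},` (constructed sample), and assert on the returned message rather than only `!= nil`. The enclosing Test_Linter function starts outside the hunk.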