fix bug atmos vendor pull URI cannot contain path traversal sequences and git schema #899

Open
wants to merge 16 commits into
base: main
2 changes: 1 addition & 1 deletion examples/demo-vendoring/vendor.yaml
Expand Up @@ -9,7 +9,7 @@ spec:

sources:
- component: "github/stargazers"
source: "github.com/cloudposse/atmos.git//examples/demo-library/{{ .Component }}?ref={{.Version}}"
source: "git::https://github.com/cloudposse/atmos.git//examples/demo-library/{{ .Component }}?ref={{.Version}}"
version: "main"
targets:
- "components/terraform/{{ .Component }}/{{.Version}}"
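Review bot: `version: "main"` is interpolated into `?ref={{.Version}}`, so this example vendors a moving branch head and two `atmos vendor pull` runs can fetch different content; pin a tag or commit SHA, or add a comment stating that tracking `main` is intentional for the demo. Note also that the new `git::` forced-getter prefix means the scheme portion before `://` is now `git::https`, which the scheme validation in `internal/exec/vendor_utils.go` has to accept for this example to work.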
2 changes: 1 addition & 1 deletion internal/exec/vendor_model.go
Expand Up @@ -161,7 +161,7 @@ func (m *modelVendor) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
}
version := grayColor.Render(version)
return m, tea.Sequence(
tea.Printf("%s %s %s", mark, pkg.name, version),
tea.Printf("%s %s %s %s", mark, pkg.name, version, errMsg),
tea.Quit,
)
}
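Review bot: `errMsg` is appended to the format string unconditionally, so every successful package line now ends with a trailing space and an empty field; only include `errMsg` when it is non-empty (for example build the suffix first and use `"%s %s %s%s"`), and consider rendering it in an error colour the way `version` is passed through `grayColor.Render`.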
18 changes: 0 additions & 18 deletions internal/exec/vendor_utils.go
Expand Up @@ -637,32 +637,14 @@ func validateURI(uri string) error {
if uri == "" {
return fmt.Errorf("URI cannot be empty")
}
// Maximum length check
if len(uri) > 2048 {
return fmt.Errorf("URI exceeds maximum length of 2048 characters")
}
// Add more validation as needed
// Validate URI format
if strings.Contains(uri, "..") {
return fmt.Errorf("URI cannot contain path traversal sequences")
}
Comment on lines -646 to -648
Member

Please add a test for vendoring from:

../../demo-library/weather

Member


add it to example/tests

Collaborator Author


@osterman @aknysh
To test the vendor functionality, I reviewed the process and observed that it does not break even if there are errors. However, simply running the vendor pull command is not sufficient as a test.
Instead, there should be specific test cases that validate the process, including counting the vendor files to ensure accuracy. For example, we should test the vendor process on Windows to confirm it does not fail or break. Currently, the process only logs the outcome without actually vendoring any files, which is not reliable for testing purposes.

Member


Ok, can you add some proper tests for this then?

Collaborator Author


yes

if strings.Contains(uri, " ") {
return fmt.Errorf("URI cannot contain spaces")
}
// Validate characters
if strings.ContainsAny(uri, "<>|&;$") {
return fmt.Errorf("URI contains invalid characters")
}
// Validate scheme-specific format
if strings.HasPrefix(uri, "oci://") {
if !strings.Contains(uri[6:], "/") {
return fmt.Errorf("invalid OCI URI format")
}
} else if strings.Contains(uri, "://") {
scheme := strings.Split(uri, "://")[0]
if !isValidScheme(scheme) {
return fmt.Errorf("unsupported URI scheme: %s", scheme)
}
}
return nil
}
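Review bot: deleting both the maximum-length check and the `..` check removes every guard on local sources, which is broader than the traversal fix the PR title describes. Relative sources such as `../../demo-library/weather` can be allowed without dropping the guard entirely: skip the `..` test only when the URI carries a scheme or forced-getter prefix, and otherwise resolve the path against the vendor.yaml directory and confirm it still lies under the repository root. The 2048-character limit is unrelated to the traversal bug and should stay, or the description should say why it goes. Also confirm that `isValidScheme` accepts what `strings.Split(uri, "://")[0]` yields for the new `git::https://...` source form in `examples/demo-vendoring/vendor.yaml`, namely `git::https`, since the remaining validation still runs that split.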
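The review thread asks for a test that vendoring from `../../demo-library/weather` works. As an added example, not code from this PR or from Atmos, the following shows the shape of a check that admits such relative sources while still refusing paths that escape the repository: remote sources (a `scheme://` URI or a go-getter `git::`-style prefix) are passed through, and local sources are resolved against the directory holding vendor.yaml and confined to the repository root. The function names, the `/repo` root and the sample sources are constructed for illustration; the existing scheme check in vendor_utils.go is assumed to run separately for remote sources.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// IsRemoteSource reports whether a vendor source names a remote location:
// either a "scheme://" URI or a go-getter forced-getter prefix such as "git::".
// Hypothetical helper, not part of Atmos.
func IsRemoteSource(uri string) bool {
	return strings.Contains(uri, "://") || strings.Contains(uri, "::")
}

// ResolveLocalSource resolves a local vendor source against the directory that
// holds vendor.yaml (vendorDir, relative to repoRoot) and returns the cleaned
// path, or an error if the result lies outside repoRoot. ".." segments are
// allowed as long as the final path stays inside the repository.
func ResolveLocalSource(repoRoot, vendorDir, uri string) (string, error) {
	if IsRemoteSource(uri) {
		return "", fmt.Errorf("%q is a remote source, not a local path", uri)
	}
	root := filepath.Clean(repoRoot)
	var resolved string
	if filepath.IsAbs(uri) {
		// An absolute source is taken as given, but still has to be under root.
		resolved = filepath.Clean(uri)
	} else {
		// Join cleans the ".." segments, so the comparison below sees the real target.
		resolved = filepath.Join(root, vendorDir, uri)
	}
	rel, err := filepath.Rel(root, resolved)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("source %q resolves to %s, outside the repository root", uri, resolved)
	}
	return resolved, nil
}

// CheckVendorSource is the validation a vendor.yaml loader would call: remote
// sources are accepted here (scheme validation is assumed to happen elsewhere),
// local sources must resolve inside the repository.
func CheckVendorSource(repoRoot, vendorDir, uri string) error {
	if uri == "" {
		return fmt.Errorf("URI cannot be empty")
	}
	if IsRemoteSource(uri) {
		return nil
	}
	_, err := ResolveLocalSource(repoRoot, vendorDir, uri)
	return err
}

func main() {
	// Constructed sample inputs: the layout mirrors examples/demo-vendoring.
	root, vendorDir := "/repo", filepath.Join("examples", "demo-vendoring")
	for _, src := range []string{
		"../../demo-library/weather",                                        // relative, stays inside the repo
		"../../../outside/component",                                        // escapes the repo
		"git::https://github.com/cloudposse/atmos.git//examples/x?ref=main", // remote
	} {
		fmt.Printf("%-70s -> %v\n", src, CheckVendorSource(root, vendorDir, src))
	}
}
```

The key design choice is that the decision is made on the resolved path rather than on the presence of `..` in the string, which is what lets a legitimate `../../demo-library/weather` through while still rejecting a source that climbs above the repository.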