fix: clean template destination path for pull
#12559
Conversation
cli/templatepull.go
Outdated
| } | ||
|
|
||
| if dest != clean { | ||
| cliui.Warn(inv.Stderr, fmt.Sprintf("cleaning destination path from %s to %s", dest, clean)) |
There was a problem hiding this comment.
nit: I wouldn't warn users here, it the tool can fix the path then we don't need to them
There was a problem hiding this comment.
I was thinking this process of cleaning the dir might cause unexpected results, but on reflection I think you're right; I've removed it.
cli/templatepull.go
Outdated
| clean, err := filepath.Abs(filepath.Clean(dest)) | ||
| if err != nil { | ||
| cliui.Error(inv.Stderr, fmt.Sprintf("cleaning destination path %s failed: %q", dest, err)) | ||
| return err |
There was a problem hiding this comment.
Could this be an xerrors.Errorf("lookup of absolute path failed ...: %w") instead of the manual cliui error call? I'd expect the error to be printed twice this way.
| dir := t.TempDir() | ||
| wd, err := os.Getwd() | ||
| require.NoError(t, err) | ||
| err = os.Chdir(dir) |
There was a problem hiding this comment.
How do these tests actually work with chdir removed? The files will be created inside the repo since we're not in the tmpdir, right?
There was a problem hiding this comment.
It pulls into the givenPath:
inv, root := clitest.New(t, "templates", "pull", template.Name, tc.givenPath)AFAICS it's functionally equivalent
There was a problem hiding this comment.
If the given path is relative, won't it be relative to the Go process, i.e. the test which is running in coder/cli directory? Thus it'll store files in there instead of tmp.
There was a problem hiding this comment.
You're correct! I added these two lines to account for that in the last commit:
newWD := t.TempDir()
require.NoError(t, os.Chdir(newWD))There was a problem hiding this comment.
You also need to restore the wd after the test has ended, otherwise it could break other tests.
There was a problem hiding this comment.
Oooh good point!
cli/templatepull.go
Outdated
| } | ||
|
|
||
| if dest != clean { | ||
| cliui.Warn(inv.Stderr, fmt.Sprintf("cleaning destination path from %s to %s", dest, clean)) |
There was a problem hiding this comment.
I was thinking this process of cleaning the dir might cause unexpected results, but on reflection I think you're right; I've removed it.
| dir := t.TempDir() | ||
| wd, err := os.Getwd() | ||
| require.NoError(t, err) | ||
| err = os.Chdir(dir) |
There was a problem hiding this comment.
It pulls into the givenPath:
inv, root := clitest.New(t, "templates", "pull", template.Name, tc.givenPath)AFAICS it's functionally equivalent
cli/templatepull_test.go
Outdated
| @@ -230,118 +230,111 @@ func TestTemplatePull_LatestStdout(t *testing.T) { | |||
|
|
|||
| // ToDir tests that 'templates pull' pulls down the active template | |||
| // and writes it to the correct directory. | |||
| // | |||
| // nolint: tparallel // The subtests cannot be run in parallel; see the inner loop. | |||
| func TestTemplatePull_ToDir(t *testing.T) { | |||
| t.Parallel() | |||
There was a problem hiding this comment.
We'll need to remove this parallel now that we're doing chdir again.
There was a problem hiding this comment.
Note that this is tparallel not paralleltest.
There was a problem hiding this comment.
I wasn't referring to linting. A test that modifies the environment of the process (e.g. setenv or chdir) can't be parallel or have parallel ancestors.
There was a problem hiding this comment.
OH you're completely right!
cli/templatepull_test.go
Outdated
| templateAdmin, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID, rbac.RoleTemplateAdmin()) | ||
| t.Cleanup(func() { | ||
| _ = os.RemoveAll(tc.givenPath) | ||
| _ = os.RemoveAll(expectedDest) |
There was a problem hiding this comment.
We could perhaps combine these and chdir into a single cleanup? Or perhaps even better would be to implement testutil.Chdir since it's something we do every now and a then.
cli/templatepull_test.go
Outdated
| }, | ||
| { | ||
| name: "directory traversal is acceptable", | ||
| givenPath: "../mytmpl", |
There was a problem hiding this comment.
I suppose this write is outside the test tmpdir? Perhaps we should increase the depth down below (pseudo newWD := filepath.Join(t.TempDir(), "work"); mkdir(newWD))?
Signed-off-by: Danny Kopping <danny@coder.com>
Signed-off-by: Danny Kopping <danny@coder.com>
Signed-off-by: Danny Kopping <danny@coder.com>
Signed-off-by: Danny Kopping <danny@coder.com>
…s broke a test Signed-off-by: Danny Kopping <danny@coder.com>
Signed-off-by: Danny Kopping <danny@coder.com>
cda50fc to
9d035e3
Compare
Signed-off-by: Danny Kopping <danny@coder.com>
cleanup; t.Cleanup is ordered by last-added-first-called. Signed-off-by: Danny Kopping <danny@coder.com>
Co-authored-by: Mathias Fredriksson <mafredri@gmail.com>
Fixes #10281
Cleaning the path and making it absolute causes the path to not be seen as unsafe by the underlying library.
Note to reviewer: this PR obviates the need for
TestTemplatePull_ToImplicit.It made sense to me to merge them together, but you may want to keep them separate; I'm easy either way.
Side-note: I was testing to see if I could inject problematic template names like
--helpand ended up finding a CLI bug: #12575