Posted to commits@cordova.apache.org by sh...@apache.org on 2014/10/30 22:27:38 UTC

git commit: CB-7890 validate file copy operations in plugman

Repository: cordova-lib
Updated Branches:
  refs/heads/master 42333b6b9 -> 281aee737


CB-7890 validate file copy operations in plugman

Signed-off-by: Shazron Abdullah <sh...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/cordova-lib/repo
Commit: http://git-wip-us.apache.org/repos/asf/cordova-lib/commit/281aee73
Tree: http://git-wip-us.apache.org/repos/asf/cordova-lib/tree/281aee73
Diff: http://git-wip-us.apache.org/repos/asf/cordova-lib/diff/281aee73

Branch: refs/heads/master
Commit: 281aee737dbe5143c9cb5957359ed5df6298a154
Parents: 42333b6
Author: Brett Rudd <br...@gmail.com>
Authored: Wed Oct 29 12:14:32 2014 -0700
Committer: Shazron Abdullah <sh...@apache.org>
Committed: Thu Oct 30 14:23:56 2014 -0700

----------------------------------------------------------------------
 .../spec-plugman/platforms/common.spec.js       | 42 ++++++++++++++++++--
 cordova-lib/src/plugman/platforms/common.js     | 12 ++++++
 2 files changed, 51 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cordova-lib/blob/281aee73/cordova-lib/spec-plugman/platforms/common.spec.js
----------------------------------------------------------------------
diff --git a/cordova-lib/spec-plugman/platforms/common.spec.js b/cordova-lib/spec-plugman/platforms/common.spec.js
index 6f8647f..828955b 100644
--- a/cordova-lib/spec-plugman/platforms/common.spec.js
+++ b/cordova-lib/spec-plugman/platforms/common.spec.js
@@ -25,7 +25,9 @@ var common = require('../../src/plugman/platforms/common')
   , src = path.join(project_dir, 'src')
   , dest = path.join(project_dir, 'dest')
   , java_dir = path.join(src, 'one', 'two', 'three')
-  , java_file = path.join(java_dir, 'test.java');
+  , java_file = path.join(java_dir, 'test.java')
+  , symlink_file = path.join(java_dir, 'symlink')
+  , non_plugin_file = path.join(osenv.tmpdir(), 'non_plugin_file');
 
 describe('common platform handler', function() {
     describe('resolveSrcPath', function() {
@@ -51,8 +53,34 @@ describe('common platform handler', function() {
     });
 
     describe('copyFile', function() {
-        it('should throw if source path cannot be resolved', function(){
-            expect(function(){common.copyFile(test_dir, src, project_dir, dest)}).toThrow();
+        it('should throw if source path not found', function(){
+            expect(function(){common.copyFile(test_dir, src, project_dir, dest)}).
+                toThrow(new Error('"' + src + '" not found!'));
+        });
+
+        it('should throw if src not in plugin directory', function(){
+            shell.mkdir('-p', project_dir);
+            fs.writeFileSync(non_plugin_file, 'contents', 'utf-8');
+            expect(function(){common.copyFile(test_dir, "../non_plugin_file", project_dir, dest)}).
+                toThrow(new Error('"' + non_plugin_file + '" not located within plugin!'));
+            shell.rm('-rf', test_dir);
+        });
+
+        it('should allow symlink src, if inside plugin', function(){
+            shell.mkdir('-p', java_dir);
+            fs.writeFileSync(java_file, 'contents', 'utf-8');
+            fs.symlinkSync(java_file, symlink_file);
+            common.copyFile(test_dir, symlink_file, project_dir, dest)
+            shell.rm('-rf', project_dir);
+        });
+
+        it('should throw if symlink is linked to a file outside the plugin', function(){
+            shell.mkdir('-p', java_dir);
+            fs.writeFileSync(non_plugin_file, 'contents', 'utf-8');
+            fs.symlinkSync(non_plugin_file, symlink_file);
+            expect(function(){common.copyFile(test_dir, symlink_file, project_dir, dest)}).
+                toThrow(new Error('"' + symlink_file + '" not located within plugin!'));
+            shell.rm('-rf', project_dir);
         });
 
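Review bot: The file `non_plugin_file` written into `osenv.tmpdir()` at the two `fs.writeFileSync(non_plugin_file, ...)` calls is never removed, so it outlives the suite and the shared temp directory; each of those tests should end with `shell.rm('-f', non_plugin_file);` alongside the existing cleanup. The cleanup targets are also inconsistent: the "src not in plugin directory" test removes `test_dir` while its neighbours remove `project_dir`, and since `test_dir` is declared above this hunk I cannot tell which is the intended root, but one of them is probably left behind. The statement `common.copyFile(test_dir, symlink_file, project_dir, dest)` in the symlink test is missing its trailing semicolon.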
         it('should throw if target path exists', function(){
@@ -61,6 +89,14 @@ describe('common platform handler', function() {
             shell.rm('-rf', dest);
         });
 
+        it('should throw if dest is outside the project directory', function(){
+            shell.mkdir('-p', java_dir);
+            fs.writeFileSync(java_file, 'contents', 'utf-8');
+            expect(function(){common.copyFile(test_dir, java_file, project_dir, non_plugin_file)}).
+                toThrow(new Error('"' + non_plugin_file + '" not located within project!'));
+            shell.rm('-rf', project_dir);
+        });
+
         it('should call mkdir -p on target path', function(){
             shell.mkdir('-p', java_dir);
             fs.writeFileSync(java_file, 'contents', 'utf-8');
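Review bot: The new test only covers a dest that is entirely outside the project (`non_plugin_file` in the temp directory); it does not exercise a sibling directory whose name merely begins with `project_dir`, which is the case a plain string-prefix check in `copyFile` would get wrong. A second `it` using `project_dir + '_other'` as the dest and expecting the same `not located within project!` error would pin that boundary. The same applies to the src-side check in the previous hunk, where a sibling of the plugin directory is likewise untested.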

http://git-wip-us.apache.org/repos/asf/cordova-lib/blob/281aee73/cordova-lib/src/plugman/platforms/common.js
----------------------------------------------------------------------
diff --git a/cordova-lib/src/plugman/platforms/common.js b/cordova-lib/src/plugman/platforms/common.js
index 994aade..2226d0c 100644
--- a/cordova-lib/src/plugman/platforms/common.js
+++ b/cordova-lib/src/plugman/platforms/common.js
@@ -41,7 +41,19 @@ module.exports = common = {
     copyFile:function(plugin_dir, src, project_dir, dest) {
         src = module.exports.resolveSrcPath(plugin_dir, src);
         if (!fs.existsSync(src)) throw new Error('"' + src + '" not found!');
+
+        // check that src path is inside plugin directory
+        var real_path = fs.realpathSync(src);
+        var real_plugin_path = fs.realpathSync(plugin_dir);
+        if (real_path.indexOf(real_plugin_path) !== 0)
+            throw new Error('"' + src + '" not located within plugin!');
+
         dest = module.exports.resolveTargetPath(project_dir, dest);
+
+        // check that dest path is located in project directory
+        if (dest.indexOf(project_dir) !== 0)
+            throw new Error('"' + dest + '" not located within project!');
+
         shell.mkdir('-p', path.dirname(dest));
 
         // XXX shelljs decides to create a directory when -R|-r is used which sucks. http://goo.gl/nbsjq
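Review bot: Both containment checks are bare string-prefix tests (`real_path.indexOf(real_plugin_path) !== 0` and `dest.indexOf(project_dir) !== 0`), so a sibling path whose name merely starts with the directory name (for a plugin at `/p/plugin`, a file under `/p/plugin-other`) passes as "inside". The prefix should be compared with a trailing `path.sep`, allowing the exact directory itself; `path` is already in scope here. The dest check additionally compares the resolved `dest` against an unresolved `project_dir`, so a relative or trailing-slash `project_dir` will presumably never match — hedged, since `resolveTargetPath` is outside the hunk — and resolving `project_dir` with `path.resolve` before the comparison would make both sides comparable. Note that `dest` is not passed through `realpathSync` (it may not exist yet), so a symlinked ancestor of `dest` pointing outside the project is not caught by this check; that residual is worth a comment. copyFile's body continues outside the hunk.

```javascript
        // check that src path is inside plugin directory (sibling names such as
        // "<plugin>-other" must not pass a plain prefix test)
        var real_path = fs.realpathSync(src);
        var real_plugin_path = fs.realpathSync(plugin_dir);
        if (real_path !== real_plugin_path &&
            real_path.indexOf(real_plugin_path + path.sep) !== 0)
            throw new Error('"' + src + '" not located within plugin!');

        dest = module.exports.resolveTargetPath(project_dir, dest);

        // check that dest path is located in project directory; dest is not
        // realpath'd because it is expected not to exist yet
        var resolved_project_dir = path.resolve(project_dir);
        if (dest !== resolved_project_dir &&
            dest.indexOf(resolved_project_dir + path.sep) !== 0)
            throw new Error('"' + dest + '" not located within project!');

        // … unchanged: mkdir -p and the copy …
```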

