Posted to commits@whimsical.apache.org by se...@apache.org on 2020/10/06 19:14:23 UTC

[whimsy] branch master updated: Validate board agenda/minute names

This is an automated email from the ASF dual-hosted git repository.

sebb pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/whimsy.git


The following commit(s) were added to refs/heads/master by this push:
     new d1d9445  Validate board agenda/minute names
d1d9445 is described below

commit d1d9445885ea63f80bc181637070f40277dc48b9
Author: Sebb <se...@apache.org>
AuthorDate: Tue Oct 6 20:14:14 2020 +0100

    Validate board agenda/minute names
---
 www/board/agenda/main.rb                        |  7 +++++++
 www/board/agenda/models/agenda.rb               | 16 ++++++++++------
 www/board/agenda/views/actions/budget.json.rb   |  3 ++-
 www/board/agenda/views/actions/draft.json.rb    |  3 ++-
 www/board/agenda/views/actions/feedback.json.rb |  3 ++-
 www/board/agenda/views/actions/minute.json.rb   |  3 ++-
 www/board/agenda/views/actions/summary.json.rb  |  5 +++--
 7 files changed, 28 insertions(+), 12 deletions(-)

diff --git a/www/board/agenda/main.rb b/www/board/agenda/main.rb
index 94502f8..215da6c 100755
--- a/www/board/agenda/main.rb
+++ b/www/board/agenda/main.rb
@@ -30,6 +30,9 @@ unless ENV['RACK_ENV'] == 'development'
   disable :logging # suppress log of requests to stderr/error.log
 end
 
+# needs to match all agendas and minutes
+BOARD_REGEX = %r{\Aboard_\w+_[-\d_]+\.txt\z}
+
 # determine where relevant data can be found
 if ENV['RACK_ENV'] == 'test'
   FOUNDATION_BOARD = File.expand_path('test/work/board')
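Review bot: The comment on BOARD_REGEX says what it must match but not what it is meant to reject, which is the property every caller now relies on when it builds a path from the name; I would extend it so a later edit does not loosen it by accident: `# anchored with \A/\z; \w and [-\d_] admit no '/', '.' or whitespace, so a matching name cannot name a path outside its directory`. The class `[-\d_]` is also wider than the `[\d_]` of the per-method checks this constant replaces in models/agenda.rb, presumably to cover the hyphenated minutes names the removed checks in budget.json.rb and minute.json.rb matched; stating that in the comment would record the intent.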
@@ -68,3 +71,7 @@ end
 def dir(pattern, base=FOUNDATION_BOARD)
   Dir[File.join(base, pattern)].map {|name| File.basename name}
 end
+
+def validate_board_file(name)
+  raise ArgumentError, "Invalid filename #{name}" unless name =~ BOARD_REGEX
+end
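Review bot: validate_board_file on L51 uses `=~`, which allocates MatchData and sets `$~` for no purpose here, and on a non-String argument (nil for a missing request parameter, or an Array when a parameter is repeated) it does not give a uniform ArgumentError on Rubies that no longer provide Object#=~. I would also quote the rejected name with inspect so a value containing newlines or control characters cannot smuggle text into whatever logs or renders the message: `raise ArgumentError, "Invalid filename #{name.inspect}" unless name.is_a?(String) && BOARD_REGEX.match?(name)`. A one-line header would help the callers in views/actions, e.g. `# @raise [ArgumentError] unless name is a board agenda/minutes filename (see BOARD_REGEX)`.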
diff --git a/www/board/agenda/models/agenda.rb b/www/board/agenda/models/agenda.rb
index 959485a..de13d16 100755
--- a/www/board/agenda/models/agenda.rb
+++ b/www/board/agenda/models/agenda.rb
@@ -28,8 +28,9 @@ class Agenda
   # fetch parsed agenda from in memory cache if up to date, otherwise
   # fall back to disk.
   def self.[](file)
+    validate_board_file(file)
+
     path = File.join(CACHE, file.sub(/\.txt$/, '.yml'))
-    path.untaint if file =~ /^board_agenda_\d+_\d+_\d+\.txt$/
     data = @@cache[file]
 
     if File.exist?(path) and File.mtime(path) != data[:mtime]
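Review bot: The comment above `self.[]` on L58-59 still describes only the cache lookup, while the method now raises for a name that fails validation; I would add `# @raise [ArgumentError] if file is not a board agenda/minutes filename` there, and the same line to `self.[]=`, `uptodate`, `parse` and `update` below, which gain the identical call. The body of `self.[]` continues past this hunk.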
@@ -45,8 +46,9 @@ class Agenda
 
   # update both in memory and disk caches with new parsed agenda
   def self.[]=(file, data)
+    validate_board_file(file)
+
     path = File.join(CACHE, file.sub(/\.txt$/, '.yml'))
-    path.untaint if file =~ /^board_agenda_\d+_\d+_\d+\.txt$/
 
     File.open(path, File::RDWR|File::CREAT, 0644) do |fh|
       fh.flock(File::LOCK_EX)
@@ -87,14 +89,16 @@ class Agenda
   end
 
   def self.uptodate(file)
-    raise ArgumentError, "Invalid file name #{file}" unless file =~ /\Aboard_\w+_[\d_]+\.txt\z/
+    validate_board_file(file)
+
     path = File.expand_path(file, FOUNDATION_BOARD)
     return false unless File.exist? path
     return Agenda[file][:mtime] == File.mtime(path)
   end
 
   def self.parse(file, mode)
-    raise ArgumentError, "Invalid file name #{file}" unless file =~ /\Aboard_\w+_[\d_]+\.txt\z/
+    validate_board_file(file)
+
     # for quick mode, anything will do
     mode = :quick if ENV['RACK_ENV'] == 'test'
     return Agenda[file][:parsed] if mode == :quick and Agenda[file][:mtime] != 0
@@ -132,6 +136,8 @@ class Agenda
   # update agenda file in SVN
   def self.update(file, message, retries=20, auth: nil, &block)
     return unless block
+    validate_board_file(file)
+
     commit_rc = 0
 
     # Create a temporary work directory
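Review bot: In `self.update` the new `validate_board_file(file)` sits after `return unless block` on L101, so a call with an invalid name and no block returns nil silently instead of raising, whereas the other four methods in this file validate before anything else. Moving the check above the guard keeps the contract uniform: `validate_board_file(file)` followed by `return unless block`. The body of update continues outside the hunk.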
@@ -144,8 +150,6 @@ class Agenda
       auth = [['--username', env.user, '--password', env.password]]
     end
 
-    file.untaint if file =~ /\Aboard_\w+_[\d_]+\.txt\z/
-
     working_copy = File.join(AGENDA_WORK, file)
 
     File.open(working_copy, File::RDWR|File::CREAT, 0644) do |work_file|
diff --git a/www/board/agenda/views/actions/budget.json.rb b/www/board/agenda/views/actions/budget.json.rb
index 6864d62..9fe0bf2 100644
--- a/www/board/agenda/views/actions/budget.json.rb
+++ b/www/board/agenda/views/actions/budget.json.rb
@@ -2,9 +2,10 @@
 # Add budget to minutes
 #
 
+validate_board_file(@agenda)
+
 @minutes = @agenda.sub('_agenda_', '_minutes_')
 minutes_file = "#{AGENDA_WORK}/#{@minutes.sub('.txt', '.yml')}"
-minutes_file.untaint if @minutes =~ /^board_minutes_\d+-\d+-\d+\.txt$/
 
 if File.exist? minutes_file
   minutes = YAML.load_file(minutes_file) || {}
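Review bot: validate_board_file only checks that `@agenda` has the `board_<word>_<date>.txt` shape, whereas the per-action regexes it replaces (the removed L128 here, and the equivalents in draft, feedback, minute and summary) pinned the middle word to `agenda` or `minutes`; a name such as `board_minutes_2020_10_06.txt` or `board_x_1.txt` (constructed examples) now passes, `@agenda.sub('_agenda_', '_minutes_')` on L126 becomes a no-op, and the action works on a file it never meant to. In draft.json.rb the consequence is sharper, since `minutes_file = agenda_file.sub('_agenda', '_minutes')` then equals `agenda_file` and ASF::SVN.update is handed the agenda itself. I would add, after the validate call in each of the five actions, `raise ArgumentError, "Not an agenda: #{@agenda.inspect}" unless @agenda.start_with?('board_agenda_')`, or fold an agenda-specific variant of the check into main.rb.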
diff --git a/www/board/agenda/views/actions/draft.json.rb b/www/board/agenda/views/actions/draft.json.rb
index c09ea99..7b855ba 100644
--- a/www/board/agenda/views/actions/draft.json.rb
+++ b/www/board/agenda/views/actions/draft.json.rb
@@ -2,8 +2,9 @@
 # commit draft minutes to SVN
 #
 
+validate_board_file(@agenda)
+
 agenda_file = "#{FOUNDATION_BOARD}/#{@agenda}"
-agenda_file.untaint if @agenda =~ /^board_agenda_\d+_\d+_\d+.txt$/
 minutes_file = agenda_file.sub('_agenda', '_minutes')
 
 ASF::SVN.update minutes_file, @message, env, _ do |tmpdir, old_contents|
diff --git a/www/board/agenda/views/actions/feedback.json.rb b/www/board/agenda/views/actions/feedback.json.rb
index dcc34ed..5a6a6ed 100644
--- a/www/board/agenda/views/actions/feedback.json.rb
+++ b/www/board/agenda/views/actions/feedback.json.rb
@@ -4,10 +4,11 @@
 
 ASF::Mail.configure
 
+validate_board_file(@agenda)
+
 # fetch minutes
 @minutes = @agenda.sub('_agenda_', '_minutes_')
 minutes_file = "#{AGENDA_WORK}/#{@minutes.sub('.txt', '.yml')}"
-minutes_file.untaint if @minutes =~ /^board_minutes_\d+_\d+_\d+\.txt$/
 date = @agenda[/\d+_\d+_\d+/].gsub('_', '-')
 
 if File.exist? minutes_file
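Review bot: BOARD_REGEX accepts `-` in the date part, but `@agenda[/\d+_\d+_\d+/]` on L161 assumes underscores, so a name such as `board_agenda_2020-10-06.txt` (a constructed example) passes validation and then fails with NoMethodError on `nil.gsub`. If hyphenated agenda names are not expected, reject them with a clear error before L161, `raise ArgumentError, "Unexpected agenda name: #{@agenda.inspect}" unless @agenda.match?(/_\d+_\d+_\d+\.txt\z/)`; otherwise use `&.gsub` and handle the nil date explicitly.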
diff --git a/www/board/agenda/views/actions/minute.json.rb b/www/board/agenda/views/actions/minute.json.rb
index ad363d4..f1f8395 100644
--- a/www/board/agenda/views/actions/minute.json.rb
+++ b/www/board/agenda/views/actions/minute.json.rb
@@ -3,9 +3,10 @@
 #
 require 'active_support/core_ext/time'
 
+validate_board_file(@agenda)
+
 @minutes = @agenda.sub('_agenda_', '_minutes_')
 minutes_file = "#{AGENDA_WORK}/#{@minutes.sub('.txt', '.yml')}"
-minutes_file.untaint if @minutes =~ /^board_minutes_\d+-\d+-\d+\.txt$/
 
 if File.exist? minutes_file
   minutes = YAML.load_file(minutes_file) || {}
diff --git a/www/board/agenda/views/actions/summary.json.rb b/www/board/agenda/views/actions/summary.json.rb
index 29befa3..3b07496 100644
--- a/www/board/agenda/views/actions/summary.json.rb
+++ b/www/board/agenda/views/actions/summary.json.rb
@@ -1,9 +1,10 @@
 # send summary email to committers
 
+validate_board_file(@agenda)
+
 # fetch minutes
 @minutes = @agenda.sub('_agenda_', '_minutes_')
 minutes_file = File.join(AGENDA_WORK, "#{@minutes.sub('.txt', '.yml')}")
-minutes_file.untaint if @minutes =~ /^board_minutes_\d+_\d+_\d+\.txt$/
 
 if File.exist? minutes_file
   minutes = YAML.load_file(minutes_file) || {}
@@ -12,7 +13,7 @@ else
 end
 
 # ensure headers have proper CRLF
-header, body = @text.untaint.split(/\r?\n\r?\n/, 2)
+header, body = @text.split(/\r?\n\r?\n/, 2)
 header.gsub! /\r?\n/, "\r\n"
 
 # send mail
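Review bot: With the untaint gone, `@text.split(/\r?\n\r?\n/, 2)` on L201 still yields a nil `header` when `@text` is empty (split of an empty string returns an empty array) and raises on `@text.split` when it is nil, so the `header.gsub!` on L202 or the split itself turns a missing summary into a 500 rather than a rejected request; I would guard with `raise ArgumentError, 'empty summary text' if @text.to_s.empty?` before the split. Since `header` comes straight from the request, the CRLF normalisation on L202 is what keeps it a single well-formed header block; the mail-sending code that consumes it is outside the hunk.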