Posted to commits@whimsical.apache.org by se...@apache.org on 2020/10/06 19:14:23 UTC
[whimsy] branch master updated: Validate board agenda/minute names
This is an automated email from the ASF dual-hosted git repository.
sebb pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/whimsy.git
The following commit(s) were added to refs/heads/master by this push:
new d1d9445 Validate board agenda/minute names
d1d9445 is described below
commit d1d9445885ea63f80bc181637070f40277dc48b9
Author: Sebb <se...@apache.org>
AuthorDate: Tue Oct 6 20:14:14 2020 +0100
Validate board agenda/minute names
---
www/board/agenda/main.rb | 7 +++++++
www/board/agenda/models/agenda.rb | 16 ++++++++++------
www/board/agenda/views/actions/budget.json.rb | 3 ++-
www/board/agenda/views/actions/draft.json.rb | 3 ++-
www/board/agenda/views/actions/feedback.json.rb | 3 ++-
www/board/agenda/views/actions/minute.json.rb | 3 ++-
www/board/agenda/views/actions/summary.json.rb | 5 +++--
7 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/www/board/agenda/main.rb b/www/board/agenda/main.rb
index 94502f8..215da6c 100755
--- a/www/board/agenda/main.rb
+++ b/www/board/agenda/main.rb
@@ -30,6 +30,9 @@ unless ENV['RACK_ENV'] == 'development'
disable :logging # suppress log of requests to stderr/error.log
end
+# needs to match all agendas and minutes
+BOARD_REGEX = %r{\Aboard_\w+_[-\d_]+\.txt\z}
+
# determine where relevant data can be found
if ENV['RACK_ENV'] == 'test'
FOUNDATION_BOARD = File.expand_path('test/work/board')
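Review bot: The comment on BOARD_REGEX says what it matches but not why it is safe to use as the allow-list for names that the other hunks join into CACHE, FOUNDATION_BOARD and AGENDA_WORK paths; that property is the whole reason the `untaint` calls could be dropped and should be recorded next to the pattern. Suggested replacement for the comment: `# Allow-list for agenda and minutes file names (e.g. board_agenda_2020_10_06.txt): anchored with \A/\z and limited to \w, digits, '-' and '_' plus the literal '.txt', so a validated name cannot contain a path separator, a newline or '..' when joined into a directory path.` Because `\w+` is used for the middle segment, names other than `agenda`/`minutes` also pass, which appears intended given the existing comment but is worth stating explicitly.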
@@ -68,3 +71,7 @@ end
def dir(pattern, base=FOUNDATION_BOARD)
Dir[File.join(base, pattern)].map {|name| File.basename name}
end
+
+def validate_board_file(name)
+ raise ArgumentError, "Invalid filename #{name}" unless name =~ BOARD_REGEX
+end
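Review bot: `name =~ BOARD_REGEX` in validate_board_file builds a MatchData and sets `$~` that nothing reads; `BOARD_REGEX.match?(name)` expresses the pure predicate and avoids the allocation. The method also has no doc comment although it is now the single choke point for every file name that reaches the filesystem in agenda.rb and the action views; suggested header: `# Reject any agenda/minutes file name not matching BOARD_REGEX before it is used to build a path.` with `# @param name [String] bare file name, no directory part` and `# @raise [ArgumentError] when the name is outside the allow-list`, and the check line changed to `raise ArgumentError, "Invalid filename #{name}" unless BOARD_REGEX.match?(name)`. None of the callers in this diff rescue the ArgumentError, so a rejected name will presumably surface as a 500 rather than a 4xx unless an error handler outside the diff maps it.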
diff --git a/www/board/agenda/models/agenda.rb b/www/board/agenda/models/agenda.rb
index 959485a..de13d16 100755
--- a/www/board/agenda/models/agenda.rb
+++ b/www/board/agenda/models/agenda.rb
@@ -28,8 +28,9 @@ class Agenda
# fetch parsed agenda from in memory cache if up to date, otherwise
# fall back to disk.
def self.[](file)
+ validate_board_file(file)
+
path = File.join(CACHE, file.sub(/\.txt$/, '.yml'))
- path.untaint if file =~ /^board_agenda_\d+_\d+_\d+\.txt$/
data = @@cache[file]
if File.exist?(path) and File.mtime(path) != data[:mtime]
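Review bot: `Agenda.[]` now calls the top-level `validate_board_file` defined in main.rb, so the model file silently depends on main.rb having been loaded first; the same dependency is introduced in the `[]=`, `uptodate`, `parse` and `update` hunks below. A comment at the first use would make that explicit: `# validate_board_file and BOARD_REGEX are defined in main.rb`. Separately, the `$`-anchored `file.sub(/\.txt$/, '.yml')` on the next line is only safe because BOARD_REGEX is `\z`-anchored and admits no newline, which deserves a one-line comment now that the inline regex guard that used to sit beside it has been removed. The body of `self.[]` continues outside the hunk.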
@@ -45,8 +46,9 @@ class Agenda
# update both in memory and disk caches with new parsed agenda
def self.[]=(file, data)
+ validate_board_file(file)
+
path = File.join(CACHE, file.sub(/\.txt$/, '.yml'))
- path.untaint if file =~ /^board_agenda_\d+_\d+_\d+\.txt$/
File.open(path, File::RDWR|File::CREAT, 0644) do |fh|
fh.flock(File::LOCK_EX)
@@ -87,14 +89,16 @@ class Agenda
end
def self.uptodate(file)
- raise ArgumentError, "Invalid file name #{file}" unless file =~ /\Aboard_\w+_[\d_]+\.txt\z/
+ validate_board_file(file)
+
path = File.expand_path(file, FOUNDATION_BOARD)
return false unless File.exist? path
return Agenda[file][:mtime] == File.mtime(path)
end
def self.parse(file, mode)
- raise ArgumentError, "Invalid file name #{file}" unless file =~ /\Aboard_\w+_[\d_]+\.txt\z/
+ validate_board_file(file)
+
# for quick mode, anything will do
mode = :quick if ENV['RACK_ENV'] == 'test'
return Agenda[file][:parsed] if mode == :quick and Agenda[file][:mtime] != 0
@@ -132,6 +136,8 @@ class Agenda
# update agenda file in SVN
def self.update(file, message, retries=20, auth: nil, &block)
return unless block
+ validate_board_file(file)
+
commit_rc = 0
# Create a temporary work directory
@@ -144,8 +150,6 @@ class Agenda
auth = [['--username', env.user, '--password', env.password]]
end
- file.untaint if file =~ /\Aboard_\w+_[\d_]+\.txt\z/
-
working_copy = File.join(AGENDA_WORK, file)
File.open(working_copy, File::RDWR|File::CREAT, 0644) do |work_file|
diff --git a/www/board/agenda/views/actions/budget.json.rb b/www/board/agenda/views/actions/budget.json.rb
index 6864d62..9fe0bf2 100644
--- a/www/board/agenda/views/actions/budget.json.rb
+++ b/www/board/agenda/views/actions/budget.json.rb
@@ -2,9 +2,10 @@
# Add budget to minutes
#
+validate_board_file(@agenda)
+
@minutes = @agenda.sub('_agenda_', '_minutes_')
minutes_file = "#{AGENDA_WORK}/#{@minutes.sub('.txt', '.yml')}"
-minutes_file.untaint if @minutes =~ /^board_minutes_\d+-\d+-\d+\.txt$/
if File.exist? minutes_file
minutes = YAML.load_file(minutes_file) || {}
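Review bot: The `validate_board_file(@agenda)` call is repeated verbatim at the top of budget.json.rb, draft.json.rb, feedback.json.rb, minute.json.rb and summary.json.rb, which is easy to forget in the next action that reads `@agenda`; if these actions are dispatched from a route that assigns `@agenda`, a single `before` filter or one call in that route would cover them all (the routes are outside this diff, so that is a point to check rather than a defect). The derived `@minutes` name is only safe to use in a path because `sub('_agenda_', '_minutes_')` keeps it within BOARD_REGEX's character set; a comment such as `# @minutes is derived from the validated @agenda by a plain substring swap, so it stays within BOARD_REGEX` would record that invariant. Each view file is a flat script, so the affected unit extends beyond the hunk.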
diff --git a/www/board/agenda/views/actions/draft.json.rb b/www/board/agenda/views/actions/draft.json.rb
index c09ea99..7b855ba 100644
--- a/www/board/agenda/views/actions/draft.json.rb
+++ b/www/board/agenda/views/actions/draft.json.rb
@@ -2,8 +2,9 @@
# commit draft minutes to SVN
#
+validate_board_file(@agenda)
+
agenda_file = "#{FOUNDATION_BOARD}/#{@agenda}"
-agenda_file.untaint if @agenda =~ /^board_agenda_\d+_\d+_\d+.txt$/
minutes_file = agenda_file.sub('_agenda', '_minutes')
ASF::SVN.update minutes_file, @message, env, _ do |tmpdir, old_contents|
diff --git a/www/board/agenda/views/actions/feedback.json.rb b/www/board/agenda/views/actions/feedback.json.rb
index dcc34ed..5a6a6ed 100644
--- a/www/board/agenda/views/actions/feedback.json.rb
+++ b/www/board/agenda/views/actions/feedback.json.rb
@@ -4,10 +4,11 @@
ASF::Mail.configure
+validate_board_file(@agenda)
+
# fetch minutes
@minutes = @agenda.sub('_agenda_', '_minutes_')
minutes_file = "#{AGENDA_WORK}/#{@minutes.sub('.txt', '.yml')}"
-minutes_file.untaint if @minutes =~ /^board_minutes_\d+_\d+_\d+\.txt$/
date = @agenda[/\d+_\d+_\d+/].gsub('_', '-')
if File.exist? minutes_file
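Review bot: BOARD_REGEX admits hyphens in the date segment, but `date = @agenda[/\d+_\d+_\d+/].gsub('_', '-')` on the context line after the removed untaint assumes underscore-separated digits, so a constructed name such as `board_agenda_2020-10-06.txt` now passes validation and then raises NoMethodError on nil here. Either guard the extraction, `date = @agenda[/\d+_\d+_\d+/]` followed by `raise ArgumentError, "Unexpected agenda name #{@agenda}" unless date` and `date = date.gsub('_', '-')`, or keep an agenda-specific pattern as a second check in this action. The script continues outside the hunk.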
diff --git a/www/board/agenda/views/actions/minute.json.rb b/www/board/agenda/views/actions/minute.json.rb
index ad363d4..f1f8395 100644
--- a/www/board/agenda/views/actions/minute.json.rb
+++ b/www/board/agenda/views/actions/minute.json.rb
@@ -3,9 +3,10 @@
#
require 'active_support/core_ext/time'
+validate_board_file(@agenda)
+
@minutes = @agenda.sub('_agenda_', '_minutes_')
minutes_file = "#{AGENDA_WORK}/#{@minutes.sub('.txt', '.yml')}"
-minutes_file.untaint if @minutes =~ /^board_minutes_\d+-\d+-\d+\.txt$/
if File.exist? minutes_file
minutes = YAML.load_file(minutes_file) || {}
diff --git a/www/board/agenda/views/actions/summary.json.rb b/www/board/agenda/views/actions/summary.json.rb
index 29befa3..3b07496 100644
--- a/www/board/agenda/views/actions/summary.json.rb
+++ b/www/board/agenda/views/actions/summary.json.rb
@@ -1,9 +1,10 @@
# send summary email to committers
+validate_board_file(@agenda)
+
# fetch minutes
@minutes = @agenda.sub('_agenda_', '_minutes_')
minutes_file = File.join(AGENDA_WORK, "#{@minutes.sub('.txt', '.yml')}")
-minutes_file.untaint if @minutes =~ /^board_minutes_\d+_\d+_\d+\.txt$/
if File.exist? minutes_file
minutes = YAML.load_file(minutes_file) || {}
@@ -12,7 +13,7 @@ else
end
# ensure headers have proper CRLF
-header, body = @text.untaint.split(/\r?\n\r?\n/, 2)
+header, body = @text.split(/\r?\n\r?\n/, 2)
header.gsub! /\r?\n/, "\r\n"
# send mail