From 5900ef3db4cf96ed76a84447e1b36daf3f041128 Mon Sep 17 00:00:00 2001
From: haitham911
Date: Sat, 28 Dec 2024 15:01:56 +0200
Subject: [PATCH 1/9] allow URI contain path traversal
---
internal/exec/vendor_utils.go | 5 -----
1 file changed, 5 deletions(-)
diff --git a/internal/exec/vendor_utils.go b/internal/exec/vendor_utils.go
index 95f7dcb0e..0020d8034 100644
--- a/internal/exec/vendor_utils.go
+++ b/internal/exec/vendor_utils.go
@@ -641,11 +641,6 @@ func validateURI(uri string) error {
if len(uri) > 2048 {
return fmt.Errorf("URI exceeds maximum length of 2048 characters")
}
- // Add more validation as needed
- // Validate URI format
- if strings.Contains(uri, "..") {
- return fmt.Errorf("URI cannot contain path traversal sequences")
- }
if strings.Contains(uri, " ") {
return fmt.Errorf("URI cannot contain spaces")
}
From 71fff29d634da9214d2cfff415fd0828872db519 Mon Sep 17 00:00:00 2001
From: haitham911
Date: Sat, 28 Dec 2024 15:04:19 +0200
Subject: [PATCH 2/9] allow scheme: git::
---
internal/exec/vendor_utils.go | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/internal/exec/vendor_utils.go b/internal/exec/vendor_utils.go
index 0020d8034..095481488 100644
--- a/internal/exec/vendor_utils.go
+++ b/internal/exec/vendor_utils.go
@@ -641,6 +641,7 @@ func validateURI(uri string) error {
if len(uri) > 2048 {
return fmt.Errorf("URI exceeds maximum length of 2048 characters")
}
+
if strings.Contains(uri, " ") {
return fmt.Errorf("URI cannot contain spaces")
}
@@ -653,11 +654,6 @@ func validateURI(uri string) error {
if !strings.Contains(uri[6:], "/") {
return fmt.Errorf("invalid OCI URI format")
}
- } else if strings.Contains(uri, "://") {
- scheme := strings.Split(uri, "://")[0]
- if !isValidScheme(scheme) {
- return fmt.Errorf("unsupported URI scheme: %s", scheme)
- }
}
return nil
}
From 4e8c172a6cee020ce3d13143137a735b93cba407 Mon Sep 17 00:00:00 2001
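Review bot: Dropping the `..` rejection leaves nothing in this hunk that keeps a local source from resolving outside the directory that holds the vendor config, and validateURI continues outside the hunk without a replacement check. If relative sources such as `../shared` are the goal, the rule worth keeping is containment of the resolved path, applied where the local path is built (determineSourceType, changed in PATCH 9/9, joins it as `absPath`): `if rel, err := filepath.Rel(baseDir, absPath); err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) { return fmt.Errorf("source %q resolves outside %s", *uri, baseDir) }`, with `baseDir` a placeholder for the vendor config's directory (whether vendorConfigFilePath is that directory or the file itself is not visible here). If traversal is meant to be unrestricted, say so on validateURI, e.g. `// validateURI intentionally permits ".." so sources may point above the vendor config; callers own any containment rule`.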
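Review bot: Removing the `else if` branch makes validateURI accept any `scheme://` value, although the `git::` form only failed the old check because `strings.Split(uri, "://")[0]` yields `git::https` rather than `https`. The allowlist can stay if the forced-getter prefix is stripped first: `scheme := strings.Split(uri, "://")[0]`, `if i := strings.Index(scheme, "::"); i >= 0 { scheme = scheme[i+2:] }`, `if !isValidScheme(scheme) { return fmt.Errorf("unsupported URI scheme: %s", scheme) }`. With the branch gone, isValidScheme is presumably left unreferenced unless a caller exists outside this view, which staticcheck will report. The first hunk of this patch only adds a blank line and needs no change.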
From: haitham911
Date: Sat, 28 Dec 2024 15:05:19 +0200
Subject: [PATCH 3/9] remove max length check url
---
internal/exec/vendor_utils.go | 5 -----
1 file changed, 5 deletions(-)
diff --git a/internal/exec/vendor_utils.go b/internal/exec/vendor_utils.go
index 095481488..913dd2415 100644
--- a/internal/exec/vendor_utils.go
+++ b/internal/exec/vendor_utils.go
@@ -637,11 +637,6 @@ func validateURI(uri string) error {
if uri == "" {
return fmt.Errorf("URI cannot be empty")
}
- // Maximum length check
- if len(uri) > 2048 {
- return fmt.Errorf("URI exceeds maximum length of 2048 characters")
- }
-
if strings.Contains(uri, " ") {
return fmt.Errorf("URI cannot contain spaces")
}
From 26fb6f6c5692d4a4697d31ae1364a1e1f62d24d4 Mon Sep 17 00:00:00 2001
From: haitham911
Date: Sat, 28 Dec 2024 15:06:38 +0200
Subject: [PATCH 4/9] remove character url validate
---
internal/exec/vendor_utils.go | 4 ----
1 file changed, 4 deletions(-)
diff --git a/internal/exec/vendor_utils.go b/internal/exec/vendor_utils.go
index 913dd2415..339608475 100644
--- a/internal/exec/vendor_utils.go
+++ b/internal/exec/vendor_utils.go
@@ -640,10 +640,6 @@ func validateURI(uri string) error {
if strings.Contains(uri, " ") {
return fmt.Errorf("URI cannot contain spaces")
}
- // Validate characters
- if strings.ContainsAny(uri, "<>|&;$") {
- return fmt.Errorf("URI contains invalid characters")
- }
// Validate scheme-specific format
if strings.HasPrefix(uri, "oci://") {
if !strings.Contains(uri[6:], "/") {
From dcd008664869f3c590bf66c704c6eaeba98c439f Mon Sep 17 00:00:00 2001
From: haitham911
Date: Sat, 28 Dec 2024 15:47:45 +0200
Subject: [PATCH 5/9] fix log error
---
internal/exec/vendor_model.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/exec/vendor_model.go b/internal/exec/vendor_model.go
index 1209e6805..f35e3a0e9 100644
--- a/internal/exec/vendor_model.go
+++ b/internal/exec/vendor_model.go
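Review bot: After this hunk and the PATCH 4/9 hunk that follows it, validateURI rejects only an empty string and embedded spaces, and neither hunk records why the 2048-byte cap and the `<>|&;$` filter could not stay; the rest of validateURI is outside both hunks. If a URI is ever spliced into a command line or a shell (not visible here), the character filter was load-bearing and belongs in the layer that builds that command; if the URI is always passed as a discrete argument, a comment such as `// validateURI deliberately checks only for empty input and spaces; scheme, length and character rules are not enforced here` keeps the next reader from assuming stronger guarantees. If the cap was removed because real sources exceed 2048 bytes, raising the limit rather than deleting it keeps an upper bound on what the later string scans and url.Parse have to process.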
@@ -161,7 +161,7 @@ func (m *modelVendor) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
}
version := grayColor.Render(version)
return m, tea.Sequence(
- tea.Printf("%s %s %s", mark, pkg.name, version),
+ tea.Printf("%s %s %s %s", mark, pkg.name, version, errMsg),
tea.Quit,
)
}
From ee879d9a8045b417bc8b95d4333d2ce82fa94d3d Mon Sep 17 00:00:00 2001
From: haitham911
Date: Sun, 29 Dec 2024 15:52:47 +0200
Subject: [PATCH 6/9] add git schema to source on vendor yaml
---
examples/demo-vendoring/vendor.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/demo-vendoring/vendor.yaml b/examples/demo-vendoring/vendor.yaml
index 72786a00f..6fa67b14b 100644
--- a/examples/demo-vendoring/vendor.yaml
+++ b/examples/demo-vendoring/vendor.yaml
@@ -9,7 +9,7 @@ spec:
sources:
- component: "github/stargazers"
- source: "github.com/cloudposse/atmos.git//examples/demo-library/{{ .Component }}?ref={{.Version}}"
+ source: "git::https://github.com/cloudposse/atmos.git//examples/demo-library/{{ .Component }}?ref={{.Version}}"
version: "main"
targets:
- "components/terraform/{{ .Component }}/{{.Version}}"
From f10db51a7469fdfb6d5b8736d3baa6ebe089c607 Mon Sep 17 00:00:00 2001
From: haitham911
Date: Sun, 29 Dec 2024 17:55:25 +0200
Subject: [PATCH 7/9] modify source on vendor yaml
---
examples/demo-vendoring/vendor.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/demo-vendoring/vendor.yaml b/examples/demo-vendoring/vendor.yaml
index 6fa67b14b..72786a00f 100644
--- a/examples/demo-vendoring/vendor.yaml
+++ b/examples/demo-vendoring/vendor.yaml
@@ -9,7 +9,7 @@ spec:
sources:
- component: "github/stargazers"
- source: "git::https://github.com/cloudposse/atmos.git//examples/demo-library/{{ .Component }}?ref={{.Version}}"
+ source: "github.com/cloudposse/atmos.git//examples/demo-library/{{ .Component }}?ref={{.Version}}"
version: "main"
targets:
- "components/terraform/{{ .Component }}/{{.Version}}"
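Review bot: The new format string always appends `errMsg`, so whenever it is empty the printed line ends with a trailing space; errMsg and the rest of Update are defined outside the hunk, so I cannot see whether a success path reaches this Printf. If one does, build the line conditionally instead of padding unconditionally: `line := fmt.Sprintf("%s %s %s", mark, pkg.name, version)`, `if errMsg != "" { line += " " + errMsg }`, `tea.Printf("%s", line)` (this assumes errMsg is a string; its type is not visible here). A short comment on the Printf saying what errMsg holds on each path would also help, since the commit title "fix log error" does not say.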
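Review bot: PATCH 7/9 restores the exact `source:` line that PATCH 6/9 changed in examples/demo-vendoring/vendor.yaml, so the two patches cancel out and only add noise to the series; squashing them away keeps the history to the patches that change behaviour. PATCH 8/9 then makes the same `git::https://` change to examples/tests/vendor.yaml and keeps it, so after the series the two example files disagree on whether the forced-getter prefix is needed. A one-line comment above the `source:` entry in whichever example is canonical, saying that both the bare `github.com/...` form and the `git::https://` form are accepted (if that is the intent), would make the choice deliberate rather than accidental.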
From 4ebd7991da8ab3a3171e07587b6aadb6cf1646b9 Mon Sep 17 00:00:00 2001
From: haitham911
Date: Sun, 29 Dec 2024 18:10:52 +0200
Subject: [PATCH 8/9] use git on vendor test
---
examples/tests/vendor.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/tests/vendor.yaml b/examples/tests/vendor.yaml
index 17bba24fc..ab64e00df 100644
--- a/examples/tests/vendor.yaml
+++ b/examples/tests/vendor.yaml
@@ -45,7 +45,7 @@ spec:
- test
- networking
- component: "vpc-flow-logs-bucket"
- source: "github.com/cloudposse/terraform-aws-components.git//modules/vpc-flow-logs-bucket?ref={{.Version}}"
+ source: "git::https://github.com/cloudposse/terraform-aws-components.git//modules/vpc-flow-logs-bucket?ref={{.Version}}"
version: "1.323.0"
targets:
- "components/terraform/infra/vpc-flow-logs-bucket/{{.Version}}"
From 3818cbfb431408d97b8c2b81c2faf16ae213b3d9 Mon Sep 17 00:00:00 2001
From: Haitham Rageh
Date: Wed, 1 Jan 2025 01:29:13 +0200
Subject: [PATCH 9/9] fix windows path
---
internal/exec/vendor_model.go | 2 +-
internal/exec/vendor_utils.go | 16 ++++++++++++++--
2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/internal/exec/vendor_model.go b/internal/exec/vendor_model.go
index f35e3a0e9..312dc222e 100644
--- a/internal/exec/vendor_model.go
+++ b/internal/exec/vendor_model.go
@@ -246,7 +246,7 @@ func downloadAndInstall(p *pkgAtmosVendor, dryRun bool, atmosConfig schema.Atmos
}
// Create temp directory
- tempDir, err := os.MkdirTemp("", fmt.Sprintf("atmos-vendor-%d-*", time.Now().Unix()))
+ tempDir, err := os.MkdirTemp("", "atmos-vendor")
if err != nil {
return installedPkgMsg{
err: fmt.Errorf("failed to create temp directory: %w", err),
diff --git a/internal/exec/vendor_utils.go b/internal/exec/vendor_utils.go
index 339608475..b4e5c100b 100644
--- a/internal/exec/vendor_utils.go
+++ b/internal/exec/vendor_utils.go
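Review bot: With `time.Now()` gone from this line, nothing in the hunk references the `time` package any more; if that was vendor_model.go's only use, the file stops compiling, and the import block is outside this view, so please check it. Dropping the `*` is itself fine, since os.MkdirTemp appends its random suffix when the pattern has no `*`, so the directory stays unique without the timestamp. A comment on the new line such as `// MkdirTemp appends a random suffix; the timestamp added nothing to uniqueness` would record why the pattern shrank, which the commit title "fix windows path" does not explain.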
@@ -377,7 +377,7 @@ func ExecuteAtmosVendorInternal(
if err != nil {
return err
}
- targetPath := filepath.Join(vendorConfigFilePath, target)
+ targetPath := filepath.Join(filepath.ToSlash(vendorConfigFilePath), filepath.ToSlash(target))
pkgName := s.Component
if pkgName == "" {
pkgName = uri
@@ -507,12 +507,22 @@ func determineSourceType(uri *string, vendorConfigFilePath string) (bool, bool,
useLocalFileSystem := false
sourceIsLocalFile := false
if !useOciScheme {
- if absPath, err := u.JoinAbsolutePathWithPath(vendorConfigFilePath, *uri); err == nil {
+ if absPath, err := u.JoinAbsolutePathWithPath(filepath.ToSlash(vendorConfigFilePath), *uri); err == nil {
uri = &absPath
useLocalFileSystem = true
sourceIsLocalFile = u.FileExists(*uri)
}
+ u, err := url.Parse(*uri)
+ if err == nil && u.Scheme != "" {
+ if u.Scheme == "file" {
+ trimmedPath := strings.TrimPrefix(filepath.ToSlash(u.Path), "/")
+ *uri = filepath.Clean(trimmedPath)
+ useLocalFileSystem = true
+ }
+ }
+
}
+
return useOciScheme, useLocalFileSystem, sourceIsLocalFile
}
@@ -580,6 +590,8 @@ func generateSkipFunction(atmosConfig schema.AtmosConfiguration, tempDir string,
if filepath.Base(src) == ".git" {
return true, nil
}
+ tempDir = filepath.ToSlash(tempDir)
+ src = filepath.ToSlash(src)
trimmedSrc := u.TrimBasePathFromPath(tempDir+"/", src)
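Review bot: Wrapping both arguments in filepath.ToSlash before filepath.Join has no effect on Windows, because Join runs Clean on its result and Clean rewrites every `/` back to `\`, so targetPath is byte-identical to what the removed line produced. If a forward-slash form is what the later code needs, convert the result instead: `targetPath := filepath.ToSlash(filepath.Join(vendorConfigFilePath, target))`; if an OS-native path is fine, the original line can stay. ExecuteAtmosVendorInternal begins and ends outside the hunk, so I cannot see which form the consumers of targetPath expect. The same ToSlash-then-Clean pattern appears in the determineSourceType hunk below, where `filepath.Clean(trimmedPath)` likewise undoes the preceding ToSlash.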
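Review bot: `strings.TrimPrefix(filepath.ToSlash(u.Path), "/")` strips the leading slash unconditionally, so on non-Windows hosts `file:///etc/example` becomes the relative path `etc/example`, resolved against the process working directory rather than the filesystem root or the vendor config's directory; only the Windows `file:///C:/...` form benefits from the trim. The local `u` returned by url.Parse also shadows the `u` helper package used just above (`u.FileExists`) for the rest of the `if !useOciScheme` block, which compiles today but will surprise the next addition to that block. Note too that when the preceding `if` succeeds, `uri = &absPath` has already repointed `uri` at the local `absPath`, so the later `*uri = filepath.Clean(...)` write does not reach the caller; a test covering both orders would settle which value the caller sees. A version that trims only when a volume name follows the slash and avoids the shadowing is below; determineSourceType's signature appears only in the hunk header.
```go
	// … unchanged: JoinAbsolutePathWithPath block …
	parsed, err := url.Parse(*uri)
	if err == nil && parsed.Scheme == "file" {
		p := filepath.ToSlash(parsed.Path)
		// url.Parse yields "/C:/dir" for file:///C:/dir; drop the slash only
		// when a volume name follows it, so "/etc/dir" stays absolute elsewhere.
		if t := strings.TrimPrefix(p, "/"); filepath.VolumeName(t) != "" {
			p = t
		}
		*uri = filepath.Clean(p)
		useLocalFileSystem = true
	}
```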