-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
#6981: fs_permissions
find permission also sym links
#7022
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd like to see some x-platform tests on this because Path::canonicalize
also transforms paths into the abysmal Windows extended path format which has historically messed up a lot of path-related things in Foundry. For example, the directory separator becomes a backslash instead of a forward slash, which might mean this actually breaks on Windows.
You can see some examples of integration tests that set up foundry.toml
and projects in https://github.com/foundry-rs/foundry/tree/master/crates/forge/tests/cli
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd like to see an additional non-windows test for this
- for default fs permissions config - for parsing custom fs permissions - to resolve symlink permissions
added here 250bbc5#diff-289d6a2d36ab0e59edc4f4baeeaa5026ecae1002e13a5fc80e033e46d612bc7bR676 |
thanks for hint, I added couple of them (some mimics the unit tests) with 250bbc5, using |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm, pending @mattsse
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you elaborate on the fix, unclear why we need to do this
we also want an actual solidity test example, see repro in the issue
let permission_path = dunce::canonicalize(&perm.path).unwrap_or(perm.path.clone()); | ||
if path.starts_with(permission_path) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm actually not sure why this is the right fix, because the path should already be canonicalized here
foundry/crates/cheatcodes/src/config.rs
Lines 72 to 80 in 5ef0d6f
/// Returns true if the given path is allowed, if any path `allowed_paths` is an ancestor of the | |
/// path | |
/// | |
/// We only allow paths that are inside allowed paths. To prevent path traversal | |
/// ("../../etc/passwd") we canonicalize/normalize the path first. We always join with the | |
/// configured root directory. | |
pub fn is_path_allowed(&self, path: impl AsRef<Path>, kind: FsAccessKind) -> bool { | |
self.is_normalized_path_allowed(&self.normalized_path(path), kind) | |
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm actually not sure why this is the right fix, because the path should already be canonicalized here
foundry/crates/cheatcodes/src/config.rs
Lines 72 to 80 in 5ef0d6f
/// Returns true if the given path is allowed, if any path `allowed_paths` is an ancestor of the /// path /// /// We only allow paths that are inside allowed paths. To prevent path traversal /// ("../../etc/passwd") we canonicalize/normalize the path first. We always join with the /// configured root directory. pub fn is_path_allowed(&self, path: impl AsRef<Path>, kind: FsAccessKind) -> bool { self.is_normalized_path_allowed(&self.normalized_path(path), kind) }
that's the normalized path to the file desired to be loaded in test (by using vm.readFile
), mind that is passed to is_normalized_path_allowed
function which checks it against configured fs_permissions
path (that are not normalized)
foundry/crates/cheatcodes/src/config.rs
Lines 78 to 84 in 5ef0d6f
pub fn is_path_allowed(&self, path: impl AsRef<Path>, kind: FsAccessKind) -> bool { | |
self.is_normalized_path_allowed(&self.normalized_path(path), kind) | |
} | |
fn is_normalized_path_allowed(&self, path: &Path, kind: FsAccessKind) -> bool { | |
self.fs_permissions.is_path_allowed(path, kind) | |
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah now I see, it, we're canonicalizing the permission path, got it ty!
sure, so using repo in #6981 with following structure (mind that the
with configured permission
when trying to read the file as
the foundry/crates/config/src/fs_permissions.rs Lines 45 to 56 in 5ef0d6f
so comparing if Proposed fix is to normalize the configured
I made the tests against repo provided in #6981 (which I mimicked in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for explaining, now I got it
lgtm
let permission_path = dunce::canonicalize(&perm.path).unwrap_or(perm.path.clone()); | ||
if path.starts_with(permission_path) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah now I see, it, we're canonicalizing the permission path, got it ty!
Motivation
see #6981
Solution
fs_permissions
symlinks paths when finding permissionsTests