Refactor prepare task to use typed inputs and outputs #1324
justin-thurman wants to merge 7 commits into
📦 Package Size: 7100 KB
Codecov Report: ✅ All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
##            main    #1324     +/-  ##
=======================================
+ Coverage   80.75%   80.77%  +0.02%
=======================================
  Files        224      224
  Lines       4204     4235     +31
  Branches    1200     1203      +3
=======================================
+ Hits        3395     3421     +26
+ Misses       695      694      -1
- Partials     114      120      +6

☔ View full report in Codecov by Sentry.
Branch updated from 729e9d1 to 50fe741.
| const apkPath = path.join(ctx.sourceDir, 'storybook.apk'); | ||
| export async function validateAndroidArtifact(sourceDirectory: string): Promise<boolean> { | ||
| const apkPath = path.join(sourceDirectory, 'storybook.apk'); |
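Review bot: the new `sourceDirectory` parameter replaces `ctx.sourceDir` in this hunk, so whether the scanner finding below is actionable depends entirely on where the caller obtains that value; a JSDoc line on `validateAndroidArtifact` stating the origin of `sourceDirectory` (and that the joined file name is the fixed `storybook.apk`) would let the finding be dismissed or fixed on that basis without the next reader having to trace the call site.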
Potential file inclusion attack via reading file - medium severity
If an attacker can control the input leading into the ReadFile function, they might be able to read sensitive files and launch further attacks with that information.
| const apkPath = path.join(sourceDirectory, 'storybook.apk'); | |
| const resolvedBase = path.resolve(sourceDirectory); | |
| const resolvedTarget = path.resolve(resolvedBase, 'storybook.apk'); | |
| const relative = path.relative(resolvedBase, resolvedTarget); | |
| if (relative.startsWith('..') || path.isAbsolute(relative)) { | |
| throw new Error('Invalid file path'); | |
| } | |
| const apkPath = resolvedTarget; |
| if (!input.validator(fileInfo, input.browsers).valid && input.buildLogFile) { | ||
| try { | ||
| const buildLog = readFileSync(ctx.buildLogFile, 'utf8'); | ||
| const buildLog = readFileSync(input.buildLogFile, 'utf8'); |
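Review bot: `input.buildLogFile` is checked only for truthiness before `readFileSync`, and the surrounding `try` covers a missing file, but the new `input` type should document whether `buildLogFile` (formerly `ctx.buildLogFile`) is a path the CLI derives itself or one a user can supply, since that is what the scanner finding below turns on; note that the scanner's suggested rejection of absolute paths would also reject a legitimate absolute build-log path, so if a check is added it should be a containment check against the expected directory rather than a blanket `isAbsolute` rejection.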
Potential file inclusion attack via reading file - medium severity
If an attacker can control the input leading into the ReadFile function, they might be able to read sensitive files and launch further attacks with that information.
| const buildLog = readFileSync(input.buildLogFile, 'utf8'); | |
| const buildLogFile = input.buildLogFile; | |
| if (buildLogFile.includes('..') || path.isAbsolute(buildLogFile)) { | |
| throw new Error('Invalid file path'); | |
| } | |
| const buildLog = readFileSync(buildLogFile, 'utf8'); |
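The two suggested fixes above apply different rules: the first checks containment with path.resolve/path.relative, the second rejects any path containing '..' or any absolute path. As an added example (not code from the chromatic CLI or from the scanner), a containment helper that handles the inputs the two rules diverge on; the base directory and sample paths are constructed for illustration:

```typescript
import * as path from 'path';

// Mirrors the rule in the second suggested fix (any '..' substring or any
// absolute path is rejected). Included only for comparison.
export function naiveAllows(candidate: string): boolean {
  return !candidate.includes('..') && !path.posix.isAbsolute(candidate);
}

// Containment check in the spirit of the first suggested fix, tightened so
// that only real parent-directory segments are rejected (a file named
// '..foo' is fine). Returns the absolute target when it lies inside baseDir,
// otherwise null. Uses path.posix so results are the same on every platform.
export function resolveWithin(baseDir: string, candidate: string): string | null {
  const base = path.posix.resolve(baseDir);
  const target = path.posix.resolve(base, candidate);
  const rel = path.posix.relative(base, target);
  // rel === '' means the target is baseDir itself, not a file inside it.
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.posix.sep)) {
    return null;
  }
  return target;
}

// Constructed sample inputs (assumed base directory, not taken from the PR).
export const BASE = '/tmp/chromatic-build';
export const CASES: Array<[string, string | null, boolean]> = [
  // [candidate, expected resolveWithin result, expected naiveAllows result]
  ['storybook.apk', '/tmp/chromatic-build/storybook.apk', true],
  ['../etc/passwd', null, false],                 // escapes base: both reject
  ['sub/../../other', null, false],               // normalises to an escape
  ['/etc/passwd', null, false],                   // absolute and outside
  ['/tmp/chromatic-build2/x', null, false],       // sibling sharing a prefix
  ['logs/build..1.log', '/tmp/chromatic-build/logs/build..1.log', false], // '..' inside a name
  ['..foo', '/tmp/chromatic-build/..foo', false], // leading '..' but not a segment
  ['/tmp/chromatic-build/build.log', '/tmp/chromatic-build/build.log', false], // absolute, inside
];

// Returns true when every sample behaves as the table above expects.
export function runCases(): boolean {
  return CASES.every(([candidate, want, naive]) =>
    resolveWithin(BASE, candidate) === want && naiveAllows(candidate) === naive);
}
```

The last three rows are where the two scanner suggestions disagree: the substring rule rejects harmless names and legitimate absolute paths, while the containment rule only rejects paths that actually leave the base directory.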
Follows
#1302
Description
This PR continues the migration of CLI tasks to the new, typed structure established in #1302, migrating the prepare task. Like the initialize task refactored in #1323, this task has distinct subtasks, which I've split up into separate files to aid readability. So the commits in this PR are structured around migrating each of these subtasks separately, alongside some generic housecleaning. The main prepare/index.ts orchestration layer is updated throughout the other commits (I couldn't find a clean way to put this in its own commit, unfortunately, so I recommend reviewing prepare/index.ts primarily in its finished state and not worrying too much about its state commit-by-commit).

📦 Published PR as canary version: 16.10.2--canary.1324.25933365397.0
✨ Test out this PR locally via:
npm install chromatic@16.10.2--canary.1324.25933365397.0 # or yarn add chromatic@16.10.2--canary.1324.25933365397.0