-
-
Notifications
You must be signed in to change notification settings - Fork 1.5k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #9547 from hercules-ci/allowed-scheme-without-slash
`allowed-uris`: match whole schemes without slashes
- Loading branch information
Showing
9 changed files
with
236 additions
and
13 deletions.
There are no files selected for viewing
7 changes: 7 additions & 0 deletions
7
doc/manual/rl-next/allowed-uris-can-now-match-whole-schemes.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
--- | ||
synopsis: Option `allowed-uris` can now match whole schemes in URIs without slashes | ||
prs: 9547 | ||
--- | ||
|
||
If a scheme, such as `github:` is specified in the `allowed-uris` option, all URIs starting with `github:` are allowed. | ||
Previously this only worked for schemes whose URIs used the `://` syntax. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,141 @@ | ||
#include <gmock/gmock.h> | ||
#include <gtest/gtest.h> | ||
|
||
#include "eval.hh" | ||
#include "tests/libexpr.hh" | ||
|
||
namespace nix { | ||
|
||
TEST(nix_isAllowedURI, http_example_com) { | ||
Strings allowed; | ||
allowed.push_back("http://example.com"); | ||
|
||
ASSERT_TRUE(isAllowedURI("http://example.com", allowed)); | ||
ASSERT_TRUE(isAllowedURI("http://example.com/foo", allowed)); | ||
ASSERT_TRUE(isAllowedURI("http://example.com/foo/", allowed)); | ||
ASSERT_FALSE(isAllowedURI("/", allowed)); | ||
ASSERT_FALSE(isAllowedURI("http://example.co", allowed)); | ||
ASSERT_FALSE(isAllowedURI("http://example.como", allowed)); | ||
ASSERT_FALSE(isAllowedURI("http://example.org", allowed)); | ||
ASSERT_FALSE(isAllowedURI("http://example.org/foo", allowed)); | ||
} | ||
|
||
TEST(nix_isAllowedURI, http_example_com_foo) { | ||
Strings allowed; | ||
allowed.push_back("http://example.com/foo"); | ||
|
||
ASSERT_TRUE(isAllowedURI("http://example.com/foo", allowed)); | ||
ASSERT_TRUE(isAllowedURI("http://example.com/foo/", allowed)); | ||
ASSERT_FALSE(isAllowedURI("/foo", allowed)); | ||
ASSERT_FALSE(isAllowedURI("http://example.com", allowed)); | ||
ASSERT_FALSE(isAllowedURI("http://example.como", allowed)); | ||
ASSERT_FALSE(isAllowedURI("http://example.org/foo", allowed)); | ||
// Broken? | ||
// ASSERT_TRUE(isAllowedURI("http://example.com/foo?ok=1", allowed)); | ||
} | ||
|
||
TEST(nix_isAllowedURI, http) { | ||
Strings allowed; | ||
allowed.push_back("http://"); | ||
|
||
ASSERT_TRUE(isAllowedURI("http://", allowed)); | ||
ASSERT_TRUE(isAllowedURI("http://example.com", allowed)); | ||
ASSERT_TRUE(isAllowedURI("http://example.com/foo", allowed)); | ||
ASSERT_TRUE(isAllowedURI("http://example.com/foo/", allowed)); | ||
ASSERT_TRUE(isAllowedURI("http://example.com", allowed)); | ||
ASSERT_FALSE(isAllowedURI("/", allowed)); | ||
ASSERT_FALSE(isAllowedURI("https://", allowed)); | ||
ASSERT_FALSE(isAllowedURI("http:foo", allowed)); | ||
} | ||
|
||
TEST(nix_isAllowedURI, https) { | ||
Strings allowed; | ||
allowed.push_back("https://"); | ||
|
||
ASSERT_TRUE(isAllowedURI("https://example.com", allowed)); | ||
ASSERT_TRUE(isAllowedURI("https://example.com/foo", allowed)); | ||
ASSERT_FALSE(isAllowedURI("http://example.com", allowed)); | ||
ASSERT_FALSE(isAllowedURI("http://example.com/https:", allowed)); | ||
} | ||
|
||
TEST(nix_isAllowedURI, absolute_path) { | ||
Strings allowed; | ||
allowed.push_back("/var/evil"); // bad idea | ||
|
||
ASSERT_TRUE(isAllowedURI("/var/evil", allowed)); | ||
ASSERT_TRUE(isAllowedURI("/var/evil/", allowed)); | ||
ASSERT_TRUE(isAllowedURI("/var/evil/foo", allowed)); | ||
ASSERT_TRUE(isAllowedURI("/var/evil/foo/", allowed)); | ||
ASSERT_FALSE(isAllowedURI("/", allowed)); | ||
ASSERT_FALSE(isAllowedURI("/var/evi", allowed)); | ||
ASSERT_FALSE(isAllowedURI("/var/evilo", allowed)); | ||
ASSERT_FALSE(isAllowedURI("/var/evilo/", allowed)); | ||
ASSERT_FALSE(isAllowedURI("/var/evilo/foo", allowed)); | ||
ASSERT_FALSE(isAllowedURI("http://example.com/var/evil", allowed)); | ||
ASSERT_FALSE(isAllowedURI("http://example.com//var/evil", allowed)); | ||
ASSERT_FALSE(isAllowedURI("http://example.com//var/evil/foo", allowed)); | ||
} | ||
|
||
TEST(nix_isAllowedURI, file_url) { | ||
Strings allowed; | ||
allowed.push_back("file:///var/evil"); // bad idea | ||
|
||
ASSERT_TRUE(isAllowedURI("file:///var/evil", allowed)); | ||
ASSERT_TRUE(isAllowedURI("file:///var/evil/", allowed)); | ||
ASSERT_TRUE(isAllowedURI("file:///var/evil/foo", allowed)); | ||
ASSERT_TRUE(isAllowedURI("file:///var/evil/foo/", allowed)); | ||
ASSERT_FALSE(isAllowedURI("/", allowed)); | ||
ASSERT_FALSE(isAllowedURI("/var/evi", allowed)); | ||
ASSERT_FALSE(isAllowedURI("/var/evilo", allowed)); | ||
ASSERT_FALSE(isAllowedURI("/var/evilo/", allowed)); | ||
ASSERT_FALSE(isAllowedURI("/var/evilo/foo", allowed)); | ||
ASSERT_FALSE(isAllowedURI("http://example.com/var/evil", allowed)); | ||
ASSERT_FALSE(isAllowedURI("http://example.com//var/evil", allowed)); | ||
ASSERT_FALSE(isAllowedURI("http://example.com//var/evil/foo", allowed)); | ||
ASSERT_FALSE(isAllowedURI("http://var/evil", allowed)); | ||
ASSERT_FALSE(isAllowedURI("http:///var/evil", allowed)); | ||
ASSERT_FALSE(isAllowedURI("http://var/evil/", allowed)); | ||
ASSERT_FALSE(isAllowedURI("file:///var/evi", allowed)); | ||
ASSERT_FALSE(isAllowedURI("file:///var/evilo", allowed)); | ||
ASSERT_FALSE(isAllowedURI("file:///var/evilo/", allowed)); | ||
ASSERT_FALSE(isAllowedURI("file:///var/evilo/foo", allowed)); | ||
ASSERT_FALSE(isAllowedURI("file:///", allowed)); | ||
ASSERT_FALSE(isAllowedURI("file://", allowed)); | ||
} | ||
|
||
TEST(nix_isAllowedURI, github_all) { | ||
Strings allowed; | ||
allowed.push_back("github:"); | ||
ASSERT_TRUE(isAllowedURI("github:", allowed)); | ||
ASSERT_TRUE(isAllowedURI("github:foo/bar", allowed)); | ||
ASSERT_TRUE(isAllowedURI("github:foo/bar/feat-multi-bar", allowed)); | ||
ASSERT_TRUE(isAllowedURI("github:foo/bar?ref=refs/heads/feat-multi-bar", allowed)); | ||
ASSERT_TRUE(isAllowedURI("github://foo/bar", allowed)); | ||
ASSERT_FALSE(isAllowedURI("https://github:443/foo/bar/archive/master.tar.gz", allowed)); | ||
ASSERT_FALSE(isAllowedURI("file://github:foo/bar/archive/master.tar.gz", allowed)); | ||
ASSERT_FALSE(isAllowedURI("file:///github:foo/bar/archive/master.tar.gz", allowed)); | ||
ASSERT_FALSE(isAllowedURI("github", allowed)); | ||
} | ||
|
||
TEST(nix_isAllowedURI, github_org) { | ||
Strings allowed; | ||
allowed.push_back("github:foo"); | ||
ASSERT_FALSE(isAllowedURI("github:", allowed)); | ||
ASSERT_TRUE(isAllowedURI("github:foo/bar", allowed)); | ||
ASSERT_TRUE(isAllowedURI("github:foo/bar/feat-multi-bar", allowed)); | ||
ASSERT_TRUE(isAllowedURI("github:foo/bar?ref=refs/heads/feat-multi-bar", allowed)); | ||
ASSERT_FALSE(isAllowedURI("github://foo/bar", allowed)); | ||
ASSERT_FALSE(isAllowedURI("https://github:443/foo/bar/archive/master.tar.gz", allowed)); | ||
ASSERT_FALSE(isAllowedURI("file://github:foo/bar/archive/master.tar.gz", allowed)); | ||
ASSERT_FALSE(isAllowedURI("file:///github:foo/bar/archive/master.tar.gz", allowed)); | ||
} | ||
|
||
TEST(nix_isAllowedURI, non_scheme_colon) { | ||
Strings allowed; | ||
allowed.push_back("https://foo/bar:"); | ||
ASSERT_TRUE(isAllowedURI("https://foo/bar:", allowed)); | ||
ASSERT_TRUE(isAllowedURI("https://foo/bar:/baz", allowed)); | ||
ASSERT_FALSE(isAllowedURI("https://foo/bar:baz", allowed)); | ||
} | ||
|
||
} // namespace nix |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters