Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix favorites to consult allowlist #3526

Open
wants to merge 9 commits into
base: master
Choose a base branch
from
Open

Fix favorites to consult allowlist #3526

wants to merge 9 commits into from

Conversation

Oglopf
Copy link
Contributor

@Oglopf Oglopf commented Apr 22, 2024

Fixes #3193

@Oglopf
Copy link
Contributor Author

Oglopf commented Apr 22, 2024

Need to take a look a the DashboardControllerTest#test_should_create_Files_dropdown test.

HazelGrant
HazelGrant reviewed May 9, 2024
View reviewed changes
apps/dashboard/test/integration/dashboard_controller_test.rb Outdated
`mkdir -p #{project_path}`
`mkdir -p #{project_path2}`
# regular directory now though?
#`mkdir -p #{s3_path}`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you expand more on what you mean by this? The next assertion passes when I uncomment this line, and it's the URLs that are wrong - and the problem there:

Screenshot 2024-05-09 at 10 06 46 AM

Which is what the old assertion was (but then if I change to the old assertion I still get S3 weirdness, so I want to investigate your thoughts behind this being commented out).

johrstrom
johrstrom reviewed May 9, 2024
View reviewed changes
apps/dashboard/app/apps/ood_files_app.rb Outdated
p.remote? || p.path.directory? && p.path.readable? && p.path.executable?
Configuration.allowlist_paths.include?(p.path) && (p.remote? || p.path.directory?) && p.path.readable? && p.path.executable?
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is the source of the issues you're having with the tests.

This would evaluate to false. I.e., it does not account for child paths.

['/a'].include?('/a/b')

I think you need to use Allowlist.default.permitted?(p.path)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is Allowlist here?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I replaced Configuration.allowlist_paths.include?(p.path) with AllowlistPolicy.default.permitted?(p.path) and there is still wonkiness with the way the S3 path is expanded in the test.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep you found it - I pulled that from memory, should have been AllowlistPolicy

ondemand/apps/dashboard/app/models/allowlist_policy.rb

Line 4 in 2121695

class AllowlistPolicy

@Oglopf Oglopf marked this pull request as ready for review May 20, 2024 16:02
HazelGrant
HazelGrant previously approved these changes May 20, 2024
View reviewed changes
johrstrom
johrstrom reviewed May 20, 2024
View reviewed changes
apps/dashboard/app/apps/ood_files_app.rb Outdated
@@ -20,7 +20,7 @@ def candidate_favorite_paths
# returns an array of other paths provided as shortcuts to the user
def favorite_paths
@favorite_paths ||= candidate_favorite_paths.select do |p|
p.remote? || p.path.directory? && p.path.readable? && p.path.executable?
AllowlistPolicy.default.permitted?(p.path) && (p.remote? || p.path.directory?) && p.path.readable? && p.path.executable?
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think remote locations adhere to these allowlists because they always check the local filesystem. That is, remote filesystems are always allowed.

So maybe this turns into something like this:

if p.remote? 
  true
else 
  AllowlistPolicy.default.permitted?(p.path) && p.path.directory? && p.path.readable? && p.path.executable?
end

@HazelGrant HazelGrant dismissed their stale review May 23, 2024 13:58

Breaks favorite remote files

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johrstrom johrstrom johrstrom left review comments

@HazelGrant HazelGrant HazelGrant left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
component/dashboard
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

file path favorites outside of allowlist shouldn't show up anywhere
4 participants
@Oglopf @johrstrom @HazelGrant @osc-bot