Check for writes outside of the build directory #2974
Conversation
@powerboat9 The macOS CI broke; we repaired it, but you need to rebase your branch now.
That specific issue was addressed by #2947 "Move 'libformat_parser' build into the GCC build directory, and into libgrust" -- but yes, good idea to actually make sure we're not introducing similar things again! 👍
Instead of `chmod -R a-w *`, it's good practice to use `chmod -R a-w ./*` (or something similar) -- or just `chmod -R a-w .` in fact 🙃 -- so that "malicious" files starting with `-` can't possibly affect the `chmod` command.
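The glob hazard raised in the comment above, and the PR's read-only-checkout check itself, as an added example that is not code from the PR or from the gccrs CI workflow. It assumes a constructed tree with `src/` and `build/`, a file named `-zz`, and a reconstruction of the chmod step as `chmod -R a-w .` followed by restoring `u+w` on `build/` (the actual ccpp.yml change is not shown on this page):

```sh
#!/bin/sh
# Added example for this thread; it is not code from the gccrs PR or its CI
# workflow. It shows why a bare "*" after chmod is fragile when a file name
# starts with "-", then verifies the PR's idea (everything outside the build
# directory read-only) on a constructed tree, including the case where the
# check silently does nothing: running as root.

# Create a scratch tree. The layout (src/, build/) and the file name "-zz"
# are constructed for this example; "-zz" sorts before "src" under "*".
make_tree() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/src" "$dir/build" || return 1
    printf 'fn main() {}\n' > "$dir/src/main.rs"
    printf 'not a flag\n' > "$dir/-zz"
    printf '%s\n' "$dir"
}

# Expand glob $2 inside directory $1 exactly as the shell would for chmod,
# and return 0 if the first resulting operand begins with "-".
first_arg_is_dashed() {
    ( cd "$1" || exit 2
      set -- $2          # unquoted on purpose: this is the glob expansion
      case $1 in
          -*) exit 0 ;;
          *)  exit 1 ;;
      esac )
}

# The PR's approach, reconstructed here as an assumption about what the
# workflow does: strip write bits from the whole checkout, then give them
# back on the build directory only. The "." form is immune to dash names.
make_readonly_except_build() {
    ( cd "$1" || exit 1
      chmod -R a-w . && chmod -R u+w build )
}

# Portable mode check via ls: "test -w" asks access(2), which says "yes" for
# uid 0 regardless of mode bits, so it cannot tell us what chmod did.
no_write_bits() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        *w*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Return 0 if appending to $1 is refused, i.e. the stray write would have
# failed the CI job. Uid 0 bypasses DAC mode bits (CAP_DAC_OVERRIDE on
# Linux), so in a root container this returns 1 even on a read-only file.
write_blocked() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "warning: uid 0 ignores mode bits; this check is a no-op as root" >&2
    fi
    ( printf 'x' >> "$1" ) 2>/dev/null && return 1
    return 0
}

# Restore write bits before deleting; rm cannot unlink from a read-only dir.
cleanup() {
    chmod -R u+w "$1" && rm -rf "$1"
}

main() {
    d=$(make_tree) || return 1
    if first_arg_is_dashed "$d" '*'; then
        echo "bare '*' yields a dash-prefixed operand first: unsafe after chmod"
    fi
    first_arg_is_dashed "$d" './*' || echo "'./*' yields no dash-prefixed operand"
    make_readonly_except_build "$d" || return 1
    no_write_bits "$d/src/main.rs" && echo "src/main.rs has no write bits"
    no_write_bits "$d/build" || echo "build/ is still writable"
    if write_blocked "$d/src/main.rs"; then
        echo "write outside build/ was refused, as the CI check intends"
    else
        echo "write outside build/ went through: the check would not fire here"
    fi
    cleanup "$d"
}

main "$@"
```

Run it as an ordinary user to see the stray write refused. GNU coreutils chmod permutes its arguments, so an operand such as `-zz` is parsed as options even when it follows the mode; a BSD chmod's getopt may instead stop parsing at the mode, which is why the script checks the expansion itself rather than relying on chmod's exit status. The root case matters for CI too: uid 0 bypasses mode bits, so if the job runs as root inside a container the read-only checkout catches nothing, and the script reports that rather than claiming success.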
Eh, the build now actually is failing due to a similar issue: ...., so that'll need to be addressed first (in a similar way as #2947 "Move 'libformat_parser' build into the GCC build directory, and into libgrust", I suppose).
From what I see from
It's easy enough to try:
Looks like cargo is trying to update the lock file and fails. I've noticed ffi-polonius does not use the same cargo config as libformat_parser. Maybe we should update the cargo invocation with a
898cf2d to ae40dd1
ChangeLog:

	* .github/workflows/ccpp.yml: Make files outside the build directory read-only.

Signed-off-by: Owen Avery <[email protected]>
ae40dd1 to deb5b9a
I think it's worth passing some arguments to be safe. Even better would be to never call In Gentoo, in cargo.eclass, we do:
You don't need the local registry bit (although it doesn't do any harm), but you get the idea wrt offline. We also always invoke
It looks like the issues preventing this PR from passing checks have since been fixed
I noticed that `libgrust/libformat_parser/target` was seemingly generated outside the build directory on my machine. This should detect similar issues, and confirm/deny the aforementioned issue.