From 1694fdeb206c13c2f3da9358e896f8412c5d8349 Mon Sep 17 00:00:00 2001 From: Zhang Bo Date: Tue, 4 Jun 2024 21:50:45 -0700 Subject: [PATCH 1/7] use exact match for illegal path check Signed-off-by: Zhang Bo --- source/common/filesystem/posix/filesystem_impl.cc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/source/common/filesystem/posix/filesystem_impl.cc b/source/common/filesystem/posix/filesystem_impl.cc index d9714ce37b9b..fcb5aced5e36 100644 --- a/source/common/filesystem/posix/filesystem_impl.cc +++ b/source/common/filesystem/posix/filesystem_impl.cc @@ -339,9 +339,9 @@ bool InstanceImplPosix::illegalPath(const std::string& path) { // platform in the future, growing these or relaxing some constraints (e.g. // there are valid reasons to go via /proc for file paths). // TODO(htuch): Optimize this as a hash lookup if we grow any further. - if (absl::StartsWith(canonical_path.return_value_, "/dev") || - absl::StartsWith(canonical_path.return_value_, "/sys") || - absl::StartsWith(canonical_path.return_value_, "/proc")) { + if (canonical_path.return_value_ == "/dev" || + canonical_path.return_value_ == "/sys" || + canonical_path.return_value_ == "/proc") { return true; } return false; From 0666d4fca2ffa530cf98b5b61164f633a05d8078 Mon Sep 17 00:00:00 2001 From: Zhang Bo Date: Tue, 4 Jun 2024 23:17:01 -0700 Subject: [PATCH 2/7] format fix Signed-off-by: Zhang Bo --- source/common/filesystem/posix/filesystem_impl.cc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/source/common/filesystem/posix/filesystem_impl.cc b/source/common/filesystem/posix/filesystem_impl.cc index fcb5aced5e36..bc771bd2152b 100644 --- a/source/common/filesystem/posix/filesystem_impl.cc +++ b/source/common/filesystem/posix/filesystem_impl.cc @@ -339,8 +339,7 @@ bool InstanceImplPosix::illegalPath(const std::string& path) { // platform in the future, growing these or relaxing some constraints (e.g. // there are valid reasons to go via /proc for file paths). // TODO(htuch): Optimize this as a hash lookup if we grow any further. - if (canonical_path.return_value_ == "/dev" || - canonical_path.return_value_ == "/sys" || + if (canonical_path.return_value_ == "/dev" || canonical_path.return_value_ == "/sys" || canonical_path.return_value_ == "/proc") { return true; } From d397624c61f5cda58f43baebf49d0ceae57c3394 Mon Sep 17 00:00:00 2001 From: Zhang Bo Date: Thu, 6 Jun 2024 00:10:40 -0700 Subject: [PATCH 3/7] fix issues in comments and add more test case Signed-off-by: Zhang Bo --- source/common/filesystem/posix/filesystem_impl.cc | 5 ++++- test/common/filesystem/filesystem_impl_test.cc | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/source/common/filesystem/posix/filesystem_impl.cc b/source/common/filesystem/posix/filesystem_impl.cc index bc771bd2152b..e5aa7d6fcd92 100644 --- a/source/common/filesystem/posix/filesystem_impl.cc +++ b/source/common/filesystem/posix/filesystem_impl.cc @@ -339,7 +339,10 @@ bool InstanceImplPosix::illegalPath(const std::string& path) { // platform in the future, growing these or relaxing some constraints (e.g. // there are valid reasons to go via /proc for file paths). // TODO(htuch): Optimize this as a hash lookup if we grow any further. - if (canonical_path.return_value_ == "/dev" || canonical_path.return_value_ == "/sys" || + if (absl::StartsWith(canonical_path.return_value_, "/dev/") || + absl::StartsWith(canonical_path.return_value_, "/sys/") || + absl::StartsWith(canonical_path.return_value_, "/proc/") || + canonical_path.return_value_ == "/dev" || canonical_path.return_value_ == "/sys" || canonical_path.return_value_ == "/proc") { return true; } diff --git a/test/common/filesystem/filesystem_impl_test.cc b/test/common/filesystem/filesystem_impl_test.cc index 6163ab29b144..6e444f7341a1 100644 --- a/test/common/filesystem/filesystem_impl_test.cc +++ b/test/common/filesystem/filesystem_impl_test.cc @@ -235,6 +235,8 @@ TEST_F(FileSystemImplTest, IllegalPath) { EXPECT_TRUE(file_system_.illegalPath("/sys")); EXPECT_TRUE(file_system_.illegalPath("/sys/")); EXPECT_TRUE(file_system_.illegalPath("/_some_non_existent_file")); + EXPECT_FALSE(file_system_.illegalPath("/sysroot")); + EXPECT_FALSE(file_system_.illegalPath("/sysroot/")); #endif } From d02827351f081b5d8a70ab82adf80f68e2fc717b Mon Sep 17 00:00:00 2001 From: Zhang Bo Date: Thu, 6 Jun 2024 19:34:29 -0700 Subject: [PATCH 4/7] add comments Signed-off-by: Zhang Bo --- source/common/filesystem/posix/filesystem_impl.cc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source/common/filesystem/posix/filesystem_impl.cc b/source/common/filesystem/posix/filesystem_impl.cc index e5aa7d6fcd92..b10aa7bdee18 100644 --- a/source/common/filesystem/posix/filesystem_impl.cc +++ b/source/common/filesystem/posix/filesystem_impl.cc @@ -339,6 +339,8 @@ bool InstanceImplPosix::illegalPath(const std::string& path) { // platform in the future, growing these or relaxing some constraints (e.g. // there are valid reasons to go via /proc for file paths). // TODO(htuch): Optimize this as a hash lookup if we grow any further. + // It will allow the canonical path such as /sysroot/ which is not the + // default reserved directories (/dev, /sys, /proc) if (absl::StartsWith(canonical_path.return_value_, "/dev/") || absl::StartsWith(canonical_path.return_value_, "/sys/") || absl::StartsWith(canonical_path.return_value_, "/proc/") || From 1922e600df9d9c5a7b9f613fe3dcc2430a6c0533 Mon Sep 17 00:00:00 2001 From: Zhang Bo Date: Thu, 6 Jun 2024 20:15:17 -0700 Subject: [PATCH 5/7] add comments Signed-off-by: Zhang Bo --- tools/spelling/spelling_dictionary.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/spelling/spelling_dictionary.txt b/tools/spelling/spelling_dictionary.txt index 4c8efee1ae6c..670192ef17d7 100644 --- a/tools/spelling/spelling_dictionary.txt +++ b/tools/spelling/spelling_dictionary.txt @@ -1349,6 +1349,7 @@ sys syscall syscalls sysctl +sysroot sz tchar tchars From 8413f165915b5681b2e5b11d1d65eea0824fa63d Mon Sep 17 00:00:00 2001 From: Zhang Bo Date: Fri, 7 Jun 2024 02:58:35 -0700 Subject: [PATCH 6/7] remove incorrect test cases Signed-off-by: Zhang Bo --- test/common/filesystem/filesystem_impl_test.cc | 2 -- 1 file changed, 2 deletions(-) diff --git a/test/common/filesystem/filesystem_impl_test.cc b/test/common/filesystem/filesystem_impl_test.cc index 6e444f7341a1..6163ab29b144 100644 --- a/test/common/filesystem/filesystem_impl_test.cc +++ b/test/common/filesystem/filesystem_impl_test.cc @@ -235,8 +235,6 @@ TEST_F(FileSystemImplTest, IllegalPath) { EXPECT_TRUE(file_system_.illegalPath("/sys")); EXPECT_TRUE(file_system_.illegalPath("/sys/")); EXPECT_TRUE(file_system_.illegalPath("/_some_non_existent_file")); - EXPECT_FALSE(file_system_.illegalPath("/sysroot")); - EXPECT_FALSE(file_system_.illegalPath("/sysroot/")); #endif } From 659f79e271fb2e42e4edf0dd73b762ec359dc7b8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 26 Jun 2024 06:16:10 +0000 Subject: [PATCH 7/7] build(deps): bump setuptools from 70.0.0 to 70.1.1 in /tools/base Bumps [setuptools](https://github.com/pypa/setuptools) from 70.0.0 to 70.1.1. - [Release notes](https://github.com/pypa/setuptools/releases) - [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst) - [Commits](https://github.com/pypa/setuptools/compare/v70.0.0...v70.1.1) --- updated-dependencies: - dependency-name: setuptools dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- tools/base/requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/base/requirements.txt b/tools/base/requirements.txt index 412d81692d14..df5c9e56a074 100644 --- a/tools/base/requirements.txt +++ b/tools/base/requirements.txt @@ -1642,7 +1642,7 @@ zstandard==0.22.0 \ # via envoy-base-utils # The following packages are considered to be unsafe in a requirements file: -setuptools==70.0.0 \ - --hash=sha256:54faa7f2e8d2d11bcd2c07bed282eef1046b5c080d1c32add737d7b5817b1ad4 \ - --hash=sha256:f211a66637b8fa059bb28183da127d4e86396c991a942b028c6650d4319c3fd0 +setuptools==70.1.1 \ + --hash=sha256:937a48c7cdb7a21eb53cd7f9b59e525503aa8abaf3584c730dc5f7a5bec3a650 \ + --hash=sha256:a58a8fde0541dab0419750bcc521fbdf8585f6e5cb41909df3a472ef7b81ca95 # via -r requirements.in