feat(security): security hardening, proxy support, and GL045 HTTP include warning
Security fixes: - Path traversal guard in include: local: — paths with ../ that escape the repo root are rejected instead of reading arbitrary host files - HTTP timeout (30 s) on all fetcher requests to prevent indefinite hangs - Response size cap (10 MiB) via io.LimitReader to prevent memory exhaustion - Cache directory and file permissions tightened to 0700/0600 - LSP Content-Length cap (64 MiB) to guard against DoS from a malicious client New feature: - --proxy flag on check, graph, and lsp subcommands; also proxy: key in .glint.yml; overrides system HTTP_PROXY / HTTPS_PROXY env vars when set; cmdGraph and cmdLSP now also load .glint.yml for proxy/token/url fallbacks New lint rule: - GL045 (Warning): include: remote: using plain http:// instead of https:// Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -133,6 +133,12 @@ func resolveLocalInclude(p *model.Pipeline, rawPath string, cfg fetcher.GitLabCo
|
||||
absPath := filepath.Join(rootDir, relPath)
|
||||
label := "local " + rawPath
|
||||
|
||||
// Guard against path traversal: reject any path that escapes rootDir.
|
||||
rel, err := filepath.Rel(rootDir, absPath)
|
||||
if err != nil || strings.HasPrefix(rel, "..") {
|
||||
return []IncludeWarning{{Label: label, Err: fmt.Errorf("path escapes repository root: %s", rawPath)}}, nil
|
||||
}
|
||||
|
||||
if visited[absPath] {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
@@ -6,6 +6,7 @@ import (
|
||||
"net/http/httptest"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"git.k3nny.fr/glint/internal/fetcher"
|
||||
@@ -332,6 +333,32 @@ func TestResolveLocalInclude_WithNestedIncludes(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestResolveLocalInclude_PathTraversal(t *testing.T) {
|
||||
dir := t.TempDir()
|
||||
p := &model.Pipeline{Jobs: map[string]model.Job{}, RawJobs: map[string]map[string]any{}}
|
||||
// A path that escapes the repository root via "../.." must produce a warning,
|
||||
// not silently read an arbitrary file.
|
||||
warnings, _ := resolveLocalInclude(p, "../../etc/passwd", fetcher.GitLabConfig{}, dir, map[string]bool{}, 0)
|
||||
if len(warnings) == 0 {
|
||||
t.Fatal("expected warning for path traversal, got none")
|
||||
}
|
||||
if !strings.Contains(warnings[0].Err.Error(), "path escapes") {
|
||||
t.Errorf("unexpected warning: %v", warnings[0])
|
||||
}
|
||||
if len(p.Jobs) != 0 {
|
||||
t.Error("no jobs should be merged when path escapes root")
|
||||
}
|
||||
}
|
||||
|
||||
func TestResolveLocalInclude_PathTraversalWithLeadingSlash(t *testing.T) {
|
||||
dir := t.TempDir()
|
||||
p := &model.Pipeline{Jobs: map[string]model.Job{}, RawJobs: map[string]map[string]any{}}
|
||||
warnings, _ := resolveLocalInclude(p, "/../../etc/shadow", fetcher.GitLabConfig{}, dir, map[string]bool{}, 0)
|
||||
if len(warnings) == 0 {
|
||||
t.Fatal("expected warning for path traversal via leading slash, got none")
|
||||
}
|
||||
}
|
||||
|
||||
// ── resolveRemoteInclude ──────────────────────────────────────────────────────
|
||||
|
||||
func TestResolveRemoteInclude_Success(t *testing.T) {
|
||||
|
||||
Reference in New Issue
Block a user