Skip to content

fix: path traversal#300

Open
InvalidJoker wants to merge 4 commits into
spacechunks:mainfrom
InvalidJoker:fix/path-traversal
Open

fix: path traversal#300
InvalidJoker wants to merge 4 commits into
spacechunks:mainfrom
InvalidJoker:fix/path-traversal

Conversation

@InvalidJoker
Copy link
Copy Markdown
Contributor

@InvalidJoker InvalidJoker commented May 10, 2026

Closes #147

@InvalidJoker InvalidJoker marked this pull request as ready for review May 10, 2026 18:54
@InvalidJoker InvalidJoker requested a review from freggy as a code owner May 10, 2026 18:54
freggy
freggy requested changes May 13, 2026
View reviewed changes
Comment thread controlplane/chunk/flavor_test.go Outdated
name: "cleans paths",
prevVersion: fixture.FlavorVersion(),
newVersion: uncleanPathVersion,
expected: &cleanedPathVersion,
Copy link
Copy Markdown
Member

@freggy freggy May 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why not inline those directly?

Comment thread controlplane/errors/error.go Outdated
ErrMinecraftVersionNotSupported = New(codes.FailedPrecondition, "minecraft version not found")
ErrHashMismatch = New(codes.FailedPrecondition, "hash does not match")
ErrInvalidHash = New(codes.InvalidArgument, "invalid hash")
ErrInvalidPath = New(codes.InvalidArgument, "invalid path")
Copy link
Copy Markdown
Member

@freggy freggy May 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'd prefer if we provide which paths exactly are invalid. for this we can add the BadRequest message to the error. the comments provide good guideance, on how to use it.

more info on how to implement it:

Comment thread controlplane/chunk/flavor_test.go
@@ -120,10 +120,45 @@ func TestCreateFlavor(t *testing.T) {
}

func TestCreateFlavorVersion(t *testing.T) {
Copy link
Copy Markdown
Member

@freggy freggy May 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'd also prefer if we could have a functional test, that covers the new cases additionally.

https://github.com/spacechunks/explorer/blob/main/test/functional/controlplane/chunk_api_test.go#L516

@InvalidJoker
refactor errors
d40aedd
@InvalidJoker
Merge remote-tracking branch 'origin/main' into fix/path-traversal
2a10eea 
# Conflicts:
#	test/functional/controlplane/chunk_api_test.go
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@freggy freggy freggy requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Clean all paths retrieved when CreateFlavorVersion is called

2 participants

@InvalidJoker @freggy