Deduplicate file staging logic #740
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
| @@ -571,6 +572,45 @@ const escapeStringForJSON = str => { | |||
| return JSON.stringify(str).slice(1, -1) | |||
| } | |||
|
|
|||
| const copyManifestWithVersion = (originalLocation, outputDir, version) => { | |||
| const outputLocation = path.join(outputDir, 'manifest.json') | |||
There was a problem hiding this comment.
reported by reviewdog 🐶
[semgrep] Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
Source: https://semgrep.dev/r/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
Cc @thypon @bcaller
| copyManifestWithVersion(inputPath, outputDir, version) | ||
| hasManifest = true | ||
| } else { | ||
| fs.copyFileSync(inputPath, path.join(outputDir, outputName)) |
There was a problem hiding this comment.
reported by reviewdog 🐶
[semgrep] Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
Source: https://semgrep.dev/r/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
Cc @thypon @bcaller
| replace.sync(replaceOptions) | ||
| util.stageDir( | ||
| undefined, | ||
| path.join(path.resolve(), 'build', 'ntp-sponsored-images', 'resources', locale, '/'), |
There was a problem hiding this comment.
reported by reviewdog 🐶
[semgrep] Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
Source: https://semgrep.dev/r/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
Cc @thypon @bcaller
| // Only copy resources.json into components with a UUID. We will migrate to | ||
| // ad-block components are already written in the output directory | ||
| // so we don't need to stage anything | ||
| const originalManifest = path.join(outputDir, 'manifest.json') |
There was a problem hiding this comment.
reported by reviewdog 🐶
[semgrep] Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
Source: https://semgrep.dev/r/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
Cc @thypon @bcaller
| replace.sync(replaceOptions) | ||
| util.stageDir( | ||
| undefined, | ||
| path.join(path.resolve(), 'build', 'user-model-installer', 'resources', locale, '/'), |
There was a problem hiding this comment.
reported by reviewdog 🐶
[semgrep] Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
Source: https://semgrep.dev/r/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
Cc @thypon @bcaller
| replace.sync(replaceOptions) | ||
| util.stageDir( | ||
| undefined, | ||
| path.join(path.resolve(), 'build', 'ntp-super-referrer', 'resources', superReferrerName, '/'), |
There was a problem hiding this comment.
reported by reviewdog 🐶
[semgrep] Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
Source: https://semgrep.dev/r/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
Cc @thypon @bcaller
Incremental work towards #622.
This PR refactors duplicated logic across all packaging scripts to use common
stageFilesandstageDirutilities, removing a net of almost 100 lines.In the future I'd like to consolidate all components into using just one of these utilities, however I've left that for a followup as it requires deeper understanding of each component being packaged and cleanup of some legacy backwards-compatible code.