Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(copy): support advanced copy configuration with custom target paths #1711

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
+68 −18
Open

feat(copy): support advanced copy configuration with custom target paths #1711

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
a3ddec7
feat(copy): support advanced copy configuration with custom target paths
BQXBQX Dec 2, 2024
464b49c
fix(copy): prevent path traversal in copy plugin
BQXBQX Dec 2, 2024
ffc0081
chore: Update `copy` config type in Mako bundler
BQXBQX Dec 2, 2024
5d42e4f
docs: Update `copy` config type in documentation
BQXBQX Dec 2, 2024
f2c75e3
test(copy): add e2e tests for copy plugin from/to pattern
BQXBQX Dec 2, 2024
459b3a0
fix(copy): improve path validation and cleanup for copy plugin
BQXBQX Dec 3, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion crates/mako/src/config.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -123,6 +123,13 @@ pub enum Platform {
Node,
}

#[derive(Deserialize, Serialize, Debug)]
#[serde(untagged)]
pub enum CopyConfig {
Basic(String),
Advanced { from: String, to: String },
}

Comment on lines +126 to +132
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

CopyConfig添加配置验证

CopyConfig中的fromto字段直接来自用户配置,可能包含非法或不安全的路径。建议在配置解析时添加路径验证,确保路径不存在注入风险并且指向合法的位置。

#[derive(Deserialize, Serialize, Debug)]
#[serde(rename_all = "camelCase")]
pub struct Config {
Expand All @@ -137,7 +144,7 @@ pub struct Config {
pub devtool: Option<DevtoolConfig>,
pub externals: HashMap<String, ExternalConfig>,
pub providers: Providers,
pub copy: Vec<String>,
pub copy: Vec<CopyConfig>,
pub public_path: String,
pub inline_limit: usize,
pub inline_excludes_extensions: Vec<String>,
Expand Down
42 changes: 35 additions & 7 deletions crates/mako/src/plugins/copy.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,8 @@
use std::fs;
use std::path::Path;
use std::sync::Arc;

use anyhow::Result;
use anyhow::{anyhow, Result};
use fs_extra;
use glob::glob;
use notify::event::{CreateKind, DataChange, ModifyKind, RenameMode};
Expand All @@ -11,6 +12,7 @@ use tracing::debug;

use crate::ast::file::win_path;
use crate::compiler::Context;
use crate::config::CopyConfig;
use crate::plugin::Plugin;
use crate::stats::StatsJsonMap;
use crate::utils::tokio_runtime;
Expand All @@ -29,8 +31,12 @@ impl CopyPlugin {
notify::Config::default(),
)
.unwrap();
for src in context.config.copy.iter() {
let src = context.root.join(src);
for config in context.config.copy.iter() {
let src = match config {
CopyConfig::Basic(src) => context.root.join(src),
CopyConfig::Advanced { from, .. } => context.root.join(from),
};

Comment on lines +34 to +39
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

建议检查源路径是否存在

当前代码在处理src之前未检查其是否存在,可能会在源路径不存在时引发错误。建议在处理之前添加对src存在性的验证,并在不存在时进行适当的错误处理或日志记录。

示例修改:

for config in context.config.copy.iter() {
    let src = match config {
        CopyConfig::Basic(src) => context.root.join(src),
        CopyConfig::Advanced { from, .. } => context.root.join(from),
    };

+   if !src.exists() {
+       eprintln!("Source path {:?} does not exist", src);
+       continue;
+   }

    if src.exists() {
        debug!("watch {:?}", src);
        // ...
    }
}

Committable suggestion skipped: line range outside the PR's diff.

if src.exists() {
debug!("watch {:?}", src);
let mode = if src.is_dir() {
Expand Down Expand Up @@ -62,10 +68,32 @@ impl CopyPlugin {
fn copy(context: &Arc<Context>) -> Result<()> {
debug!("copy");
let dest = context.config.output.path.as_path();
for src in context.config.copy.iter() {
let src = context.root.join(src);
debug!("copy {:?} to {:?}", src, dest);
copy(src.as_path(), dest)?;
for config in context.config.copy.iter() {
match config {
CopyConfig::Basic(src) => {
let src = context.root.join(src);
debug!("copy {:?} to {:?}", src, dest);
copy(&src, dest)?;
}

CopyConfig::Advanced { from, to } => {
let src = context.root.join(from);
let target = dest.join(to.trim_start_matches("/"));

let target = target.canonicalize()?;
let dest_canonical = dest.canonicalize()?;
if !target.starts_with(&dest_canonical) {
return Err(anyhow!("Invalid target path: {:?}", target));
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

路径规范化可能导致错误

使用canonicalize()进行路径规范化时,如果路径不存在会导致错误。建议在这种情况下使用更健壮的处理方式。

建议添加错误处理:

-    let target = target.canonicalize()?;
-    let dest_canonical = dest.canonicalize()?;
+    let target = target.canonicalize().map_err(|e| {
+        anyhow!("无法规范化目标路径 {:?}: {}", target, e)
+    })?;
+    let dest_canonical = dest.canonicalize().map_err(|e| {
+        anyhow!("无法规范化输出目录 {:?}: {}", dest, e)
+    })?;
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
let target = target.canonicalize()?;
let dest_canonical = dest.canonicalize()?;
if !target.starts_with(&dest_canonical) {
return Err(anyhow!("Invalid target path: {:?}", target));
}
let target = target.canonicalize().map_err(|e| {
anyhow!("无法规范化目标路径 {:?}: {}", target, e)
})?;
let dest_canonical = dest.canonicalize().map_err(|e| {
anyhow!("无法规范化输出目录 {:?}: {}", dest, e)
})?;
if !target.starts_with(&dest_canonical) {
return Err(anyhow!("Invalid target path: {:?}", target));
}


if !target.exists() {
fs::create_dir_all(&target)?;
}

debug!("copy {:?} to {:?}", src, target);
copy(&src, &target)?;
}
}
}
Ok(())
}
Expand Down