Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(copy): support advanced copy configuration with custom target paths #1711

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
+62 −18
Open

feat(copy): support advanced copy configuration with custom target paths #1711

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
a3ddec7
feat(copy): support advanced copy configuration with custom target paths
BQXBQX Dec 2, 2024
464b49c
fix(copy): prevent path traversal in copy plugin
BQXBQX Dec 2, 2024
ffc0081
chore: Update `copy` config type in Mako bundler
BQXBQX Dec 2, 2024
5d42e4f
docs: Update `copy` config type in documentation
BQXBQX Dec 2, 2024
f2c75e3
test(copy): add e2e tests for copy plugin from/to pattern
BQXBQX Dec 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion crates/mako/src/config.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -123,6 +123,13 @@ pub enum Platform {
Node,
}

#[derive(Deserialize, Serialize, Debug)]
#[serde(untagged)]
pub enum CopyConfig {
Basic(String),
Advanced { from: String, to: String },
}

Comment on lines +126 to +132
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

CopyConfig添加配置验证

CopyConfig中的fromto字段直接来自用户配置,可能包含非法或不安全的路径。建议在配置解析时添加路径验证,确保路径不存在注入风险并且指向合法的位置。

#[derive(Deserialize, Serialize, Debug)]
#[serde(rename_all = "camelCase")]
pub struct Config {
Expand All @@ -137,7 +144,7 @@ pub struct Config {
pub devtool: Option<DevtoolConfig>,
pub externals: HashMap<String, ExternalConfig>,
pub providers: Providers,
pub copy: Vec<String>,
pub copy: Vec<CopyConfig>,
pub public_path: String,
pub inline_limit: usize,
pub inline_excludes_extensions: Vec<String>,
Expand Down
34 changes: 28 additions & 6 deletions crates/mako/src/plugins/copy.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
use std::fs;
use std::path::Path;
use std::sync::Arc;

Expand All @@ -11,6 +12,7 @@ use tracing::debug;

use crate::ast::file::win_path;
use crate::compiler::Context;
use crate::config::CopyConfig;
use crate::plugin::Plugin;
use crate::stats::StatsJsonMap;
use crate::utils::tokio_runtime;
Expand All @@ -29,8 +31,12 @@ impl CopyPlugin {
notify::Config::default(),
)
.unwrap();
for src in context.config.copy.iter() {
let src = context.root.join(src);
for config in context.config.copy.iter() {
let src = match config {
CopyConfig::Basic(src) => context.root.join(src),
CopyConfig::Advanced { from, .. } => context.root.join(from),
};

Comment on lines +34 to +39
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

建议检查源路径是否存在

当前代码在处理src之前未检查其是否存在,可能会在源路径不存在时引发错误。建议在处理之前添加对src存在性的验证,并在不存在时进行适当的错误处理或日志记录。

示例修改:

for config in context.config.copy.iter() {
    let src = match config {
        CopyConfig::Basic(src) => context.root.join(src),
        CopyConfig::Advanced { from, .. } => context.root.join(from),
    };

+   if !src.exists() {
+       eprintln!("Source path {:?} does not exist", src);
+       continue;
+   }

    if src.exists() {
        debug!("watch {:?}", src);
        // ...
    }
}

Committable suggestion skipped: line range outside the PR's diff.

if src.exists() {
debug!("watch {:?}", src);
let mode = if src.is_dir() {
Expand Down Expand Up @@ -62,10 +68,26 @@ impl CopyPlugin {
fn copy(context: &Arc<Context>) -> Result<()> {
debug!("copy");
let dest = context.config.output.path.as_path();
for src in context.config.copy.iter() {
let src = context.root.join(src);
debug!("copy {:?} to {:?}", src, dest);
copy(src.as_path(), dest)?;
for config in context.config.copy.iter() {
match config {
CopyConfig::Basic(src) => {
let src = context.root.join(src);
debug!("copy {:?} to {:?}", src, dest);
copy(&src, dest)?;
}

CopyConfig::Advanced { from, to } => {
let src = context.root.join(from);
let target = dest.join(to.trim_start_matches("/"));

if !target.exists() {
fs::create_dir_all(&target)?;
}

debug!("copy {:?} to {:?}", src, target);
copy(&src, &target)?;
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

防止目标路径的目录遍历漏洞

在处理CopyConfig::Advanced配置时,to字段可能包含恶意路径(如../),导致文件复制到意外的位置。建议对目标路径进行规范化和验证,确保目标路径位于预期的目标目录中,防止潜在的安全问题。

示例修改:

let target = dest.join(to.trim_start_matches("/"));

+ let target = target.canonicalize()?;
+ let dest_canonical = dest.canonicalize()?;
+ if !target.starts_with(&dest_canonical) {
+     return Err(anyhow!("Invalid target path: {:?}", target));
+ }

if !target.exists() {
    fs::create_dir_all(&target)?;
}

Committable suggestion skipped: line range outside the PR's diff.

}
}
Ok(())
}
Expand Down