Automatically run the DB migrations on initializing the test app with tests.NewTestApp().
Added more elaborate warning message when restoring a backup explaining how the operation works.
Skip irregular files (symbolic links, sockets, etc.) when restoring a backup zip from the Admin UI or calling archive.Extract(src, dst) because they come with too many edge cases and ambiguities.
This was initially reported as security issue (thanks Harvey Spec) but in the PocketBase context it is not something that can be exploited without an admin intervention and since the general expectations are that the PocketBase admins can do anything and they are the one who manage their server, this should be treated with the same diligence when using scp/rsync/rclone/etc. with untrusted file sources.
It is not possible (or at least I'm not aware how to do that easily) to perform virus/malicious content scanning on the uploaded backup archive files and some caution is always required when using the Admin UI or running shell commands, hence the backup-restore warning text.
Or in other words, if someone sends you a file and tells you to upload it to your server (either as backup zip or manually via scp) obviously you shouldn't do that unless you really trust them.
PocketBase is like any other regular application that you run on your server and there is no builtin "sandbox" for what the PocketBase process can execute. This is left to the developers to restrict on application or OS level depending on their needs. If you are self-hosting PocketBase you usually don't have to do that, but if you are offering PocketBase as a service and allow strangers to run their own PocketBase instances on your server then you'll need to implement the isolation mechanisms on your own.
Automatically run the DB migrations on initializing the test app with tests.NewTestApp().
Added more elaborate warning message when restoring a backup explaining how the operation works.
Skip irregular files (symbolic links, sockets, etc.) when restoring a backup zip from the Admin UI or calling archive.Extract(src, dst) because they come with too many edge cases and ambiguities.
This was initially reported as security issue (thanks Harvey Spec) but in the PocketBase context it is not something that can be exploited without an admin intervention and since the general expectations are that the PocketBase admins can do anything and they are the one who manage their server, this should be treated with the same diligence when using scp/rsync/rclone/etc. with untrusted file sources.
It is not possible (or at least I'm not aware how to do that easily) to perform virus/malicious content scanning on the uploaded backup archive files and some caution is always required when using the Admin UI or running shell commands, hence the backup-restore warning text.
Or in other words, if someone sends you a file and tell you to upload it to your server (either as backup zip or manually via scp) obviously you shouldn't do that unless you really trust them.
PocketBase is like any other regular application that you run on your server and there is no builtin "sandbox" for what the PocketBase process can execute. This is left to the developers to restrict on application or OS level depending on their needs. If you are self-hosting PocketBase you usually don't have to do that, but if you are offering PocketBase as a service and allow strangers to run their own PocketBase instances on your server then you'll need to implement the isolation mechanisms on your own.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps github.com/pocketbase/pocketbase from 0.22.4 to 0.22.5.
Release notes
Sourced from github.com/pocketbase/pocketbase's releases.
Changelog
Sourced from github.com/pocketbase/pocketbase's changelog.
Commits
b596bbdupdated go deps0492717updated backup restore message98ba003added done channel for the cron ticker309c4fecall TestApp.ResetBootstrap as finalizer of the test OnTerminate hook03cec9a#4600 autorun migrations for the test app and call the OnTerminate hook on ...48153d4updated restore backup warning message and changed archive.Extract to ignore ...be40803updated security.Encrypt and security.Decrypt docsa5eff39#4566 fixed JSVM routerUse() exampleDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show