Sanitize file names in Dependabot::DependencyFile initializer #5986
26ea184 to cfb5f6d
This has been an issue with the file_fetchers (#5866, #5869), but it manifests in the update_checker when it tries to write the files out. I'm wondering if it's causing other subtle issues, and if we sanitize here we might see more issues elsewhere that will be harder to diagnose. Also, if users are checking in absolute paths we should just be rejecting the job, since we can't see some of the dependencies involved; the update could be invalid. So I think we need to dig down into each of these and see where we're going wrong in the file_fetcher rather than fix it up later.
@jakecoffman Yeah, looking at the test failures makes me think this isn't the right approach. I'll take another pass starting from the file fetcher to see if I can figure out a more targeted solution. Thanks for taking a look!
Most package ecosystems have code to write dependency files into a temporary directory. Here's a representative example from npm_and_yarn: dependabot-core/npm_and_yarn/lib/dependabot/npm_and_yarn/update_checker/dependency_files_builder.rb, lines 16 to 26 in 6a9c745.

You can find a few dozen instances of this pattern in our codebase.

When `file.name` has a leading `/`, those calls to `FileUtils#mkdir_p` and `File.write` write to the root directory. This causes an `Errno::EACCES`. For example, when Dependabot runs an update job for a JavaScript project with a local path dependency it produces the error `"Permission denied @ rb_sysopen - /package.json"`.

This PR attempts to address this problem by sanitizing `Dependabot::DependencyFile` names in the initializer. With this change, any file names with an absolute path are translated into relative paths that will be written into temporary directories instead of attempting to be written to system root.
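The failure mode and the sanitizing fix described above, as an added Ruby example that is not code from dependabot-core or from this PR. The method names `sanitize_file_name`, `resolved_write_path`, `write_files_into` and `demo` and the sample manifests are constructed for illustration; the write loop only mirrors the `FileUtils#mkdir_p` plus `File.write` pattern the description refers to, not the actual contents of dependency_files_builder.rb.

```ruby
require "fileutils"
require "pathname"
require "tmpdir"

# Added example, not dependabot-core code. Every method name here is a
# hypothetical illustration of the pattern the PR description talks about.

# Sanitizing step: drop leading separators so an absolute name recorded in a
# DependencyFile ("/package.json") becomes a name relative to the temporary
# directory the update checker chdir's into ("package.json").
def sanitize_file_name(name)
  name.sub(%r{\A/+}, "")
end

# Where File.write(name, ...) actually lands when the process's working
# directory is +cwd+. An absolute name ignores +cwd+ entirely, which is how
# "/package.json" ends up targeting the system root.
def resolved_write_path(cwd, name)
  Pathname.new(name).expand_path(cwd).to_s
end

# The mkdir_p + File.write loop, reduced to its essentials, run with the
# working directory set to +dir+ (as the real code does inside a temporary
# directory). Returns the names it wrote.
def write_files_into(dir, files)
  Dir.chdir(dir) do
    files.map do |file|
      path = file[:name]
      FileUtils.mkdir_p(Pathname.new(path).dirname)
      File.write(path, file[:content])
      path
    end
  end
end

# Constructed sample: a JavaScript project with a local path dependency whose
# manifest name was recorded with a leading "/".
SAMPLE_FILES = [
  { name: "package.json",
    content: '{"name":"app","dependencies":{"lib":"file:packages/lib"}}' },
  { name: "/packages/lib/package.json",
    content: '{"name":"lib"}' }
].freeze

# Shows both outcomes for the sample: where the unsanitized names would have
# been written, and what actually lands inside the temporary directory once
# the names are sanitized first.
def demo
  Dir.mktmpdir("dependabot-example") do |tmp|
    unsanitized_targets = SAMPLE_FILES.map { |f| resolved_write_path(tmp, f[:name]) }
    sanitized = SAMPLE_FILES.map { |f| f.merge(name: sanitize_file_name(f[:name])) }
    write_files_into(tmp, sanitized)
    written = Dir.glob("**/*", base: tmp)
                 .select { |p| File.file?(File.join(tmp, p)) }
                 .sort
    { unsanitized_targets: unsanitized_targets, written: written }
  end
end

if $PROGRAM_NAME == __FILE__
  result = demo
  puts "without sanitizing, File.write would target: #{result[:unsanitized_targets].inspect}"
  puts "after sanitizing, files written under tmpdir: #{result[:written].inspect}"
end
```

Running it shows the second manifest resolving to `/packages/lib/package.json` (outside the temporary directory, hence the `Errno::EACCES` for a non-root process) before sanitizing, and both files landing under the temporary directory afterwards. Note that stripping leading separators is all this does: a name containing `..` components would still escape the directory, which is a separate case this example (and the PR) does not handle, and it is the kind of input the reviewer's comment argues should fail the job rather than be quietly rewritten.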