Support URLs in hostDir policies (#146)

* Support URLs in hostDir policies We can't just blindly allow remote URLs since they might contain symlinks leading to outside the archive. Instead, let's support specifying URLs where the remote archive can come from. Fixes #145 * Ignore Lint issue * Reverted old validation logic
2023-10-24 13:01:34 -04:00 · 2023-10-24 13:01:34 -04:00 · dc3eeef5b1
parent 7c2c466d65
commit dc3eeef5b1
2 changed files with 18 additions and 0 deletions
--- a/pkg/resource/v1/host_dir_policy.go
+++ b/pkg/resource/v1/host_dir_policy.go
@ -14,6 +14,13 @@ type HostDirPolicy struct {
 }

 func NewHostDirPolicyFromString(s string) (HostDirPolicy, error) {
+	if strings.HasPrefix(s, "http://") || strings.HasPrefix(s, "https://") {
+		return HostDirPolicy{
+			PathPrefix: strings.TrimSuffix(s, ":ro"),
+			ReadOnly:   strings.HasSuffix(s, ":ro"),
+		}, nil
+	}
+
 	parts := strings.Split(s, ":")

 	if len(parts) > 2 {
--- a/pkg/resource/v1/host_dir_policy_test.go
+++ b/pkg/resource/v1/host_dir_policy_test.go
@ -61,3 +61,14 @@ func TestHostDirPolicyString(t *testing.T) {
 	policyRo := &v1.HostDirPolicy{PathPrefix: "/Users/ci/src", ReadOnly: true}
 	require.EqualValues(t, "/Users/ci/src:ro", policyRo.String())
 }
+
+func TestHTTPHostDirPolicyString(t *testing.T) {
+	policy, err := v1.NewHostDirPolicyFromString("https://github.com/actions/runner/releases/download")
+	require.NoError(t, err)
+	require.EqualValues(t, v1.HostDirPolicy{
+		PathPrefix: "https://github.com/actions/runner/releases/download",
+		ReadOnly:   false,
+	}, policy)
+	//nolint: lll
+	require.True(t, policy.Validate("https://github.com/actions/runner/releases/download/v2.309.0/actions-runner-osx-arm64-2.309.0.tar.gz", false))
+}