Improve CI #201
|
||
const readResources = (() => { | ||
return metadata.map(item => ({ | ||
name: item.name, | ||
aliases: item.aliases, | ||
kind: item.kind, | ||
content: fs.readFileSync(path.join(__dirname, 'resources', item.resourcePath)).toString('base64') | ||
content: fs.readFileSync(path.join(import.meta.dirname, 'resources', item.resourcePath)).toString('base64') |
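Review bot: on the added `content:` line, `item.resourcePath` is passed to `path.join` and then to `fs.readFileSync` with no check that the result stays under `resources`; if `metadata` is only ever repository-controlled, say so in a comment, otherwise resolve the path and reject anything outside that directory before reading. Separately, `import.meta.dirname` is only available on Node 20.11+ / 21.2+, so the minimum Node version for CI and local use should be pinned (for example with an `engines` field).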
reported by reviewdog 🐶
[semgrep] Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
Source: https://semgrep.dev/r/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
Cc @thypon @bcaller
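The validation the semgrep finding above asks for, as an added example that is not part of this PR or the project's code. `resolveInside`, `demo` and the `baseDir` parameter are hypothetical names, the metadata entry is constructed, and CommonJS `require` is used only so the block runs stand-alone.

```javascript
const fs = require('node:fs')
const os = require('node:os')
const path = require('node:path')

// Resolve relPath under baseDir and refuse anything that lands outside it.
function resolveInside (baseDir, relPath) {
  if (typeof relPath !== 'string' || relPath.length === 0 || relPath.includes('\0')) {
    throw new Error('invalid resource path')
  }
  const base = path.resolve(baseDir)
  const target = path.resolve(base, relPath)
  // path.relative yields '..' segments (or an absolute path on another
  // Windows drive) when target is not below base. Comparing segments avoids
  // the prefix bug where "/x/resources-old" passes a startsWith("/x/resources").
  const rel = path.relative(base, target)
  if (rel === '' || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`resource path escapes ${base}: ${relPath}`)
  }
  return target
}

// Same shape as the readResources mapping in the diff, with the check applied.
function readResources (metadata, baseDir) {
  return metadata.map(item => ({
    name: item.name,
    aliases: item.aliases,
    kind: item.kind,
    content: fs.readFileSync(resolveInside(baseDir, item.resourcePath)).toString('base64')
  }))
}

// Constructed sample: a temporary "resources" directory holding one file.
function demo () {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'res-demo-'))
  const base = path.join(root, 'resources')
  fs.mkdirSync(base)
  fs.writeFileSync(path.join(base, 'ok.js'), 'ok')
  const sample = [{ name: 'ok', aliases: [], kind: 'constructed', resourcePath: 'ok.js' }]
  const good = readResources(sample, base)
  // Each of these constructed paths must be refused.
  const rejected = ['../secret', '/etc/hostname', 'a/../../resources-old/x', ''].map(p => {
    try { resolveInside(base, p); return false } catch { return true }
  })
  fs.rmSync(root, { recursive: true, force: true })
  return { content: good[0].content, rejected }
}
```

The check is lexical: a symlink inside the base directory can still point elsewhere, so compare `fs.realpathSync` results instead when the directory contents are not trusted.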
@@ -3,6 +3,7 @@ | |||
"version": "1.0.0", | |||
"description": "Custom resources and scriptlets used for Brave's adblocker", | |||
"main": "index.js", | |||
"type": "module", |
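Review bot: `"type": "module"` sits next to `"main": "index.js"`, so the entry point and every other `.js` file in the package are now loaded as ES modules; any leftover `require`, `module.exports` or `__dirname` will fail at load time, and consumers that `require()` this package may break. Confirm all `.js` files were converted, and state the module-format change in the PR description since the title only mentions CI.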
why?
required for `import` and stuff
@@ -1,30 +0,0 @@ | |||
name: CI |
why?
It's still there; just moved it to be combined into the other workflow
import test from 'node:test' | ||
import { Engine, FilterFormat, FilterSet } from 'adblock-rs' | ||
|
||
const getIDFromBase64PublicKey = (key) => { |
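Review bot: `getIDFromBase64PublicKey` is introduced without a comment on what it expects or returns; add a short comment above the declaration stating the expected key encoding and the ID format it produces, and name the code it mirrors, so the two copies can be checked against each other if the derivation ever changes.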
I thought you said we already have this code somewhere? Can we not just export that function?
It's deep in `brave-core-crx-packager` internals. I considered using it directly but it doesn't seem worth it to expose that and pull it in as a new dependency here just for CI purposes
LGTM, @bcaller can you take a look
closes #199