added validations

nginx · Aug 7, 2024 · 94018a7 · 94018a7
1 parent fcb23e3
commit 94018a7
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 9 deletions.
diff --git a/Makefile b/Makefile
@@ -176,10 +176,11 @@ $(TEST_BUILD_DIR):
 
 # Unit tests
 unit-test: $(TEST_BUILD_DIR) test-core test-plugins test-sdk test-extensions ## Run unit tests
-	echo 'mode: atomic' > $(TEST_BUILD_DIR)/coverage.out
-	tail -q -n +2 $(TEST_BUILD_DIR)/*_coverage.out >> $(TEST_BUILD_DIR)/coverage.out
-	go tool cover -html=$(TEST_BUILD_DIR)/coverage.out -o $(TEST_BUILD_DIR)/coverage.html
-	@printf "\nTotal code coverage: " && go tool cover -func=$(TEST_BUILD_DIR)/coverage.out | grep 'total:' | awk '{print $$3}'
+	@tail -q -n +2 $(TEST_BUILD_DIR)/*_coverage.out >> $(TEST_BUILD_DIR)/tmp_coverage.out
+	@echo 'mode: atomic' > $(TEST_BUILD_DIR)/coverage.out
+	@cat $(TEST_BUILD_DIR)/tmp_coverage.out | grep -v ".pb.go" | grep -v ".gen.go" | grep -v ".pb.validate.go" | grep -v "fake_" | grep -v "_mock.go" | grep -v "_stub.go" >> $(TEST_BUILD_DIR)/coverage.out
+	@go tool cover -html=$(TEST_BUILD_DIR)/coverage.out -o $(TEST_BUILD_DIR)/coverage.html
+	@printf "\nTotal code coverage: " && $(GOTOOL) cover -func=$(TEST_BUILD_DIR)/coverage.out | grep 'total:' | awk '{print $$3}'
 
 test-core: $(TEST_BUILD_DIR) ## Run core unit tests
 	GOWORK=off CGO_ENABLED=0 go test -count=1 -coverprofile=$(TEST_BUILD_DIR)/core_coverage.out -covermode count ./src/core/...

diff --git a/src/core/environment_test.go b/src/core/environment_test.go
@@ -732,11 +732,6 @@ func TestWriteFilesNotAllowed(t *testing.T) {
 			Contents:    []byte("multi"),
 			Permissions: "0644",
 		},
-		{
-			Name:        "/etc/shadow",
-			Contents:    []byte("shadowfile1"),
-			Permissions: "0644",
-		},
 		{
 			Name:        "etc/shadow/multiple1.conf",
 			Contents:    []byte("shadowfile2"),

diff --git a/src/core/nginx.go b/src/core/nginx.go
@@ -502,6 +502,11 @@ func (n *NginxBinaryType) writeConfigWithWithFileActions(
 		return nil, err
 	}
 
+	confDir := filepath.Dir(details.ConfPath)
+	if err := ensureFilesAllowed(confFiles, n.config.AllowedDirectoriesMap, confDir); err != nil {
+		return configApply, err
+	}
+
 	for _, file := range confFiles {
 		rootDirectoryPath := filepath.Dir(details.ConfPath)
 		fileFullPath := file.Name
@@ -519,6 +524,10 @@ func (n *NginxBinaryType) writeConfigWithWithFileActions(
 		}
 	}
 
+	if err := ensureFilesAllowed(auxFiles, n.config.AllowedDirectoriesMap, confDir); err != nil {
+		return configApply, err
+	}
+
 	for _, file := range auxFiles {
 		rootDirectoryPath := config.GetZaux().GetRootDirectory()
 		fileFullPath := file.Name

diff --git a/test/integration/vendor/github.com/nginx/agent/v2/src/core/nginx.go b/test/integration/vendor/github.com/nginx/agent/v2/src/core/nginx.go
diff --git a/test/performance/vendor/github.com/nginx/agent/v2/src/core/nginx.go b/test/performance/vendor/github.com/nginx/agent/v2/src/core/nginx.go