This repository has been archived by the owner on Oct 28, 2021. It is now read-only.

fix: disallow functions (#93)
wass3r authored Dec 29, 2020
1 parent adf85cc commit f1ace5f
Showing 4 changed files with 65 additions and 1 deletion.
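--- a/template/native/render.go
+++ b/template/native/render.go
@@ -21,11 +21,18 @@ func Render(tmpl string, s *types.Step) (types.StepSlice, error) {
 templateFuncMap := map[string]interface{}{
 "vela": velaFuncs.returnPlatformVar,
 }
+// modify Masterminds/sprig functions
+// to remove OS functions
+//
+// https://masterminds.github.io/sprig/os.html
+sf := sprig.TxtFuncMap()
+delete(sf, "env")
+delete(sf, "expandenv")
 
 // parse the template with Masterminds/sprig functions
 //
 // https://pkg.go.dev/github.com/Masterminds/sprig?tab=doc#TxtFuncMap
-t, err := template.New(s.Name).Funcs(sprig.TxtFuncMap()).Funcs(templateFuncMap).Parse(tmpl)
+t, err := template.New(s.Name).Funcs(sf).Funcs(templateFuncMap).Parse(tmpl)
 if err != nil {
 return types.StepSlice{}, fmt.Errorf("unable to parse template %s: %v", s.Template.Name, err)
 }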
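Review bot: Removing `env` and `expandenv` by name is a denylist, so every other function `sprig.TxtFuncMap()` returns, now or after a dependency bump, stays callable from user-supplied templates. Depending on the sprig version pinned in go.mod (not visible here), that may include `getHostByName`, which performs a DNS lookup from the process doing the render; it is worth checking and, if present, removing here as well. I would keep the names in one place, e.g. `for _, name := range []string{"env", "expandenv"} { delete(sf, name) }`, with a comment that the list has to be re-audited on each sprig upgrade. Render's body starts and ends outside the hunk.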
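--- a/template/native/render_test.go
+++ b/template/native/render_test.go
@@ -6,6 +6,7 @@ package native
 
 import (
 "io/ioutil"
+"reflect"
 "testing"
 
 "github.com/go-vela/types/raw"
@@ -82,3 +83,43 @@ func TestNative_Render(t *testing.T) {
 })
 }
 }
+
+func TestNative_Render_DisallowedFunc_Env(t *testing.T) {
+// setup types
+want := yaml.StepSlice{}
+
+// run test
+tmpl, err := ioutil.ReadFile("testdata/disallowed/tmpl_env.yml")
+if err != nil {
+t.Errorf("Reading file returned err: %v", err)
+}
+
+got, err := Render(string(tmpl), &yaml.Step{})
+if err == nil {
+t.Errorf("Render should have returned err")
+}
+
+if !reflect.DeepEqual(got, want) {
+t.Errorf("Render is %v, want %v", got, want)
+}
+}
+
+func TestNative_Render_DisallowedFunc_ExpandEnv(t *testing.T) {
+// setup types
+want := yaml.StepSlice{}
+
+// run test
+tmpl, err := ioutil.ReadFile("testdata/disallowed/tmpl_expandenv.yml")
+if err != nil {
+t.Errorf("Reading file returned err: %v", err)
+}
+
+got, err := Render(string(tmpl), &yaml.Step{})
+if err == nil {
+t.Errorf("Render should have returned err")
+}
+
+if !reflect.DeepEqual(got, want) {
+t.Errorf("Render is %v, want %v", got, want)
+}
+}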
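Review bot: Both new tests pass on any error from Render, so they would stay green if the fixture failed for an unrelated reason (for instance malformed YAML) while `env` or `expandenv` were still registered. Asserting on the cause ties the test to the removal: text/template reports an unknown function as `function "env" not defined`, so something like `if err == nil || !strings.Contains(err.Error(), "not defined") { t.Errorf("Render should have rejected the function, got: %v", err) }` would do (this needs the `strings` import). The ReadFile check should also be `t.Fatalf` rather than `t.Errorf`, otherwise a missing fixture lets the test continue with an empty template.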
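--- a/template/native/testdata/disallowed/tmpl_env.yml
+++ b/template/native/testdata/disallowed/tmpl_env.yml
@@ -0,0 +1,8 @@
+metadata:
+template: true
+
+steps:
+- name: echo
+commands:
+- echo {{ env "VELA_SOURCE_CLIENT" }}
+image: alpine:latest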
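--- a/template/native/testdata/disallowed/tmpl_expandenv.yml
+++ b/template/native/testdata/disallowed/tmpl_expandenv.yml
@@ -0,0 +1,8 @@
+metadata:
+template: true
+
+steps:
+- name: echo
+commands:
+- echo {{ expandenv "Your client id is set to $VELA_SOURCE_CLIENT" }}
+image: alpine:latest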
