ylqjgm / canvas-lms (mirror of https://github.com/instructure/canvas-lms.git)
Commit 00e15d2c3a: canvas-lms/gems/canvas_unzip/Rakefile (4 lines, 59 B, Ruby)
add frozen_string_literal comment to engines and gems

Change-Id: Ifb661509145c16937c9f1c28803687b7cec4b3a4
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/261815
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Reviewed-by: Rob Orton <rob@instructure.com>
QA-Review: Rob Orton <rob@instructure.com>
Product-Review: Rob Orton <rob@instructure.com>
2021-03-30 06:09:42 +08:00
# frozen_string_literal: true
ignore zip entries containing '..' elements or symlinks

extract core unzip functionality into canvas_unzip gem, and put security logic there. use this gem instead of shelling out to `unzip` (which does not have the option to skip symlinks).

test plan:
1. import 'evil_course_2.imscc' from CNVS-14338
   * there should be an import warning
   * you should get a blank syllabus body and definitely not see sensitive system data
2. import 'evil_sis_import.zip' from CNVS-14346
   * a file called '/tmp/pwn3d' should not have been created on your app server
3. sanity check the parts of canvas that unzip things:
   * course copy
   * course import
   * zip content imports via the API
   * zip file uploads from files page
   * assignment submission comments download/upload
   * sis imports

fixes CNVS-14338
fixes CNVS-14346

Change-Id: I38fa141653eb7bc483e99a28a135831b8cb3b2a6
Reviewed-on: https://gerrit.instructure.com/37959
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Clare Strong <clare@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
2014-07-22 05:59:11 +08:00
require "bundler/gem_tasks"
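The commit message above describes the security logic the canvas_unzip gem was created to hold: entries whose path contains a '..' element are ignored, and symlink entries are ignored, so that a crafted archive can neither write outside the extraction directory nor plant a link that later reads or writes through it. The following is an added example written for this page, not code from canvas_unzip or canvas-lms. It implements those two rules over a minimal stdlib-only zip reader (stored, uncompressed entries only, so it runs without the rubyzip gem), adds an absolute-path rule that the commit message does not state, and re-checks the expanded destination path as defence in depth. The archive, entry names and mode values are constructed test data modelled on the test plan.

```ruby
# Added example, not code from canvas_unzip or canvas-lms: a stdlib-only unzip
# routine that applies the two rules named in the commit message above (skip
# entries whose path contains a '..' element, skip symlink entries) and, as an
# extra check the message does not mention, refuses absolute paths. The archive
# is constructed in memory with stored (uncompressed) entries only, so the
# example runs offline without the rubyzip gem.
require "zlib"
require "fileutils"
require "tmpdir"

S_IFMT  = 0o170000 # file-type mask of a Unix mode
S_IFLNK = 0o120000 # symlink file type

# Build a stored-only zip from [name, data, unix_mode] triples. The Unix mode is
# placed in the high 16 bits of the central-directory external attributes, which
# is where unzip tools look to recognise a symlink entry.
def build_zip(entries)
  local, central = "".b, "".b
  entries.each do |name, data, mode|
    crc, size, offset = Zlib.crc32(data), data.bytesize, local.bytesize
    header = ["PK\x03\x04", 20, 0, 0, 0, 0, crc, size, size, name.bytesize, 0].pack("a4v5V3v2")
    local << header << name << data
    cdir = ["PK\x01\x02", (3 << 8) | 20, 20, 0, 0, 0, 0, crc, size, size,
            name.bytesize, 0, 0, 0, 0, mode << 16, offset].pack("a4v6V3v5V2")
    central << cdir << name
  end
  n = entries.size
  local + central + ["PK\x05\x06", 0, 0, n, n, central.bytesize, local.bytesize, 0].pack("a4v4V2v")
end

# Walk the central directory, returning [name, unix_mode, local_offset, size] per entry.
def zip_entries(bytes)
  eocd = bytes.rindex("PK\x05\x06".b) or raise ArgumentError, "not a zip archive"
  count, _cd_size, pos = bytes[eocd + 10, 10].unpack("vVV")
  Array.new(count) do
    raise ArgumentError, "bad central directory" unless bytes[pos, 4] == "PK\x01\x02".b
    size = bytes[pos + 24, 4].unpack1("V")
    nlen, xlen, clen = bytes[pos + 28, 6].unpack("v3")
    ext_attr, offset = bytes[pos + 38, 8].unpack("VV")
    name = bytes[pos + 46, nlen].force_encoding(Encoding::UTF_8)
    pos += 46 + nlen + xlen + clen
    [name, ext_attr >> 16, offset, size]
  end
end

# The policy from the commit message: reject symlinks and '..' path elements.
# The absolute-path rule is an addition of this example, not from the message.
def unsafe_reason(name, mode)
  return "symlink" if (mode & S_IFMT) == S_IFLNK
  return "absolute path" if name.start_with?("/") || name.match?(/\A[A-Za-z]:/)
  return "'..' path element" if name.split(%r{[\\/]}).include?("..")
  nil
end

# Extract into dest; returns [extracted names, warnings]. The expanded target
# path is re-checked against the destination root as defence in depth.
def safe_unzip(bytes, dest)
  root = File.expand_path(dest)
  extracted, warnings = [], []
  zip_entries(bytes).each do |name, mode, offset, size|
    if (why = unsafe_reason(name, mode))
      warnings << "skipped #{name.inspect}: #{why}"
      next
    end
    target = File.expand_path(name, root)
    unless target.start_with?(root + File::SEPARATOR)
      warnings << "skipped #{name.inspect}: escapes destination"
      next
    end
    nlen, xlen = bytes[offset + 26, 4].unpack("vv")
    FileUtils.mkdir_p(File.dirname(target))
    File.binwrite(target, bytes[offset + 30 + nlen + xlen, size])
    extracted << name
  end
  [extracted, warnings]
end

# Constructed sample modelled on the test plan: one benign file, a traversal
# entry, a symlink entry and an absolute-path entry (hypothetical names).
SAMPLE_ZIP = build_zip([
  ["course/syllabus.html", "<p>Welcome</p>", 0o100644],
  ["../../../etc/passwd", "root:x:0:0:root:/root:/bin/sh\n", 0o100644],
  ["course/link_to_passwd", "/etc/passwd", 0o120777],
  ["/tmp/pwn3d", "owned\n", 0o100644],
])

def demo
  Dir.mktmpdir("canvas_unzip_example") do |dir|
    extracted, warnings = safe_unzip(SAMPLE_ZIP, dir)
    { extracted: extracted, warnings: warnings,
      written: File.exist?(File.join(dir, "course", "syllabus.html")) }
  end
end

if $PROGRAM_NAME == __FILE__
  result = demo
  puts result[:extracted], result[:warnings]
end
```

Running `demo` extracts only `course/syllabus.html` and reports three warnings, one per rejected entry. The containment check on the expanded path is deliberately kept even though `unsafe_reason` already rejects every entry in the sample: it also catches cases the name-based rules do not anticipate, and it is the check that should survive any later relaxation of the name rules.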