cmd/cue: clarify the restrictions around @embed file paths

Only files in the same module containing the CUE file can be embedded.
Parent directory references are not allowed, which was not clear
from the documentation.

Update the Go package docs and help text, and add a test case.

Signed-off-by: Daniel Martí <mvdan@mvdan.cc>
Change-Id: Icc7c4588804d37135644f50e8c0e5c1f5d2eeac4
Reviewed-on: https://review.gerrithub.io/c/cue-lang/cue/+/1229764
Unity-Result: CUE porcuepine <cue.porcuepine@gmail.com>
Reviewed-by: Matthew Sackman <matthew@cue.works>
TryBot-Result: CUEcueckoo <cueckoo@cuelang.org>

+26 -4
+3 -2
cmd/cue/cmd/help.go
··· 265 265 For NDJSON or multi-document YAML files, embed as type=text 266 266 and use APIs like yaml.Extract to decode as a list. 267 267 268 - For security reasons, only files contained in the same module 269 - can be embedded. Embedding is forbidden when outside a module. 268 + Only files in the same module containing the CUE file can be embedded. 269 + Embedding is forbidden when outside a module, and parent directory 270 + references are not allowed. 270 271 271 272 Note that embedding CUE files is not supported at this time. 272 273
+20
cmd/cue/cmd/testdata/script/embed_err.txtar
··· 2 2 ! stdout . 3 3 cmp stderr out/err 4 4 5 + # Test that parent directory references are rejected even when the target 6 + # file is still inside the same module. 7 + ! exec cue eval ./subpkg 8 + ! stdout . 9 + cmp stderr out/subpkg-err 10 + 5 11 # On systems with symlink support, we follow symlinks when embedding files. 6 12 # TODO: add a test case for a symlink pointing to a file 7 13 # outside of the current module, as that should likely be forbidden. ··· 110 116 language: version: "v0.9.0" 111 117 -- a/b/foo.json -- 112 118 {"a": 1, "b": 2} 119 + -- subpkg/embed.cue -- 120 + @extern(embed) 121 + 122 + package subpkg 123 + 124 + // This file is in a subdirectory but ../test.json is still inside the module. 125 + // Parent directory references should still be rejected. 126 + parentFile: _ @embed(file="../test.json") 127 + parentGlob: _ @embed(glob="../*.json") 128 + -- out/subpkg-err -- 129 + @embed: cannot refer to parent directory: 130 + ./subpkg/embed.cue:7:15 131 + @embed: cannot refer to parent directory: 132 + ./subpkg/embed.cue:8:15 113 133 -- out/err -- 114 134 @embed: attribute must have file or glob field: 115 135 ./test.cue:5:8
+3 -2
cue/interpreter/embed/embed.go
··· 24 24 // all. This allows the @embed attribute to be used to load a file within a CUE 25 25 // module into a field. 26 26 // 27 - // References to files are always relative to directory in which the referring 28 - // file resides. Only files that exist within the CUE module are accessible. 27 + // References to files are always relative to the directory in which the 28 + // referring file resides. Only files in the same module containing the CUE 29 + // file can be embedded, and parent directory references are not allowed. 29 30 // 30 31 // # The @embed attribute 31 32 //
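Review bot: In cmd/cue/cmd/help.go, the replacement for old lines 268-269 drops the "For security reasons" rationale and does not say that parent directory references are rejected even when the target file is still inside the same module, which is exactly the case the new test in embed_err.txtar covers. A user who hits "cannot refer to parent directory" for a file that is in the module will not learn from this text that the rejection is intentional. Consider keeping the rationale and ending the sentence with something like "parent directory references are not allowed, even if the target is inside the module".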
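Review bot: In cmd/cue/cmd/testdata/script/embed_err.txtar, the new subpkg/embed.cue case only exercises paths that begin with "../" (file="../test.json" and glob="../*.json"), so the test does not pin down what happens when ".." appears as an interior path element. Consider adding one file= and one glob= case with ".." in the middle of the path, with the expected error recorded in out/subpkg-err, so the documented rule "parent directory references are not allowed" is covered for both forms. The TODO kept as context in the same hunk, about a symlink pointing to a file outside of the current module, is still open; since this change tightens the documented boundary, it would be worth linking that TODO to a tracking issue.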
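Review bot: In cue/interpreter/embed/embed.go, new lines 27-29 state that references are relative to the referring file's directory and that parent directory references are not allowed, but leave the reader to combine the two. As worded, that reads as a narrower bound than "in the same module": a CUE file can only embed files in its own directory or below it. If that is the intent, state it directly in the package doc, and mention that it applies to both file= and glob=, as the new test does.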