Require roots for all CLI tools #101
Conversation
…hs and specified roots to fall under those roots
|
cc @domesticmouse I know you said you were giving a demo soon, this could affect that so I will wait to land this until your demo is done, please let me know when its safe :) |
PR HealthChangelog Entry ✔️
Changes to files need to be accounted for in their respective changelogs. |
| /// Returns whether or not [rootUri] is an allowed root, either exactly matching | ||
| /// or under on of the [knownRoots]. | ||
| bool _isAllowedRoot(String rootUri, List<Root> knownRoots) => | ||
| knownRoots.any((knownRoot) => knownRoot.uri.startsWith(rootUri)); |
There was a problem hiding this comment.
shouldn't this check that rootUri.startsWith(knownRoot.uri) instead?
There was a problem hiding this comment.
I rewrote this to also make sure you can't circumvent it using ../ and added tests
| // BSD-style license that can be found in the LICENSE file. | ||
|
|
||
| /// A namespace for all the parameter names. | ||
| extension ParameterNames on Never { |
There was a problem hiding this comment.
why extend Never rather than just creating a new abstract class?
There was a problem hiding this comment.
Extensions are a bit more restricted (can't be implemented/extended etc), and don't create a real type (they disappear at runtime entirely) so they are technically cheaper.
There was a problem hiding this comment.
Note also that static methods on extensions are not actually added to Never either, so this has no impact on the Never type anywhere it appears.
Updates all CLI tools to only allow them to be ran under one of the client specified roots. - If paths are specified, those also must not escape the roots. - Make roots not required any longer, use the client specified roots by default for all tools. - Create some shared constants for argument names and a shared function to create the schemas for the roots parameters.
Updates all CLI tools to only allow them to be ran under one of the client specified roots.