From 90d229167994a15589aaf5889c2e4df816c8960d Mon Sep 17 00:00:00 2001
From: Peter Gundel
Date: Tue, 12 Apr 2022 21:15:01 +0200
Subject: [PATCH] Reduce file permission As suggested by @pjbgf
Co-authored-by: Paulo Gomes
Co-authored-by: Paulo Gomes
Signed-off-by: Peter Gundel
---
 controllers/storage.go | 4 +--
 controllers/storage_test.go | 12 +++----
 internal/fs/fs_test.go | 36 +++++++++----------
 internal/helm/chart/builder_local_test.go | 4 +--
 internal/helm/chart/metadata_test.go | 4 +--
 .../helm/repository/chart_repository_test.go | 2 +-
 main.go | 2 +-
 pkg/sourceignore/sourceignore_test.go | 4 +--
 tests/fuzz/gitrepository_fuzzer.go | 2 +-
 9 files changed, 35 insertions(+), 35 deletions(-)
diff --git a/controllers/storage.go b/controllers/storage.go
index bcd1b17e0..13f1fa0aa 100644
--- a/controllers/storage.go
+++ b/controllers/storage.go
@@ -112,7 +112,7 @@ func (s Storage) SetHostname(URL string) string {
 // MkdirAll calls os.MkdirAll for the given v1beta1.Artifact base dir.
 func (s *Storage) MkdirAll(artifact sourcev1.Artifact) error {
 dir := filepath.Dir(s.LocalPath(artifact))
- return os.MkdirAll(dir, 0o777)
+ return os.MkdirAll(dir, 0o770)
 }
 // RemoveAll calls os.RemoveAll for the given v1beta1.Artifact base dir.
@@ -432,7 +432,7 @@ func (s *Storage) Archive(artifact *sourcev1.Artifact, dir string, filter Archiv
 return err
 }
- if err := os.Chmod(tmpName, 0o644); err != nil {
+ if err := os.Chmod(tmpName, 0o640); err != nil {
 return err
 }
diff --git a/controllers/storage_test.go b/controllers/storage_test.go
index a699ff5e4..e3550bd59 100644
--- a/controllers/storage_test.go
+++ b/controllers/storage_test.go
@@ -136,7 +136,7 @@ func TestStorage_Archive(t *testing.T) {
 }
 for name, b := range files {
 absPath := filepath.Join(dir, name)
- if err = os.MkdirAll(filepath.Dir(absPath), 0o755); err != nil {
+ if err = os.MkdirAll(filepath.Dir(absPath), 0o750); err != nil {
 return
 }
 f, err := os.Create(absPath)
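Review bot: In Storage.MkdirAll the new `0o770` only applies to directories that os.MkdirAll actually creates, and the process umask is still subtracted from it; an artifact directory that already exists (for instance one written by an earlier release onto a persistent volume) keeps its previous, wider mode. The doc comment should state that, e.g. `// MkdirAll calls os.MkdirAll for the given v1beta1.Artifact base dir, requesting mode 0o770 (before umask); existing directories keep their current mode.` If tightening existing trees is the goal, that needs an explicit chmod step, which this commit does not add.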
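Review bot: In Storage.Archive the bare literal `0o640` is now the second unexplained mode constant in storage.go (next to `0o770` in MkdirAll), and nothing records why group read access is kept while world access is dropped. Declaring it once, for example `const artifactFileMode os.FileMode = 0o640` with a comment naming who is expected to read artifacts, would make it harder for a later write path to drift back to a world-readable mode. Archive begins and ends outside this hunk, so whether other writers in this file set their own mode cannot be checked from here.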
@@ -316,7 +316,7 @@ func TestStorageRemoveAllButCurrent(t *testing.T) {
 // Create artifact dir and artifacts.
 artifactDir := path.Join(dir, "foo", "bar")
- g.Expect(os.MkdirAll(artifactDir, 0o755)).NotTo(HaveOccurred())
+ g.Expect(os.MkdirAll(artifactDir, 0o750)).NotTo(HaveOccurred())
 current := []string{
 path.Join(artifactDir, "artifact1.tar.gz"),
 }
@@ -378,7 +378,7 @@ func TestStorageRemoveAll(t *testing.T) {
 }
 if tt.createArtifactPath {
- g.Expect(os.MkdirAll(path.Join(dir, tt.artifactPath), 0o755)).ToNot(HaveOccurred())
+ g.Expect(os.MkdirAll(path.Join(dir, tt.artifactPath), 0o750)).ToNot(HaveOccurred())
 }
 deleted, err := s.RemoveAll(artifact)
@@ -412,7 +412,7 @@ func TestStorageCopyFromPath(t *testing.T) {
 }
 t.Cleanup(cleanupStoragePath(dir))
 absPath = filepath.Join(dir, file.Name)
- if err = os.MkdirAll(filepath.Dir(absPath), 0o755); err != nil {
+ if err = os.MkdirAll(filepath.Dir(absPath), 0o750); err != nil {
 return
 }
 f, err := os.Create(absPath)
@@ -591,7 +591,7 @@ func TestStorage_getGarbageFiles(t *testing.T) {
 artifact := sourcev1.Artifact{
 Path: tt.artifactPaths[len(tt.artifactPaths)-1],
 }
- g.Expect(os.MkdirAll(path.Join(dir, artifactFolder), 0o755)).ToNot(HaveOccurred())
+ g.Expect(os.MkdirAll(path.Join(dir, artifactFolder), 0o750)).ToNot(HaveOccurred())
 for _, artifactPath := range tt.artifactPaths {
 f, err := os.Create(path.Join(dir, artifactPath))
 g.Expect(err).ToNot(HaveOccurred())
@@ -667,7 +667,7 @@ func TestStorage_GarbageCollect(t *testing.T) {
 artifact := sourcev1.Artifact{
 Path: tt.artifactPaths[len(tt.artifactPaths)-1],
 }
- g.Expect(os.MkdirAll(path.Join(dir, artifactFolder), 0o755)).ToNot(HaveOccurred())
+ g.Expect(os.MkdirAll(path.Join(dir, artifactFolder), 0o750)).ToNot(HaveOccurred())
 for i, artifactPath := range tt.artifactPaths {
 f, err := os.Create(path.Join(dir, artifactPath))
 g.Expect(err).ToNot(HaveOccurred())
diff --git a/internal/fs/fs_test.go b/internal/fs/fs_test.go
index 4f3a4f20f..fa51eae4a 100644
--- a/internal/fs/fs_test.go
+++ b/internal/fs/fs_test.go
@@ -42,12 +42,12 @@ func TestRenameWithFallback(t *testing.T) {
 }
 srcpath = filepath.Join(dir, "a")
- if err = os.MkdirAll(srcpath, 0o777); err != nil {
+ if err = os.MkdirAll(srcpath, 0o770); err != nil {
 t.Fatal(err)
 }
 dstpath := filepath.Join(dir, "b")
- if err = os.MkdirAll(dstpath, 0o777); err != nil {
+ if err = os.MkdirAll(dstpath, 0o770); err != nil {
 t.Fatal(err)
 }
@@ -64,7 +64,7 @@ func TestCopyDir(t *testing.T) {
 defer os.RemoveAll(dir)
 srcdir := filepath.Join(dir, "src")
- if err := os.MkdirAll(srcdir, 0o755); err != nil {
+ if err := os.MkdirAll(srcdir, 0o750); err != nil {
 t.Fatal(err)
 }
@@ -81,7 +81,7 @@ func TestCopyDir(t *testing.T) {
 for i, file := range files {
 fn := filepath.Join(srcdir, file.path)
 dn := filepath.Dir(fn)
- if err = os.MkdirAll(dn, 0o755); err != nil {
+ if err = os.MkdirAll(dn, 0o750); err != nil {
 t.Fatal(err)
 }
@@ -151,7 +151,7 @@ func TestCopyDirFail_SrcInaccessible(t *testing.T) {
 cleanup := setupInaccessibleDir(t, func(dir string) error {
 srcdir = filepath.Join(dir, "src")
- return os.MkdirAll(srcdir, 0o755)
+ return os.MkdirAll(srcdir, 0o750)
 })
 defer cleanup()
@@ -184,7 +184,7 @@ func TestCopyDirFail_DstInaccessible(t *testing.T) {
 defer os.RemoveAll(dir)
 srcdir = filepath.Join(dir, "src")
- if err = os.MkdirAll(srcdir, 0o755); err != nil {
+ if err = os.MkdirAll(srcdir, 0o750); err != nil {
 t.Fatal(err)
 }
@@ -235,12 +235,12 @@ func TestCopyDirFail_DstExists(t *testing.T) {
 defer os.RemoveAll(dir)
 srcdir = filepath.Join(dir, "src")
- if err = os.MkdirAll(srcdir, 0o755); err != nil {
+ if err = os.MkdirAll(srcdir, 0o750); err != nil {
 t.Fatal(err)
 }
 dstdir = filepath.Join(dir, "dst")
- if err = os.MkdirAll(dstdir, 0o755); err != nil {
+ if err = os.MkdirAll(dstdir, 0o750); err != nil {
 t.Fatal(err)
 }
@@ -273,7 +273,7 @@ func TestCopyDirFailOpen(t *testing.T) {
 defer os.RemoveAll(dir)
 srcdir = filepath.Join(dir, "src")
- if err = os.MkdirAll(srcdir, 0o755); err != nil {
+ if err = os.MkdirAll(srcdir, 0o750); err != nil {
 t.Fatal(err)
 }
@@ -285,7 +285,7 @@ func TestCopyDirFailOpen(t *testing.T) {
 srcf.Close()
 // setup source file so that it cannot be read
- if err = os.Chmod(srcfn, 0o222); err != nil {
+ if err = os.Chmod(srcfn, 0o220); err != nil {
 t.Fatal(err)
 }
@@ -419,11 +419,11 @@ func TestCopyFileLongFilePath(t *testing.T) {
 }
 fullPath := filepath.Join(dir, dirName, string(os.PathSeparator))
- if err := os.MkdirAll(fullPath, 0o755); err != nil && !os.IsExist(err) {
+ if err := os.MkdirAll(fullPath, 0o750); err != nil && !os.IsExist(err) {
 t.Fatalf("%+v", fmt.Errorf("unable to create temp directory: %s", fullPath))
 }
- err = os.WriteFile(fullPath+"src", []byte(nil), 0o644)
+ err = os.WriteFile(fullPath+"src", []byte(nil), 0o640)
 if err != nil {
 t.Fatalf("%+v", err)
 }
@@ -460,7 +460,7 @@ func TestCopyFileFail(t *testing.T) {
 cleanup := setupInaccessibleDir(t, func(dir string) error {
 dstdir = filepath.Join(dir, "dir")
- return os.Mkdir(dstdir, 0o777)
+ return os.Mkdir(dstdir, 0o770)
 })
 defer cleanup()
@@ -493,7 +493,7 @@ func setupInaccessibleDir(t *testing.T, op func(dir string) error) func() {
 subdir := filepath.Join(dir, "dir")
 cleanup := func() {
- if err := os.Chmod(subdir, 0o777); err != nil {
+ if err := os.Chmod(subdir, 0o770); err != nil {
 t.Error(err)
 }
 if err := os.RemoveAll(dir); err != nil {
@@ -501,7 +501,7 @@ func setupInaccessibleDir(t *testing.T, op func(dir string) error) func() {
 }
 }
- if err := os.Mkdir(subdir, 0o777); err != nil {
+ if err := os.Mkdir(subdir, 0o770); err != nil {
 cleanup()
 t.Fatal(err)
 return nil
@@ -513,7 +513,7 @@ func setupInaccessibleDir(t *testing.T, op func(dir string) error) func() {
 return nil
 }
- if err := os.Chmod(subdir, 0o666); err != nil {
+ if err := os.Chmod(subdir, 0o660); err != nil {
 cleanup()
 t.Fatal(err)
 return nil
@@ -532,7 +532,7 @@ func TestIsDir(t *testing.T) {
 cleanup := setupInaccessibleDir(t, func(dir string) error {
 dn = filepath.Join(dir, "dir")
- return os.Mkdir(dn, 0o777)
+ return os.Mkdir(dn, 0o770)
 })
 defer cleanup()
@@ -575,7 +575,7 @@ func TestIsSymlink(t *testing.T) {
 defer os.RemoveAll(dir)
 dirPath := filepath.Join(dir, "directory")
- if err = os.MkdirAll(dirPath, 0o777); err != nil {
+ if err = os.MkdirAll(dirPath, 0o770); err != nil {
 t.Fatal(err)
 }
diff --git a/internal/helm/chart/builder_local_test.go b/internal/helm/chart/builder_local_test.go
index e63888fff..57f828f4c 100644
--- a/internal/helm/chart/builder_local_test.go
+++ b/internal/helm/chart/builder_local_test.go
@@ -201,7 +201,7 @@ fullnameOverride: "full-foo-name-override"`),
 // Write value file in the base dir.
 for _, f := range tt.valuesFiles {
 vPath := filepath.Join(localRef.WorkDir, f.Name)
- g.Expect(os.WriteFile(vPath, f.Data, 0o644)).ToNot(HaveOccurred())
+ g.Expect(os.WriteFile(vPath, f.Data, 0o640)).ToNot(HaveOccurred())
 }
 // Write chart dependencies in the base dir.
@@ -336,7 +336,7 @@ func Test_mergeFileValues(t *testing.T) {
 defer os.RemoveAll(baseDir)
 for _, f := range tt.files {
- g.Expect(os.WriteFile(filepath.Join(baseDir, f.Name), f.Data, 0o644)).To(Succeed())
+ g.Expect(os.WriteFile(filepath.Join(baseDir, f.Name), f.Data, 0o640)).To(Succeed())
 }
 got, err := mergeFileValues(baseDir, tt.paths)
diff --git a/internal/helm/chart/metadata_test.go b/internal/helm/chart/metadata_test.go
index b7cf4611b..20c39bc7a 100644
--- a/internal/helm/chart/metadata_test.go
+++ b/internal/helm/chart/metadata_test.go
@@ -140,7 +140,7 @@ func TestLoadChartMetadataFromDir(t *testing.T) {
 copy.Copy("../testdata/charts/helmchart", tmpDir)
 bigRequirementsFile := filepath.Join(tmpDir, "requirements.yaml")
 data := make([]byte, helm.MaxChartFileSize+10)
- g.Expect(os.WriteFile(bigRequirementsFile, data, 0o644)).ToNot(HaveOccurred())
+ g.Expect(os.WriteFile(bigRequirementsFile, data, 0o640)).ToNot(HaveOccurred())
 tests := []struct {
 name string
@@ -205,7 +205,7 @@ func TestLoadChartMetadataFromArchive(t *testing.T) {
 defer os.RemoveAll(tmpDir)
 bigArchiveFile := filepath.Join(tmpDir, "chart.tgz")
 data := make([]byte, helm.MaxChartSize+10)
- g.Expect(os.WriteFile(bigArchiveFile, data, 0o644)).ToNot(HaveOccurred())
+ g.Expect(os.WriteFile(bigArchiveFile, data, 0o640)).ToNot(HaveOccurred())
 tests := []struct {
 name string
diff --git a/internal/helm/repository/chart_repository_test.go b/internal/helm/repository/chart_repository_test.go
index e1fceffda..ce33d8f0f 100644
--- a/internal/helm/repository/chart_repository_test.go
+++ b/internal/helm/repository/chart_repository_test.go
@@ -363,7 +363,7 @@ func TestChartRepository_LoadIndexFromFile(t *testing.T) {
 defer os.RemoveAll(tmpDir)
 bigIndexFile := filepath.Join(tmpDir, "index.yaml")
 data := make([]byte, helm.MaxIndexSize+10)
- g.Expect(os.WriteFile(bigIndexFile, data, 0o644)).ToNot(HaveOccurred())
+ g.Expect(os.WriteFile(bigIndexFile, data, 0o640)).ToNot(HaveOccurred())
 tests := []struct {
 name string
diff --git a/main.go b/main.go
index 0be197a92..5b6af0e39 100644
--- a/main.go
+++ b/main.go
@@ -299,7 +299,7 @@ func mustInitStorage(path string, storageAdvAddr string, artifactRetentionTTL ti
 if path == "" {
 p, _ := os.Getwd()
 path = filepath.Join(p, "bin")
- os.MkdirAll(path, 0o777)
+ os.MkdirAll(path, 0o770)
 }
 storage, err := controllers.NewStorage(path, storageAdvAddr, artifactRetentionTTL, artifactRetentionRecords)
diff --git a/pkg/sourceignore/sourceignore_test.go b/pkg/sourceignore/sourceignore_test.go
index 3b0324e6b..cbd73352d 100644
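Review bot: In mustInitStorage (main.go) the result of `os.MkdirAll(path, 0o770)` is still discarded, as is the error from `os.Getwd()` one line above it, so a failure to create the fallback storage directory only surfaces later, in NewStorage or on the first write. Check it, e.g. `if err := os.MkdirAll(path, 0o770); err != nil {`, and handle it the same way the function handles the error returned by controllers.NewStorage just below. The call also leaves an already existing `bin` directory at whatever mode it had, so the tighter mode is not guaranteed on reused paths. The function body continues outside the hunk.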
--- a/pkg/sourceignore/sourceignore_test.go
+++ b/pkg/sourceignore/sourceignore_test.go
@@ -209,10 +209,10 @@ func TestLoadExcludePatterns(t *testing.T) {
 "a/b/.sourceignore": "subdir.txt",
 }
 for n, c := range files {
- if err = os.MkdirAll(filepath.Join(tmpDir, filepath.Dir(n)), 0o755); err != nil {
+ if err = os.MkdirAll(filepath.Join(tmpDir, filepath.Dir(n)), 0o750); err != nil {
 t.Fatal(err)
 }
- if err = os.WriteFile(filepath.Join(tmpDir, n), []byte(c), 0o644); err != nil {
+ if err = os.WriteFile(filepath.Join(tmpDir, n), []byte(c), 0o640); err != nil {
 t.Fatal(err)
 }
 }
diff --git a/tests/fuzz/gitrepository_fuzzer.go b/tests/fuzz/gitrepository_fuzzer.go
index 32581d8b9..158c0650d 100644
--- a/tests/fuzz/gitrepository_fuzzer.go
+++ b/tests/fuzz/gitrepository_fuzzer.go
@@ -494,7 +494,7 @@ func createRandomFiles(f *fuzz.ConsumeFuzzer, fs billy.Filesystem, wt *git.Workt
 return errors.New("Dir contains '..'")
 }
- err = fs.MkdirAll(dirPath, 0o777)
+ err = fs.MkdirAll(dirPath, 0o770)
 if err != nil {
 return errors.New("Could not create the subDir")
 }