From 9344eef60cbc66914104f9fd861235f64a912197 Mon Sep 17 00:00:00 2001 From: Rudi Grinberg Date: Wed, 30 Aug 2023 11:22:41 +0100 Subject: [PATCH] fix: forbid escaping the context root (#8539) Signed-off-by: Rudi Grinberg --- src/dune_rules/expander.ml | 11 ++++++++++- test/blackbox-tests/test-cases/github7962.t | 11 ++++++----- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/src/dune_rules/expander.ml b/src/dune_rules/expander.ml index a8cfc066479..8ddcd35cfdd 100644 --- a/src/dune_rules/expander.ml +++ b/src/dune_rules/expander.ml @@ -771,7 +771,16 @@ let make let expand_path t sw = let+ v = expand t ~mode:Single sw in - Value.to_path v ~error_loc:(String_with_vars.loc sw) ~dir:(Path.build t.dir) + let loc = String_with_vars.loc sw in + let path = Value.to_path v ~error_loc:loc ~dir:(Path.build t.dir) in + let context_root = t.context.build_context.build_dir in + (match Path.as_in_build_dir path with + | Some p when not (Path.Build.is_descendant p ~of_:context_root) -> + (* TODO consider turning these into external paths, since we already allow + them to be specified as absolute paths. *) + User_error.raise ~loc [ Pp.text "path cannot escape the context root" ] + | _ -> ()); + path ;; let expand_str t sw = diff --git a/test/blackbox-tests/test-cases/github7962.t b/test/blackbox-tests/test-cases/github7962.t index 11244570064..e5a6f5a1053 100644 --- a/test/blackbox-tests/test-cases/github7962.t +++ b/test/blackbox-tests/test-cases/github7962.t @@ -15,8 +15,9 @@ external directory. > (deps (source_tree ../ext))) > EOF - $ (cd proj; dune runtest) 2>&1 | head -n 4 - Internal error, please report upstream including the contents of _build/log. - Description: - ("[gen_rules] did not specify rules for the context", - { context_or_install = "ext" }) + $ (cd proj; dune runtest) + File "dune", line 3, characters 20-26: + 3 | (deps (source_tree ../ext))) + ^^^^^^ + Error: path cannot escape the context root + [1]