feat(apps): stepped creation wizard, branch previews, and app-creation fixes
This session (frontend focus):
- Rebuild /apps/new as a 4-step wizard (Basics → Configure → Trigger → Review):
WizardRail, SourceKindPicker card grid, AppManifest review, per-step validation,
ConfirmDialog-based unsaved-changes guard.
- Extract lib/workload/sourceForms.ts (single source of truth for source_config)
+ {Image,Compose,Static,Dockerfile}SourceForm + StaticDiscoveryWizard; fold the
/apps/[id] edit form onto the same components (removes the duplication). Add
vitest + sourceForms unit tests.
- Branch preview environments UI: /chain is_preview/preview_branch + a Preview
environments panel on /apps/[id] (per-branch URLs, ConfirmDialog teardown, armed
state); RegistryImagePicker on the registry trigger and the image source.
- Fixes: image-inspect 404 -> admin-gated POST /api/discovery/image/inspect;
conflict-panel blur flicker; friendly localized discovery errors; CPU/Memory
label hints; dashboard + /apps "Total workloads" count only source_kind workloads
(drop stale trigger_kind gate); NPM cert/access-list name cache; EntityPicker
empty-list guard.
- Update CLAUDE.md frontend conventions + add a Build & Test section.
Also captures pre-existing in-progress platform work (not from this session):
workload notifications, Prometheus metrics export, store lockfile, health probes,
backup hardening, and related store/webhook/scheduler changes.
This commit is contained in:
@@ -169,6 +169,18 @@ func SaveFile(rootPath, relativePath string, r io.Reader) error {
|
||||
|
||||
// safePath resolves a relative path within rootPath and validates it doesn't escape.
|
||||
// Resolves symlinks to prevent symlink-based traversal attacks.
|
||||
//
|
||||
// The check used to be `strings.HasPrefix(absResolved, absRoot)` which has
|
||||
// a classic boundary bug: a sibling root at /data/vol10 would pass the
|
||||
// prefix test for /data/vol1. The fix enforces a separator boundary so
|
||||
// the only allowed cases are absResolved == absRoot OR absResolved begins
|
||||
// with absRoot + separator.
|
||||
//
|
||||
// For paths that don't yet exist (e.g. SaveFile creating a new file),
|
||||
// EvalSymlinks returns an error and we fall back to the lexical path.
|
||||
// In that case we walk every existing ancestor with EvalSymlinks too —
|
||||
// if any ancestor is a symlink that escapes the root, we reject. This
|
||||
// closes the prior gap where pre-planted symlinks could divert writes.
|
||||
func safePath(rootPath, relativePath string) (string, error) {
|
||||
if relativePath == "" {
|
||||
return rootPath, nil
|
||||
@@ -176,7 +188,7 @@ func safePath(rootPath, relativePath string) (string, error) {
|
||||
|
||||
// Clean and ensure no traversal.
|
||||
cleaned := filepath.Clean(relativePath)
|
||||
if strings.Contains(cleaned, "..") {
|
||||
if cleaned == ".." || strings.HasPrefix(cleaned, ".."+string(filepath.Separator)) || strings.Contains(cleaned, string(filepath.Separator)+".."+string(filepath.Separator)) {
|
||||
return "", fmt.Errorf("path traversal not allowed")
|
||||
}
|
||||
|
||||
@@ -191,18 +203,66 @@ func safePath(rootPath, relativePath string) (string, error) {
|
||||
absRoot = realRoot
|
||||
}
|
||||
|
||||
// Resolve the target path including symlinks.
|
||||
// Resolve the target path. If the leaf doesn't exist (write path),
|
||||
// walk parent directories — any of which may already be a symlink.
|
||||
absResolved, err := filepath.Abs(absPath)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("resolve path: %w", err)
|
||||
}
|
||||
if realResolved, err := filepath.EvalSymlinks(absResolved); err == nil {
|
||||
absResolved = realResolved
|
||||
} else {
|
||||
// Leaf missing — resolve the deepest existing ancestor and
|
||||
// re-join the unresolved tail. This catches a pre-planted
|
||||
// symlink in any parent dir. An error here means an ancestor
|
||||
// could not be resolved (e.g. a symlink we cannot follow): we MUST
|
||||
// reject rather than fall back to the lexical path, which still
|
||||
// carries the absRoot prefix and would let a symlink ancestor that
|
||||
// escapes the root slip past the boundary check below.
|
||||
resolved, tailErr := resolveExistingAncestor(absResolved)
|
||||
if tailErr != nil {
|
||||
return "", fmt.Errorf("path traversal not allowed")
|
||||
}
|
||||
if resolved != "" {
|
||||
absResolved = resolved
|
||||
}
|
||||
}
|
||||
|
||||
if !strings.HasPrefix(absResolved, absRoot) {
|
||||
if absResolved != absRoot && !strings.HasPrefix(absResolved, absRoot+string(filepath.Separator)) {
|
||||
return "", fmt.Errorf("path traversal not allowed")
|
||||
}
|
||||
|
||||
return absPath, nil
|
||||
}
|
||||
|
||||
// resolveExistingAncestor walks p upward until it finds an existing
|
||||
// directory, resolves its symlinks, then rejoins the missing tail.
|
||||
// Returns ("", nil) when no ancestor exists (vanishingly rare).
|
||||
func resolveExistingAncestor(p string) (string, error) {
|
||||
tail := ""
|
||||
cur := p
|
||||
for {
|
||||
if cur == "" || cur == "/" || cur == filepath.VolumeName(cur)+string(filepath.Separator) {
|
||||
return "", nil
|
||||
}
|
||||
info, err := os.Lstat(cur)
|
||||
if err == nil {
|
||||
real, rerr := filepath.EvalSymlinks(cur)
|
||||
if rerr != nil {
|
||||
return "", rerr
|
||||
}
|
||||
_ = info
|
||||
if tail == "" {
|
||||
return real, nil
|
||||
}
|
||||
return filepath.Join(real, tail), nil
|
||||
}
|
||||
// Move one level up.
|
||||
parent := filepath.Dir(cur)
|
||||
if parent == cur {
|
||||
return "", nil
|
||||
}
|
||||
tail = filepath.Join(filepath.Base(cur), tail)
|
||||
cur = parent
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user