Plugins: Use file extension allowlist when serving plugin assets instead of checking for UNIX executable (#37688)

* explicitly check for plugin binary * remove check completely * resolve conflicts * allow module + logos * add tests * simplify * rework to allowlist * add case * remove old stuff * simplify * add case insensitive test
2025-07-29 00:32:21 +08:00 · 2021-08-09 16:07:54 +02:00
parent fe500315f0
commit e0315dabe8
2 changed files with 107 additions and 9 deletions
--- a/pkg/api/plugins_test.go
+++ b/pkg/api/plugins_test.go
@ -0,0 +1,89 @@
+package api
+
+import (
+	"testing"
+)
+
+func Test_accessForbidden(t *testing.T) {
+	type testCase struct {
+		filename string
+	}
+	tests := []struct {
+		name            string
+		t               testCase
+		accessForbidden bool
+	}{
+		{
+			name: ".exe files are forbidden",
+			t: testCase{
+				filename: "test.exe",
+			},
+			accessForbidden: true,
+		},
+		{
+			name: ".sh files are forbidden",
+			t: testCase{
+				filename: "test.sh",
+			},
+			accessForbidden: true,
+		},
+		{
+			name: "js is not forbidden",
+			t: testCase{
+
+				filename: "module.js",
+			},
+			accessForbidden: false,
+		},
+		{
+			name: "logos are not forbidden",
+			t: testCase{
+
+				filename: "logo.svg",
+			},
+			accessForbidden: false,
+		},
+		{
+			name: "JPGs are not forbidden",
+			t: testCase{
+				filename: "img/test.jpg",
+			},
+			accessForbidden: false,
+		},
+		{
+			name: "JPEGs are not forbidden",
+			t: testCase{
+				filename: "img/test.jpeg",
+			},
+			accessForbidden: false,
+		},
+		{
+			name: "ext case is ignored",
+			t: testCase{
+				filename: "scripts/runThis.SH",
+			},
+			accessForbidden: true,
+		},
+		{
+			name: "no file ext is forbidden",
+			t: testCase{
+				filename: "scripts/runThis",
+			},
+			accessForbidden: true,
+		},
+		{
+			name: "empty file ext is forbidden",
+			t: testCase{
+				filename: "scripts/runThis.",
+			},
+			accessForbidden: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := accessForbidden(tt.t.filename); got != tt.accessForbidden {
+				t.Errorf("accessForbidden() = %v, accessForbidden %v", got, tt.accessForbidden)
+			}
+		})
+	}
+}