Support URLs in hostDir policies (#146)

fkorotkov · web-flow · commit dc3eeef5b113 · 2023-10-24T21:01:34.000+04:00
* Support URLs in hostDir policies We can't just blindly allow remote URLs since they might contain symlinks leading to outside the archive. Instead, let's support specifying URLs where the remote archive can come from. Fixes #145 * Ignore Lint issue * Reverted old validation logic
diff --git a/pkg/resource/v1/host_dir_policy.go b/pkg/resource/v1/host_dir_policy.go
@@ -14,6 +14,13 @@ type HostDirPolicy struct {
 }
 
 func NewHostDirPolicyFromString(s string) (HostDirPolicy, error) {
+	if strings.HasPrefix(s, "http://") || strings.HasPrefix(s, "https://") {
+		return HostDirPolicy{
+			PathPrefix: strings.TrimSuffix(s, ":ro"),
+			ReadOnly:   strings.HasSuffix(s, ":ro"),
+		}, nil
+	}
+
 	parts := strings.Split(s, ":")
 
 	if len(parts) > 2 {
diff --git a/pkg/resource/v1/host_dir_policy_test.go b/pkg/resource/v1/host_dir_policy_test.go
@@ -61,3 +61,14 @@ func TestHostDirPolicyString(t *testing.T) {
 	policyRo := &v1.HostDirPolicy{PathPrefix: "/Users/ci/src", ReadOnly: true}
 	require.EqualValues(t, "/Users/ci/src:ro", policyRo.String())
 }
+
+func TestHTTPHostDirPolicyString(t *testing.T) {
+	policy, err := v1.NewHostDirPolicyFromString("https://github.com/actions/runner/releases/download")
+	require.NoError(t, err)
+	require.EqualValues(t, v1.HostDirPolicy{
+		PathPrefix: "https://github.com/actions/runner/releases/download",
+		ReadOnly:   false,
+	}, policy)
+	//nolint: lll
+	require.True(t, policy.Validate("https://github.com/actions/runner/releases/download/v2.309.0/actions-runner-osx-arm64-2.309.0.tar.gz", false))
+}
