Check for writes outside of the build directory #2974
@powerboat9 The MacOS CI broke, we repaired it but you need to rebase your branch now.
That specific issue was addressed by #2947 "Move 'libformat_parser' build into the GCC build directory, and into libgrust" -- but yes, good idea to actually make sure we're not introducing similar things again! 👍
Instead of `chmod -R a-w *`, it's good practice to use `chmod -R a-w ./*` (or something similar) -- or just `chmod -R a-w .` in fact 🙃 -- so that "malicious" files starting with `-` can't possibly affect the `chmod` command.
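Added example (not part of the review comment or of the project's workflow): a sketch of what each operand form from the comment above hands to the command's option parser, using a scratch directory. The file names and helper function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. File names below are constructed for the demo.

# Print how many arguments begin with '-': these are the words a command
# such as chmod could parse as options instead of file operands.
count_dash_args() {
    n=0
    for arg in "$@"; do
        case $arg in -*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Create a scratch tree holding two ordinary files and one file whose
# name looks like an option; print the directory path.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    : > "$d/Makefile"
    : > "$d/README"
    : > "$d/--reference=Makefile"
    echo "$d"
}

# Expand one operand form inside the scratch tree and report how many of
# the resulting words start with '-'. Forms: bare (*), prefixed (./*), dot (.)
dash_args_for() {
    tree=$(make_demo_tree) || return 1
    (
        cd "$tree" || exit 1
        case $1 in
            bare)     count_dash_args * ;;
            prefixed) count_dash_args ./* ;;
            dot)      count_dash_args . ;;
        esac
    )
    rm -rf -- "$tree"
}

# Run the prefixed form for real and print the resulting mode string of
# the option-looking file, showing it was handled as a plain operand.
mode_after_prefixed_chmod() {
    tree=$(make_demo_tree) || return 1
    (
        cd "$tree" || exit 1
        chmod -R a-w ./*
        ls -ld ./--reference=Makefile | cut -c1-10
    )
    rm -rf -- "$tree"
}
```

Note that `./*` still skips dot-files, while `.` covers the whole tree, including the directory itself.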
Eh, the build now actually is failing due to a similar issue:
...., so that'll need to be addressed first (in a similar way as #2947 "Move 'libformat_parser' build into the GCC build directory, and into libgrust", I suppose).
From what I see from
It's easy enough to try:
Looks like cargo is trying to update the lock file and failing. I've noticed ffi-polonius does not use the same cargo config as libformat parser. Maybe we should update the cargo invocation with a
ChangeLog:

	* .github/workflows/ccpp.yml: Make files outside the build directory read-only.

Signed-off-by: Owen Avery <powerboat9.gamer@gmail.com>
I noticed that `libgrust/libformat_parser/target` was seemingly generated outside the build directory on my machine. This should detect similar issues, and confirm/deny the aforementioned issue.