MCPcopy
hub / github.com/filebrowser/filebrowser / scopedUserStorage

Function scopedUserStorage

http/resource_test.go:124–147  ·  view source on GitHub ↗

scopedUserStorage returns a storage whose single user (ID 1) is scoped to userScope through a symlink-confining ScopedFs (via customFSUser), mirroring production. Used by the symlink scope-escape regression tests below.

(t *testing.T, userScope string, perm users.Permissions, key []byte)

Source from the content-addressed store, hash-verified

122// userScope through a symlink-confining ScopedFs (via customFSUser), mirroring
123// production. Used by the symlink scope-escape regression tests below.
124func scopedUserStorage(t *testing.T, userScope string, perm users.Permissions, key []byte) *storage.Storage {
125 t.Helper()
126 db, err := storm.Open(filepath.Join(t.TempDir(), "db"))
127 if err != nil {
128 t.Fatalf("failed to open db: %v", err)
129 }
130 t.Cleanup(func() { _ = db.Close() })
131
132 st, err := bolt.NewStorage(db)
133 if err != nil {
134 t.Fatalf("failed to get storage: %v", err)
135 }
136 if err := st.Users.Save(&users.User{Username: "u", Password: "pw", Perm: perm}); err != nil {
137 t.Fatalf("failed to save user: %v", err)
138 }
139 if err := st.Settings.Save(&settings.Settings{Key: key}); err != nil {
140 t.Fatalf("failed to save settings: %v", err)
141 }
142 st.Users = &customFSUser{
143 Store: st.Users,
144 fs: afero.NewBasePathFs(afero.NewOsFs(), userScope),
145 }
146 return st
147}
148
149// Regression for the dangling-symlink write escape (GHSA-8wc8-hf36-mjh9 /
150// GHSA-fh54-6rfh-r8f3): POSTing to an in-scope dangling symlink whose target is

Calls 4

NewStorageFunction · 0.92
CloseMethod · 0.65
SaveMethod · 0.65
OpenMethod · 0.45

Tested by

no test coverage detected