scopedUserStorage returns a storage whose single user (ID 1) is scoped to userScope through a symlink-confining ScopedFs (via customFSUser), mirroring production. Used by the symlink scope-escape regression tests below.
(t *testing.T, userScope string, perm users.Permissions, key []byte)
// scopedUserStorage returns a storage whose single user (ID 1) is scoped to
// userScope through a symlink-confining ScopedFs (via customFSUser), mirroring
// production. It is the shared fixture for the symlink scope-escape regression
// tests that follow it.
//
// The helper opens a throwaway database under t.TempDir(), saves one user with
// the given permissions, saves settings carrying key, and then swaps the user
// store for a customFSUser wrapper. Any setup failure aborts the calling test.
//
// NOTE(review): the filesystem built here is a plain afero BasePathFs rooted at
// userScope. As far as this listing shows, BasePathFs only rebases paths and
// does not itself resolve symlinks, so the confinement the regression tests
// depend on has to be applied inside customFSUser, which is not visible here.
// Confirm that wrapper matches the production code path; otherwise the tests
// would not exercise the fix.
func scopedUserStorage(t *testing.T, userScope string, perm users.Permissions, key []byte) *storage.Storage {
	t.Helper()

	dbPath := filepath.Join(t.TempDir(), "db")
	db, openErr := storm.Open(dbPath)
	if openErr != nil {
		t.Fatalf("failed to open db: %v", openErr)
	}
	t.Cleanup(func() {
		// The close error is deliberately dropped: the database lives in the
		// per-test temp dir, which the testing package removes afterwards.
		_ = db.Close()
	})

	store, storeErr := bolt.NewStorage(db)
	if storeErr != nil {
		t.Fatalf("failed to get storage: %v", storeErr)
	}

	// Persist the single fixture user before the user store is wrapped.
	fixtureUser := &users.User{Username: "u", Password: "pw", Perm: perm}
	if saveErr := store.Users.Save(fixtureUser); saveErr != nil {
		t.Fatalf("failed to save user: %v", saveErr)
	}

	fixtureSettings := &settings.Settings{Key: key}
	if saveErr := store.Settings.Save(fixtureSettings); saveErr != nil {
		t.Fatalf("failed to save settings: %v", saveErr)
	}

	// Wrap the user store so the filesystem handed to customFSUser is rooted at
	// userScope on the real OS filesystem.
	scopeRoot := afero.NewBasePathFs(afero.NewOsFs(), userScope)
	store.Users = &customFSUser{
		Store: store.Users,
		fs:    scopeRoot,
	}
	return store
}
| 148 | |
| 149 | // Regression for the dangling-symlink write escape (GHSA-8wc8-hf36-mjh9 / |
| 150 | // GHSA-fh54-6rfh-r8f3): POSTing to an in-scope dangling symlink whose target is |