path: root/lib
Age  Commit message  Author
20 hours  Fix URI validation bypasses (Phase 1.3 updated)  toastal
- Add url_decode function to handle percent-encoded sequences
- Check both raw and URL-decoded paths for traversal attacks
- Catch %2e%2e%2f (encoded ../) and similar bypasses
- Improved path traversal detection for patterns like /etc/../passwd
Fixes TPol-identified vulnerabilities:
- URL-encoded path traversal bypasses
- Missing path traversal detection in some patterns
20 hours  Add URI validation for security (Phase 1.3)  toastal
Add validate function to uRI.ml that checks for:
- Acceptable schemes: http, https, ftp, sftp, file, ssh, git, darcs, pijul, fossil
- Path traversal attacks (../, ..\ patterns)
Returns Result type with specific error variants for invalid schemes and path traversal attempts.
All 17 tests pass.
20 hours  Fix KDL.of_flow Result type and update callers  toastal
- Properly type annotate KDL.of_flow to return (t, [> `ParseError]) result
- Handle nested Results from Eio.Buf_read.parse_exn
- Fix Manifest.read to work with new Result type
- Fix nixtamal.ml error handling for Manifest and Lockfile errors
All 17 tests pass.
20 hours  Phase 1: Fix security vulnerabilities and error handling  toastal
- Fix command injection in editor.ml using Filename.quote
- Change KDL.of_flow to return Result instead of failwith
- Update manifest.ml to handle new Result type
Security: Prevents shell injection when opening files with malicious filenames containing shell metacharacters.
Error handling: KDL parsing errors now return Result type instead of crashing with failwith.
21 hours  Add bisect_ppx test coverage infrastructure with CI workflow and test suites  Crash Over Burn
Integrate bisect_ppx for code coverage across the test suite:
- Add bisect_ppx instrumentation to lib/dune and test/dune
- Add bisect_ppx dependency to dune-project, nixtamal.opam, and nix/package/nixtamal.nix
- Create bisect.yml configuration for HTML and text coverage reports
- Add .github/workflows/coverage.yml for CI-based coverage reporting
- Fix flake.nix devShell to include checkInputs for full development environment
- Add coverage checks to flake.nix checks output
New test suites for recently ported features:
- test/test_upgrade.ml: Tests for schema upgrade command (backup, dry-run, version validation)
- test/test_fossil.ml: Tests for Fossil VCS codec and lockfile roundtrips
- test/test_lockfile.ml: Tests for lockfile auto-creation and serialization
- test/test_main.ml: Register all new test suites
Documentation updates:
- AGENTS.md: Add contact info (website, XMPP MUC), note llm/ folder is gitignored
- README.asciidoc: Add website link, mention Fossil VCS, schema versioning, upgrade command
- .gitignore: Add _build/ and _coverage/ directories
Covers testing for previously ported features: schema upgrade, Fossil VCS support, and lockfile auto-creation.
33 hours  Port upstream patches: Cmdliner 2.x, lockfile auto-creation, schema upgrade, Fossil VCS  Crash Over Burn
Ported from upstream darcs repository (v1.1.2):
- Cmdliner 2.x compatibility fixes (variable shadowing)
- Lockfile auto-creation when missing
- Schema upgrade command with backup/rollback
- Fossil VCS support (new VCS type)
- Clean up Cmdliner warning for unescaped $PWD
Files modified:
- lib/schema.ml (new): Schema versioning module
- lib/nixtamal.ml: Add upgrade function, Fossil meld support
- lib/error.ml: Add Fossil to prefetch_method, Upgrade error
- lib/input.ml: Add Fossil module, Kind variant
- lib/prefetch.ml: Add Fossil prefetch with SRI hash support
- lib/manifest.ml: Add Fossil codec
- lib/lockfile.ml: Add Fossil lockfile type
- lib/lock_loader.ml: Add Fossil feature flag
- lib/input_foreman.ml: Add Fossil display and prefetch check
- bin/cmd.ml: Cmdliner 2.x fixes, add Upgrade command
- bin/dune, lib/dune, test/dune: Deprecation flags
Builds successfully with all tests passing.
2026-01-07  lock loader: fix indentation  ·𐑑𐑴𐑕𐑑𐑩𐑤
2026-01-02  Silo: make names a folder for the future  ·𐑑𐑴𐑕𐑑𐑩𐑤
2026-01-02  Schema bump: lockfile fields required  ·𐑑𐑴𐑕𐑑𐑩𐑤
2026-01-02  Lockfile: make optional values mandatory, but null  ·𐑑𐑴𐑕𐑑𐑩𐑤
Useful for hashing
2026-01-02  QCheck: update naming  ·𐑑𐑴𐑕𐑑𐑩𐑤
2026-01-01  lock loader: builtins.throw isn’t clearer than throw  ·𐑑𐑴𐑕𐑑𐑩𐑤
2026-01-01  lock loader: rename path  ·𐑑𐑴𐑕𐑑𐑩𐑤
2026-01-01  silo: upgrade to full Nix GC root link  ·𐑑𐑴𐑕𐑑𐑩𐑤
Now that the proof of concept of symlinks worked, we can actually call nix-store --realize
2025-12-31  Prefetch: move command flow to module  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-31  Prefetch: File+Archive stdout result into module  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-31  setup: warn, ¬ error on existing manifest  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-31  silo: if failed to link, try to set up silo + retry link  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-31  working dir: ignore darcs_context too!  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-31  Silo: /silo → /.silo for more compatibility  ·𐑑𐑴𐑕𐑑𐑩𐑤
Some tools, like OCaml’s Dune, will try to follow the symlinks into the store which is a big problem
2025-12-31  Silo: unlink/rm first  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-30  errors: fix casing  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-30  prefetch: paths  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-30  silo: unlisted input cleanup  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-30  silo: make symlinks  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-30  foreman: remove fixed TODO  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-30  foreman: just use currying  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-30  silo: onset  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-30  ignore: onset  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-30  Working dir: use info + fix wording  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-23  list-stale: move first log to debug  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-23  list-stale: guard against is_outdated  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-23  refresh: print name with latest debug info  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-23  foreman: use Semaphore  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-22  show: pipe sep  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-20  lock_loader too only shows files on info verbosity  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-20  Tabs in comments  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-20  newlines to fix tab indentation  ·𐑑𐑴𐑕𐑑𐑩𐑤
I really need to just write to my own buffer if Format isn’t gonna support tabs :|
2025-12-20  oops newline  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-20  unset newline in lockfile  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-19  logging: move manifest × lockfile to info  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-14  list-stale command  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-13  styled show  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-13  missing angle close  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-13  add show to name  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-13  fix git ls-remote  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-12  keep pool exception  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-12  redo some latest_cmd funs  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-12  dry up prefetch cmd output gathering  ·𐑑𐑴𐑕𐑑𐑩𐑤
2025-12-11  remove unused exception  ·𐑑𐑴𐑕𐑑𐑩𐑤