|
18 | 18 |
|
19 | 19 | import argparse |
20 | 20 | import collections |
| 21 | +import collections.abc |
21 | 22 | import functools |
22 | 23 | import io |
23 | 24 | import os |
@@ -73,13 +74,25 @@ def get_app_config(raw_config, base_image, config_file, source_dir): |
73 | 74 | config_file (str): Path to user's app.yaml (might be <service-name>.yaml) |
74 | 75 | source_dir (str): Directory container user's source code |
75 | 76 |
|
| 77 | + We validate the user input for security and better error messages. |
| 78 | +
|
| 79 | + Yaml parsing rules can lead to extremely unhelpful error messages. |
| 80 | + For example, parsing a string value where we expected a list. |
| 81 | + Python will happily use the string as a sequence of individual |
| 82 | + characters, leading to confusing results. |
| 83 | +
|
| 84 | + We also try to prevent Dockerfile and Bash injection attacks. For |
| 85 | + example, specifying entrypoint as "true\\nADD /etc/passwd /pwned" |
| 86 | + would allow the user to inject arbitrary directives into the |
| 87 | + Dockerfile, which is a support problem if nothing else. |
| 88 | +
|
76 | 89 | Returns: |
77 | 90 | AppConfig: valid configuration |
78 | 91 | """ |
79 | 92 | # Examine app.yaml |
80 | | - if not isinstance(raw_config, dict): |
| 93 | + if not isinstance(raw_config, collections.abc.Mapping): |
81 | 94 | raise ValueError( |
82 | | - 'Expected {} contents to be of type "dict", but found type "{}"'. |
| 95 | + 'Expected {} contents to be a Mapping type, but found type "{}"'. |
83 | 96 | format(config_file, type(raw_config))) |
84 | 97 |
|
85 | 98 | entrypoint = validation_utils.get_field_value(raw_config, 'entrypoint', str) |
@@ -117,7 +130,18 @@ def get_app_config(raw_config, base_image, config_file, source_dir): |
117 | 130 |
|
118 | 131 |
|
119 | 132 | def get_data(name): |
120 | | - """Return the contents of the named data resource""" |
| 133 | + """Return the contents of the named data resource |
| 134 | +
|
| 135 | + Args: |
| 136 | + name (str): Name of file, without directory |
| 137 | +
|
| 138 | + These templates are copied from the Google Cloud SDK at |
| 139 | + google-cloud-sdk/platform/ext-runtime/python/data |
| 140 | + and the two should be kept in sync. |
| 141 | +
|
| 142 | + Returns: |
| 143 | + str: Contents of data file |
| 144 | + """ |
121 | 145 | filename = os.path.join(os.path.dirname(__file__), 'data', name) |
122 | 146 | with io.open(filename, 'r', encoding='utf8') as template_file: |
123 | 147 | return template_file.read() |
|
0 commit comments