Ensure that only config from the local project is loaded. #6

gordonsyme · 2017-05-15T10:01:09Z

It may be possible for a malicious jar to include a circleci_test/config.clj resource. Since config.clj contains arbitrary code and is evaluated we need to ensure that only a config.clj from the local project will ever be read.

The text was updated successfully, but these errors were encountered:

technomancy · 2017-05-15T17:23:41Z

It may be possible for a malicious jar to include their own version of clojure/core.clj too. If an attacker can get files onto your classpath, it's already game over. It's difficult to imagine a scenario where an attacker would be foiled by a check on this file and not be able to trivially work around it by replacing a different file.

gordonsyme · 2017-05-23T10:24:34Z

Sure makes sense, it'd be nice to protect against accidental inclusion of test config in a library at any rate.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Ensure that only config from the local project is loaded. #6

Ensure that only config from the local project is loaded. #6

gordonsyme commented May 15, 2017

technomancy commented May 15, 2017

gordonsyme commented May 23, 2017

Ensure that only config from the local project is loaded. #6

Ensure that only config from the local project is loaded. #6

Comments

gordonsyme commented May 15, 2017

technomancy commented May 15, 2017

gordonsyme commented May 23, 2017