diff options
author | Robert Speicher <rspeicher@gmail.com> | 2016-11-09 11:06:49 +0000 |
---|---|---|
committer | Robert Speicher <rspeicher@gmail.com> | 2016-11-09 11:06:49 +0000 |
commit | de4334635e2f3cd992a91726a546ac5b324a8f4b (patch) | |
tree | 7bad8d494df1318ce0880fbcc70b015006a24fe5 /doc/development/shell_commands.md | |
parent | 57f9ee0b9f77dc1aa0882fe0423228b77b8e8a33 (diff) | |
download | gitlab-ce-de4334635e2f3cd992a91726a546ac5b324a8f4b.tar.gz |
Add more highlighting to Shell Commands docrs-doc-highlighting
[ci skip]
Diffstat (limited to 'doc/development/shell_commands.md')
-rw-r--r-- | doc/development/shell_commands.md | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/doc/development/shell_commands.md b/doc/development/shell_commands.md index 65cdd74bdb6..73893f9dd46 100644 --- a/doc/development/shell_commands.md +++ b/doc/development/shell_commands.md @@ -129,7 +129,7 @@ Various methods for opening and reading files in Ruby can be used to read the standard output of a process instead of a file. The following two commands do roughly the same: -``` +```ruby `touch /tmp/pawned-by-backticks` File.read('|touch /tmp/pawned-by-file-read') ``` @@ -142,7 +142,7 @@ attacker cannot control the start of the filename string you are opening. For instance, the following is sufficient to protect against accidentally starting a shell command with `|`: -``` +```ruby # we assume repo_path is not controlled by the attacker (user) path = File.join(repo_path, user_input) # path cannot start with '|' now. @@ -160,7 +160,7 @@ Path traversal is a security where the program (GitLab) tries to restrict user access to a certain directory on disk, but the user manages to open a file outside that directory by taking advantage of the `../` path notation. -``` +```ruby # Suppose the user gave us a path and they are trying to trick us user_input = '../other-repo.git/other-file' @@ -177,7 +177,7 @@ File.open(full_path) do # Oops! A good way to protect against this is to compare the full path with its 'absolute path' according to Ruby's `File.absolute_path`. -``` +```ruby full_path = File.join(repo_path, user_input) if full_path != File.absolute_path(full_path) raise "Invalid path: #{full_path.inspect}" |