Shell argument injection tweaks #638
Tweak required answer to be easier to read *and* more generous. JavaScript allows string constants with '...' or "..." or `...` (the last are a template, but you don't HAVE to use {...} inside them). The shell: false parameter isn't required. Also, whitespace is interpreted as "0 or more whitespace" in a pattern; use that to make the patterns easier to read. Signed-off-by: David A. Wheeler <[email protected]>
We don't require validation, presumably that was done elsewhere. Signed-off-by: David A. Wheeler <[email protected]>
Since the lab doesn't require input validation, there is no need to explain it. Other lessons cover that point. Signed-off-by: David A. Wheeler <[email protected]>
@lirantal - Thanks so much for the lab. I made a number of tweaks, e.g., made it more general, removed some unnecessary text, and added a lot of hints. Some developers who take the course may not know JavaScript (or might not know it well), so hints for common mistakes can be a real help. Please let me know what you think. If this is okay, let's declare this done.
Thanks will take a look 👀
@lirantal - great, thanks! Hopefully this process wasn't too painful. If you're willing to do another, please look at the sections we haven't yet done, and ask me to add you as the assignee. That way, we won't have too many labs on the same sections, with other sections completely uncovered.
Looks excellent!
I proposed a small change to the wording but can land otherwise.
Have to admit, the regex parts for the hint checks are kinda annoying but you seem to master that so maybe you'll help me with the next lab too :-)
Python is the hardest for the regex. check.js has a mechanism for changing how it interprets regexes, but in this case, it's probably best to use it the way it is.
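A sketch of the matching behaviour that the first commit message and the comment above describe, as an added example that is not part of this thread and not the project's check.js: whitespace in a readable pattern becomes "zero or more whitespace", any of the three JavaScript quote styles is accepted, and `shell: false` is optional. The expected answer, the hint texts and all function names are constructed for illustration.

```javascript
// Added illustration; NOT the project's check.js. All names are hypothetical.

// Turn a readable pattern into a RegExp: every run of whitespace in the
// pattern means "zero or more whitespace" in the answer being checked.
function compilePattern(readable) {
  const body = readable.trim().split(/\s+/).join(String.raw`\s*`);
  return new RegExp(String.raw`^\s*` + body + String.raw`\s*$`);
}

// Constructed expected answer (an assumption, not the lab's real one):
//   execFile('ls', ['-l', dir]);
// (["'`]) ... \N accepts '...', "..." or `...` as long as the quotes pair up.
// The trailing options object with shell: false is accepted but optional.
const CORRECT = compilePattern(String.raw`
  execFile \( (["'\`])ls\1 , \[ (["'\`])-l\2 , dir \]
  ( , \{ shell : false \} )? \) ;?
`);

// Constructed hints for common mistakes; the first matching hint wins.
const HINTS = [
  { pattern: compilePattern(String.raw`exec \( .*`),
    text: 'exec() passes the whole string to a shell; use execFile().' },
  { pattern: compilePattern(String.raw`.* \+ .*`),
    text: 'Pass the value as its own array element; do not concatenate.' },
  { pattern: compilePattern(String.raw`.* shell : true .*`),
    text: 'shell: true brings the shell back; omit it or use false.' },
];

// Grade one answer: accept it, or return the first hint that applies.
function check(answer) {
  if (CORRECT.test(answer)) return { ok: true, hint: null };
  const hit = HINTS.find((h) => h.pattern.test(answer));
  return { ok: false, hint: hit ? hit.text : null };
}

// Constructed sample answers.
for (const a of [
  "execFile('ls', ['-l', dir]);",
  'execFile("ls",["-l",dir],{shell:false})',
  "exec('ls -l ' + dir)",
]) {
  console.log(JSON.stringify(check(a)), '<-', a);
}
```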
Co-authored-by: Liran Tal <[email protected]> Signed-off-by: David A. Wheeler <[email protected]>
We need to add the new lab to the course. Issue to remember that is here: ossf/secure-sw-dev-fundamentals#175