fix(verify-rls): drop predictable $$-based tmp file fallback

Same shape as gstack-telemetry-sync: on mktemp failure the script fell
back to '/tmp/verify-rls-$$-$TOTAL', which is fully predictable from the
PID and a per-check counter. On a shared box another user can pre-create
or symlink the path and either capture the HTTP response body (which may
leak what the RLS tests revealed) or corrupt an unrelated file that curl
writes through.

Make mktemp strict. On failure return from the check function; the caller
tallies a FAIL and the run moves on.
RagavRida
2026-04-24 00:06:58 +05:30
committed by Garry Tan
parent 46821fe6d8
commit 3bba467289
+6 -1
@@ -30,7 +30,12 @@ check() {
TOTAL=$(( TOTAL + 1 ))
local resp_file
resp_file="$(mktemp 2>/dev/null || echo "/tmp/verify-rls-$$-$TOTAL")"
# Use mktemp strictly. Don't fall back to a predictable $$-based path —
# that's a race/overwrite footgun on shared machines.
resp_file="$(mktemp "${TMPDIR:-/tmp}/verify-rls-XXXXXX")" || {
echo "verify-rls: mktemp failed, aborting" >&2
return 1
}
local http_code
if [ "$method" = "GET" ]; then
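Review bot: in the mktemp failure branch the message says "aborting", but the branch only does `return 1` and the commit message says the run moves on, so the wording should match the behaviour (for example "mktemp failed, skipping check"). TOTAL has already been incremented above this point, and nothing in the hunk bumps a failure count, so the summary only stays consistent if every call site of check() treats a non-zero return as a FAIL. Either record the failure inside this branch before returning, or confirm the call sites do it and that the script is not running under `set -e`, where an unchecked `return 1` would end the run instead of moving on.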