fix: CWE-22 path traversal in file:// URL handling (#258) #196
| name: CI | ||
| on: | ||
| push: | ||
| branches: [main] | ||
| pull_request: | ||
| branches: [main] | ||
| jobs: | ||
| lint: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - name: Shell lint | ||
| run: | | ||
| find scripts -name '*.sh' | while read f; do | ||
| echo "Checking $f" | ||
| bash -n "$f" | ||
| done | ||
| - name: Check install script | ||
| run: bash -n install.sh | ||
| test: | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| matrix: | ||
| python-version: ['3.10', '3.11', '3.12', '3.13'] | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - name: Set up Python ${{ matrix.python-version }} | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: ${{ matrix.python-version }} | ||
| cache: 'pip' | ||
| - name: Syntax check (py_compile) | ||
| run: | | ||
| find scripts dashboard -name '*.py' | while read f; do | ||
| echo " checking $f" | ||
| python3 -m py_compile "$f" | ||
| done | ||
| - name: Install test dependencies | ||
| run: pip install pytest | ||
| - name: Run tests | ||
| run: pytest tests/ -v | ||
| docker-build: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v4 | ||
| - name: Build Docker image | ||
| uses: docker/build-push-action@v7 | ||
| with: | ||
| context: . | ||
| push: false | ||
| tags: edict:test | ||
| cache-from: type=gha | ||
| cache-to: type=gha,mode=max | ||
| edict-backend: | ||
| runs-on: ubuntu-latest | ||
| services: | ||
| postgres: | ||
| image: postgres:16-alpine | ||
| env: | ||
| POSTGRES_DB: edict | ||
| POSTGRES_USER: edict | ||
| POSTGRES_PASSWORD: edict_dev_2024 | ||
| ports: | ||
| - 5432:5432 | ||
| options: >- | ||
| --health-cmd "pg_isready -U edict" | ||
| --health-interval 5s | ||
| --health-timeout 5s | ||
| --health-retries 5 | ||
| redis: | ||
| image: redis:7-alpine | ||
| ports: | ||
| - 6379:6379 | ||
| options: >- | ||
| --health-cmd "redis-cli ping" | ||
| --health-interval 5s | ||
| --health-timeout 5s | ||
| --health-retries 5 | ||
| env: | ||
| DATABASE_URL: postgresql+asyncpg://edict:edict_dev_2024@localhost:5432/edict | ||
| REDIS_URL: redis://localhost:6379/0 | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - name: Set up Python 3.12 | ||
| uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: '3.12' | ||
| cache: 'pip' | ||
| cache-dependency-path: edict/backend/requirements.txt | ||
| - name: Install backend dependencies | ||
| run: pip install -r edict/backend/requirements.txt | ||
| - name: Syntax check (py_compile) | ||
| run: | | ||
| find edict/backend -name '*.py' | while read f; do | ||
| echo " checking $f" | ||
| python3 -m py_compile "$f" | ||
| done | ||
| - name: Run Alembic migrations | ||
| working-directory: edict | ||
| run: python -m alembic upgrade head | ||
| - name: Verify FastAPI app imports | ||
| working-directory: edict/backend | ||
| run: python -c "from app.main import app; print(f'FastAPI app loaded: {len(app.routes)} routes')" | ||
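Review bot: No `permissions:` key is declared at the workflow or job level, so every job runs with the repository's default GITHUB_TOKEN scope, which on many repositories is read/write; none of the jobs need more than checkout (the docker job sets `push: false`), so a top-level `permissions:` followed by an indented `contents: read`, placed after the `on:` block, would bound what a compromised step could do. The third-party actions (`actions/checkout@v6`, `actions/setup-python@v5`, `docker/setup-buildx-action@v4`, `docker/build-push-action@v7`) are referenced by mutable major tags rather than full-length commit SHAs, which leaves the pipeline exposed to tag retargeting; pinning each to a SHA with the tag kept in a trailing comment is the usual hardening. The service-container password `edict_dev_2024` (under `POSTGRES_PASSWORD` and again inside `DATABASE_URL`) is acceptable for an ephemeral localhost service, but a comment such as `# throwaway credential for the CI service container only — never reuse outside CI` beside it would stop it being copied into real configuration. The port mappings `5432:5432` and `6379:6379` should be quoted as `"5432:5432"` and `"6379:6379"` per the usual Actions/Compose convention, even though these particular values do not hit the YAML 1.1 sexagesimal trap. The workflow appears to end with the FastAPI import check, but the rendered page may be truncated.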