circleci.test

Ensure that only config from the local project is loaded.

Open gordonsyme opened this issue 8 years ago • 2 comments

It may be possible for a malicious jar to include a circleci_test/config.clj resource. Since config.clj contains arbitrary code and is evaluated, we need to ensure that only a config.clj from the local project will ever be read.

gordonsyme avatar May 15 '17 10:05 gordonsyme

It may be possible for a malicious jar to include its own version of clojure/core.clj too. If an attacker can get files onto your classpath, it's already game over. It's difficult to imagine a scenario where an attacker would be foiled by a check on this file and not be able to trivially work around it by replacing a different file.

technomancy avatar May 15 '17 17:05 technomancy

Sure, makes sense; it'd be nice to protect against accidental inclusion of test config in a library at any rate.

gordonsyme avatar May 23 '17 10:05 gordonsyme
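The check the thread settles on is a guard against a dependency jar accidentally shipping a `circleci_test/config.clj`, not a defence against a hostile classpath. The snippet below is an added example of how such a guard can be written; it is not code from circleci.test. It assumes a hypothetical loader, `load-local-config`, that walks every copy of `circleci_test/config.clj` visible to the context class loader and only evaluates one whose URL is a plain `file:` path under the project root (taken here from the `user.dir` system property).

```clojure
;; Added example, not circleci.test's own code. The helper names
;; (local-file-resource?, find-config, load-local-config) are assumptions.
(ns example.local-config
  (:require [clojure.java.io :as io])
  (:import [java.io File]
           [java.net URL]))

(defn local-file-resource?
  "True when `url` is a plain file located under `project-root`.
   Rejects jar: entries and file: URLs that resolve outside the project
   (canonical paths are compared, so `..` segments do not help)."
  [^URL url ^File project-root]
  (and (= "file" (.getProtocol url))
       (let [root (.getCanonicalPath project-root)
             path (.getCanonicalPath (io/file (.toURI url)))]
         (.startsWith path (str root File/separator)))))

(defn find-config
  "Return the URL of circleci_test/config.clj only if it lives in the
   local project; nil when every copy comes from somewhere else
   (for example a dependency jar)."
  ([] (find-config (io/file (System/getProperty "user.dir"))))
  ([^File project-root]
   (let [urls (enumeration-seq
               (.getResources (.getContextClassLoader (Thread/currentThread))
                              "circleci_test/config.clj"))]
     ;; Inspect every copy on the classpath rather than the first hit,
     ;; so a jar that appears earlier cannot shadow the project's file.
     (some #(when (local-file-resource? % project-root) %) urls))))

(defn load-local-config
  "Evaluate the project's config.clj if one is found; otherwise do nothing
   and report which copies were skipped."
  []
  (if-let [url (find-config)]
    (load-reader (io/reader url))
    (binding [*out* *err*]
      (println "circleci_test/config.clj: no local copy found; "
               "resources from jars are ignored"))))
```

Evaluating `(load-local-config)` from the project directory loads `circleci_test/config.clj` from the project's own source tree and silently skips a copy bundled in a dependency. As technomancy notes above, this only addresses the accidental case: a dependency that can place files on the classpath could just as well replace some other namespace that is loaded unconditionally.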