[CI] Fix xharness local run. (#22236)

dotnet · Feb 24, 2025 · 30cce24 · 30cce24
1 parent 4f13e06
commit 30cce24
Showing 1 changed file with 40 additions and 1 deletion.
diff --git a/tests/xharness/Jenkins/TestServer.cs b/tests/xharness/Jenkins/TestServer.cs
@@ -14,6 +14,30 @@ namespace Xharness.Jenkins {
 
 	class TestServer {
 
+		static IReadOnlySet<string> AllowedPaths = new HashSet<string> (StringComparer.Ordinal) {
+		"/",
+		"/index.html",
+		"/set-option",
+		"/select",
+		"/deselect",
+		"/stop",
+		"/run",
+		"/build",
+		"/reload-devices",
+		"/reload-simulators",
+		"/quit",
+		"/favicon.ico",
+		"/index.html",
+	};
+
+		static IReadOnlySet<string> AllowedFiles = new HashSet<string> (StringComparer.Ordinal) {
+		"index.html",
+		"xharness.css",
+		"xharness.js",
+	};
+
+
+
 		public Task RunAsync (Jenkins jenkins, HtmlReportWriter htmlReportWriter)
 		{
 			HttpListener server;
@@ -95,8 +119,23 @@ IEnumerable<ITestTask> find_tasks (StreamWriter writer, string ids)
 						}
 
 						string serveFile = null;
+						// do not allow requests that are not http or https
+						if (request.Url.Scheme != Uri.UriSchemeHttp && request.Url.Scheme != Uri.UriSchemeHttps) {
+							response.StatusCode = 400;
+							response.StatusDescription = "Bad Request";
+							response.OutputStream.Write (System.Text.Encoding.UTF8.GetBytes ("Invalid local path"));
+							return;
+						}
 						var localPath = request.Url.LocalPath;
-						if (localPath.Contains ("..") || localPath.Contains ("/") || localPath.Contains ("\\")) {
+						var file = Path.GetFileName (localPath);
+						var directoryName = Path.GetDirectoryName (localPath);
+						var jenkinsDirectoryName = $"/{Path.GetFileName (jenkins.LogDirectory)}";
+
+						// for the request to be valid the local path has to be one of the following
+						// 1. local path should be one of the supported ones
+						// 2. Be index.html
+						// 3. Its directory name be the same as the log directory name, no other directory is allowed
+						if (!AllowedPaths.Contains (localPath) && !AllowedFiles.Contains (file) && !directoryName.StartsWith (jenkinsDirectoryName)) {
 							// Validate that we're not requested to serve any file on the file system.
 							// Ref: https://devdiv.visualstudio.com/DevDiv/_workitems/edit/2351243
 							response.StatusCode = 400;