In any code executed from a browser, the path / stands for the website root folder (and not the machine root folder), in usual web development best / security practices.
However, the write command in juttle (while accessing from a browser through a remote machine) is allowing folder access at machine-level root folders, which could be a security concern.
I would expect the /tmp/ to be relative to the location where juttle-engine is running (or configured as website's root). However, after running the above snippet I am seeing the /tmp/metadata.csv under the machine's /tmp folder and not relative.
The below line, on the other hand, is creating the file in the relative tmp folder (at the website's root level):
write file -file 'tmp/metadata.csv' -format 'csv'
One small difference though is: in the present case, I am running juttle-engine in daemon mode with the below command, without any additional configurations or root options set.
$ juttle-engine -d -o juttle-engine.log
Besides, no matter what the config, the server (any webservice) should never allow any folder beyond its designated root folder sub-tree to be accessed and/or modified through browser-supplied code. It would become a security loophole.
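One way a server can enforce the confinement requested in this issue, shown as an added example that is not juttle-engine code and not part of the original thread. The function name `resolveInsideRoot`, the error class and the root `/srv/juttle` are hypothetical, and POSIX path semantics are assumed.

```javascript
// Added example, not juttle-engine code. resolveInsideRoot, PathEscapeError
// and the root directory used in demo() are hypothetical names.
const path = require('node:path').posix; // POSIX semantics, matching the /tmp case in the issue

class PathEscapeError extends Error {}

// Map a client-supplied path onto a location under `root`.
// A leading "/" is read as "the configured root", never the machine root.
function resolveInsideRoot(root, userPath) {
  if (typeof userPath !== 'string' || userPath.length === 0) {
    throw new PathEscapeError('empty path');
  }
  if (userPath.includes('\0')) {
    throw new PathEscapeError('NUL byte in path');
  }
  const base = path.resolve(root);
  // Strip leading slashes so an absolute path becomes relative to the root.
  const relative = userPath.replace(/^\/+/, '');
  // resolve() also collapses "." and ".." segments before the check below.
  const candidate = path.resolve(base, relative);
  // The result must be the root itself or a descendant. Comparing against
  // base + "/" avoids accepting a sibling such as /srv/juttle-evil.
  const prefix = base.endsWith('/') ? base : base + '/';
  if (candidate !== base && !candidate.startsWith(prefix)) {
    throw new PathEscapeError(`path escapes root: ${userPath}`);
  }
  return candidate;
}

// Constructed sample inputs: the two paths from the issue plus two escapes.
function demo() {
  const root = '/srv/juttle';
  const inputs = [
    '/tmp/metadata.csv',
    'tmp/metadata.csv',
    '../outside.csv',
    '/a/../../juttle-evil/x',
  ];
  return inputs.map((p) => {
    try {
      return [p, resolveInsideRoot(root, p)];
    } catch (e) {
      return [p, 'REJECTED'];
    }
  });
}

console.log(demo());
```

This check is purely lexical: a symlink inside the root can still point outside it, so a real write path would also compare the `fs.realpath` of the target's parent directory against the root before opening the file.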