From 262d080083facf51f03b6c3c901b01de199422a0 Mon Sep 17 00:00:00 2001
From: labkey-tchad
Date: Thu, 2 Oct 2025 11:01:58 -0700
Subject: [PATCH 1/4] Add explicit permissions to GitHub workflows
---
 .github/workflows/branch_release.yml | 4 ++++
 .github/workflows/merge_release.yml | 4 ++++
 .github/workflows/validate_pr.yml | 3 +++
 .../resources/scripts/validationTest/actionUrlTest.js | 10 +++++-----
 src/org/labkey/test/TestFileUtils.java | 4 ++++
 5 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/branch_release.yml b/.github/workflows/branch_release.yml
index b864e71565..e0b4cfc121 100644
--- a/.github/workflows/branch_release.yml
+++ b/.github/workflows/branch_release.yml
@@ -8,6 +8,10 @@ on:
 tags:
 - '*'
+permissions:
+ pull-requests: write
+ contents: write
+
 jobs:
 branch_release:
 if: github.event.created && github.event.sender.login == 'labkey-teamcity'
diff --git a/.github/workflows/merge_release.yml b/.github/workflows/merge_release.yml
index 440c9a3b61..f6d8d6ea03 100644
--- a/.github/workflows/merge_release.yml
+++ b/.github/workflows/merge_release.yml
@@ -8,6 +8,10 @@ on:
 types:
 - submitted
+permissions:
+ pull-requests: write
+ contents: write
+
 jobs:
 merge_release:
 if: >
diff --git a/.github/workflows/validate_pr.yml b/.github/workflows/validate_pr.yml
index b567d8aea9..69320ba9ee 100644
--- a/.github/workflows/validate_pr.yml
+++ b/.github/workflows/validate_pr.yml
@@ -10,6 +10,9 @@ on:
 - reopened
 - ready_for_review
+permissions:
+ pull-requests: write
+
 jobs:
 validate_pr:
 if: github.event.pull_request.head.repo.owner.login == 'LabKey'
diff --git a/modules/simpletest/resources/scripts/validationTest/actionUrlTest.js b/modules/simpletest/resources/scripts/validationTest/actionUrlTest.js
index 8ff225a500..d26732f654 100644
--- a/modules/simpletest/resources/scripts/validationTest/actionUrlTest.js
+++ b/modules/simpletest/resources/scripts/validationTest/actionUrlTest.js
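Review bot: The write scopes added to branch_release.yml and merge_release.yml (`pull-requests: write`, `contents: write`) sit at workflow level, so every job and step in those files receives a token that can push and modify pull requests; the same holds for `pull-requests: write` in validate_pr.yml. Keeping the top-level block read-only (or `permissions: {}`) and declaring the write scopes under the job that needs them would stop a job added later from inheriting them. Once a `permissions` block is present, every scope it does not list becomes `none`, so validate_pr.yml has no `contents` access; if its steps, which are outside the hunk, check out the repository with the default token, `contents: read` has to be listed as well. A comment beside each write scope naming the step that needs it, e.g. `contents: write  # <step that pushes the release branch>`, would make later narrowing easier.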
@@ -21,21 +21,21 @@ function doTest()
 if (contextPath.length > 0)
 {
 var baseUrl = LABKEY.ActionURL.getBaseURL();
- if (baseUrl.indexOf("labkey/") != baseUrl.length - 7)
+ if (!baseUrl.endsWith(contextPath + "/"))
 errors[errors.length] = new Error("ActionURL.getBaseURL() = " + baseUrl);
 }
 var queryString = LABKEY.ActionURL.queryString(urlParameters);
- if( queryString != 'x=fred&y=barney' )
+ if( queryString !== 'x=fred&y=barney' )
 errors[errors.length] = new Error("ActionURL.queryString = " + queryString);
 var url = LABKEY.ActionURL.buildURL(controller, action, containerPath, urlParameters);
- if( url != contextPath + "/" + controller + "/" + containerPath + "/" + action + ".view?" + queryString &&
- url != contextPath + "/" + containerPath + "/" + controller + "-" + action + ".view?" + queryString)
+ if( url !== contextPath + "/" + controller + "/" + containerPath + "/" + action + ".view?" + queryString &&
+ url !== contextPath + "/" + containerPath + "/" + controller + "-" + action + ".view?" + queryString)
 errors[errors.length] = new Error("ActionURL.buildUrl() = " + url);
 var parameters = LABKEY.ActionURL.getParameters(url);
- if( Ext.util.JSON.encode(parameters) != Ext.util.JSON.encode(urlParameters) )
+ if( Ext.util.JSON.encode(parameters) !== Ext.util.JSON.encode(urlParameters) )
 errors[errors.length] = new Error("ActionURL.getParameters() = " + Ext.util.JSON.encode(parameters));
 if( errors.length > 0 )
diff --git a/src/org/labkey/test/TestFileUtils.java b/src/org/labkey/test/TestFileUtils.java
index f87b5c1601..59d47c9de3 100644
--- a/src/org/labkey/test/TestFileUtils.java
+++ b/src/org/labkey/test/TestFileUtils.java
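Review bot: The base-URL check in `doTest()` still runs only when `contextPath.length > 0`, so on a server deployed at the root context the result of `LABKEY.ActionURL.getBaseURL()` is never validated. Because the new condition is built from `contextPath`, it could cover both cases, assuming the base URL always ends in a slash: hoist `var baseUrl = LABKEY.ActionURL.getBaseURL();` out of the guard and run `if (!baseUrl.endsWith(contextPath + "/"))` unconditionally. The error text would also be easier to act on if it carried the expected suffix, e.g. `"ActionURL.getBaseURL() = " + baseUrl + ", expected suffix " + contextPath + "/"`. `doTest()` starts and ends outside the hunk.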
@@ -635,6 +635,10 @@ private static List unTar(final File inputFile, final File outputDir) thro
 while ((entry = inputStream.getNextEntry()) != null)
 {
 final File outputFile = new File(outputDir, entry.getName());
+
+ if (!outputFile.toPath().normalize().startsWith(outputDir.toPath()))
+ throw new IOException("Bad zip entry (" + entry.getName() + ") in " + inputFile.getAbsolutePath());
+
 if (entry.isDirectory())
 {
 if (!outputFile.exists())
From 5687257adf0995a26ad96beb515ccfb68ac29df6 Mon Sep 17 00:00:00 2001
From: labkey-tchad
Date: Thu, 2 Oct 2025 11:03:49 -0700
Subject: [PATCH 2/4] Only need read to comment on PRs
---
 .github/workflows/validate_pr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/validate_pr.yml b/.github/workflows/validate_pr.yml
index 69320ba9ee..82d9a7a736 100644
--- a/.github/workflows/validate_pr.yml
+++ b/.github/workflows/validate_pr.yml
@@ -11,7 +11,7 @@ on:
 - ready_for_review
 permissions:
- pull-requests: write
+ pull-requests: read
 jobs:
 validate_pr:
From b2f9354d5708ed58b0c39364f355b1f4cd02469f Mon Sep 17 00:00:00 2001
From: labkey-tchad
Date: Thu, 2 Oct 2025 11:23:12 -0700
Subject: [PATCH 3/4] Explicitly narrow number conversions
---
 src/org/labkey/test/BaseWebDriverTest.java | 2 +-
 src/org/labkey/test/tests/SpecimenTest.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/org/labkey/test/BaseWebDriverTest.java b/src/org/labkey/test/BaseWebDriverTest.java
index d4c0eea4b3..6f45e2cd39 100644
--- a/src/org/labkey/test/BaseWebDriverTest.java
+++ b/src/org/labkey/test/BaseWebDriverTest.java
@@ -543,7 +543,7 @@ Statement createFailOnTimeoutStatement(Statement statement, Class testClass)
 else
 minutes = ClassTimeout.DEFAULT;
- minutes *= timeoutMultiplier;
+ minutes = Math.round(minutes * timeoutMultiplier);
 if (minutes == 0)
 minutes = 1;
diff --git a/src/org/labkey/test/tests/SpecimenTest.java b/src/org/labkey/test/tests/SpecimenTest.java
index 0277fc6e05..6dea72c0af 100644
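Review bot: The new guard in `unTar` (TestFileUtils.java, patch 1/4) reports `"Bad zip entry ("` although the archive is a tar, and the message does not say why the entry was refused. Something like `throw new IOException("Tar entry escapes output directory (" + entry.getName() + ") in " + inputFile.getAbsolutePath());` reads correctly in a log. The check is also purely lexical: `normalize()` collapses `..` segments but does not resolve links, so link entries in the archive are not covered by this line. How link entries are handled is outside the hunk; if they are extracted at all, refusing them first (`entry.isSymbolicLink() || entry.isLink()`) would close that gap. A comment above the guard, `// Reject entries whose normalized path leaves outputDir (archive path traversal)`, would record the intent.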
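Review bot: With `pull-requests: read` in validate_pr.yml (patch 2/4) the default token can no longer create or edit pull-request comments, which does not match the subject line "Only need read to comment on PRs". If the job's steps, which are outside the hunk, post comments with `GITHUB_TOKEN`, they will fail with a permission error and the scope has to stay `write`; if they use a separate credential, `read` is the right setting. Either way a comment on the line would record the reason, e.g. `pull-requests: read  # comments are posted with <other-token-secret>, not GITHUB_TOKEN`.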
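Review bot: In `createFailOnTimeoutStatement` (BaseWebDriverTest.java, patch 3/4) the guard after the changed line still tests only `minutes == 0`, so a negative `timeoutMultiplier` produces a negative timeout that passes straight through. Where `timeoutMultiplier` is set is outside the hunk; if it comes from configuration, `if (minutes <= 0)` is the safer guard. The change also replaces the truncation that `*=` performed with rounding to nearest, so a product of 1.5 now gives 2 rather than 1; a comment such as `// round to nearest; the compound *= truncated silently` would show that this is intended.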
--- a/src/org/labkey/test/tests/SpecimenTest.java
+++ b/src/org/labkey/test/tests/SpecimenTest.java
@@ -825,7 +825,7 @@ private void verifyRequestingLocationCounts(StudyLocationType... types)
 waitForElement(Locators.bodyTitle().withText("New Specimen Request"));
 int expectedLocationCount = StudyLocationType.untypedSites();
- long additionalLocations = Math.round(Math.pow(2, StudyLocationType.values().length - 1));
+ int additionalLocations = (int) Math.round(Math.pow(2, StudyLocationType.values().length - 1));
 for (StudyLocationType type : StudyLocationType.values())
 {
From 8e00808303bcf3a9d170aed51044dd4fc115406d Mon Sep 17 00:00:00 2001
From: labkey-tchad
Date: Thu, 2 Oct 2025 15:06:56 -0700
Subject: [PATCH 4/4] Stash normalized path outside of loop
---
 src/org/labkey/test/TestFileUtils.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/org/labkey/test/TestFileUtils.java b/src/org/labkey/test/TestFileUtils.java
index 59d47c9de3..2a9af3401c 100644
--- a/src/org/labkey/test/TestFileUtils.java
+++ b/src/org/labkey/test/TestFileUtils.java
@@ -632,11 +632,13 @@ private static List unTar(final File inputFile, final File outputDir) thro
 TarArchiveInputStream inputStream = new ArchiveStreamFactory().createArchiveInputStream("tar", is))
 {
 TarArchiveEntry entry;
+ Path normalizedOutputPath = outputDir.toPath().normalize();
+
 while ((entry = inputStream.getNextEntry()) != null)
 {
 final File outputFile = new File(outputDir, entry.getName());
- if (!outputFile.toPath().normalize().startsWith(outputDir.toPath()))
+ if (!outputFile.toPath().normalize().startsWith(normalizedOutputPath))
 throw new IOException("Bad zip entry (" + entry.getName() + ") in " + inputFile.getAbsolutePath());
 if (entry.isDirectory())
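Review bot: The `(int)` cast added in `verifyRequestingLocationCounts` (SpecimenTest.java, patch 3/4) makes the narrowing visible but leaves it unchecked, so a value above `Integer.MAX_VALUE` would wrap silently. `int additionalLocations = Math.toIntExact(Math.round(Math.pow(2, StudyLocationType.values().length - 1)));` gives the same result and throws on overflow instead. The method body continues outside the hunk, so how `additionalLocations` is used afterwards is not visible here.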
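Review bot: `normalizedOutputPath` in `unTar` (TestFileUtils.java, patch 4/4) is normalized but not made absolute, so the prefix test depends on how the caller spelled `outputDir`. A relative directory such as `.` normalizes to the empty path, and `startsWith` against that appears to reject every entry, including legitimate ones. Anchoring both sides removes the dependency: `Path normalizedOutputPath = outputDir.toPath().toAbsolutePath().normalize();` and `if (!outputFile.toPath().toAbsolutePath().normalize().startsWith(normalizedOutputPath))`. The callers of `unTar` and the rest of its body are outside the hunk.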