add patched hedera version and fix code security issue

jeromy-cannon · jeromy-cannon · commit f801a0cc44b7 · 2024-04-04T18:44:21.000+01:00
Signed-off-by: Jeromy Cannon &lt;jeromy@swirldslabs.com&gt;
diff --git a/src/commands/node.mjs b/src/commands/node.mjs
@@ -20,7 +20,7 @@ import { Listr } from 'listr2'
 import path from 'path'
 import { FullstackTestingError, IllegalArgumentError } from '../core/errors.mjs'
 import * as helpers from '../core/helpers.mjs'
-import { getTmpDir, sleep } from '../core/helpers.mjs'
+import { getTmpDir, sleep, validatePath } from '../core/helpers.mjs'
 import { constants, Templates } from '../core/index.mjs'
 import { BaseCommand } from './base.mjs'
 import * as flags from './flags.mjs'
@@ -313,10 +313,11 @@ export class NodeCommand extends BaseCommand {
   }
 
   async initializeSetup (config, configManager, k8) {
+    const cacheDir = validatePath(config.cacheDir)
     // compute other config parameters
     config.releasePrefix = Templates.prepareReleasePrefix(config.releaseTag)
-    config.buildZipFile = `${config.cacheDir}/${config.releasePrefix}/build-${config.releaseTag}.zip`
-    config.keysDir = path.join(config.cacheDir, 'keys')
+    config.buildZipFile = `${cacheDir}/${config.releasePrefix}/build-${config.releaseTag}.zip`
+    config.keysDir = path.join(cacheDir, 'keys')
     config.stagingDir = Templates.renderStagingDir(configManager, flags)
     config.stagingKeysDir = path.join(config.stagingDir, 'keys')
 
diff --git a/src/core/helpers.mjs b/src/core/helpers.mjs
@@ -164,3 +164,10 @@ export function backupOldPemKeys (nodeIds, keysDir, curDate = new Date(), dirPre
 
   return backupDir
 }
+
+export function validatePath (input) {
+  if (input.indexOf('\0') !== -1) {
+    throw new FullstackTestingError(`access denied for path: ${input}`)
+  }
+  return input
+}
diff --git a/test/e2e/commands/node.test.mjs b/test/e2e/commands/node.test.mjs
@@ -35,8 +35,8 @@ import {
 import { sleep } from '../../../src/core/helpers.mjs'
 
 describe.each([
-  { releaseTag: 'v0.47.0-alpha.0', keyFormat: constants.KEY_FORMAT_PFX, testName: 'node-cmd-e2e-pfx' },
-  { releaseTag: 'v0.47.0-alpha.0', keyFormat: constants.KEY_FORMAT_PEM, testName: 'node-cmd-e2e-pem' }
+  { releaseTag: 'v0.49.0-alpha.1', keyFormat: constants.KEY_FORMAT_PFX, testName: 'node-cmd-e2e-pfx' },
+  { releaseTag: 'v0.49.0-alpha.1', keyFormat: constants.KEY_FORMAT_PEM, testName: 'node-cmd-e2e-pem' }
 ])('NodeCommand', (input) => {
   const testName = input.testName
   const namespace = testName
diff --git a/test/e2e/setup-e2e.sh b/test/e2e/setup-e2e.sh
@@ -13,7 +13,6 @@ kind create cluster -n "${SOLO_CLUSTER_NAME}" --image "${KIND_IMAGE}" || exit 1
 # Most of the e2e test should bootstrap its own network in its own namespace. However, some tests can use this as a
 # shared resource if required.
 # **********************************************************************************************************************
-# TODO update hedera version for upcoming patch
 solo init --namespace "${SOLO_NAMESPACE}" -i node0,node1,node2 -t v0.42.5 -s "${SOLO_CLUSTER_SETUP_NAMESPACE}" --dev || exit 1 # cache args for subsequent commands
 solo cluster setup  || exit 1
 helm list --all-namespaces
diff --git a/test/test_util.js b/test/test_util.js
@@ -193,7 +193,7 @@ export function bootstrapNetwork (testName, argv,
 
     it('should succeed with network deploy', async () => {
       await networkCmd.deploy(argv)
-    }, 60000)
+    }, 120000)
 
     it('should succeed with node setup command', async () => {
       expect.assertions(1)
