test(routes/api/tasks): limit file permissions #89
Conversation
Signed-off-by: Frazer Smith <frazer.dev@icloud.com>
test/routes/api/tasks/tasks.test.ts
Outdated
| @@ -629,7 +629,7 @@ describe('Tasks api (logged user only)', () => { | |||
| const largeTestImagePath = path.join(tmpDir, 'large-test-image.jpg') | |||
|
|
|||
| const largeBuffer = Buffer.alloc(1024 * 1024 * 1.5, 'a') // Max file size in bytes is 1 MB | |||
| fs.writeFileSync(largeTestImagePath, largeBuffer) | |||
| fs.writeFileSync(largeTestImagePath, largeBuffer, { mode: 0o600 }) // 0600 permissions (read/write for owner only) | |||
There was a problem hiding this comment.
Can you plz explain why you think this is a good idea? Even for a test file?
And can you plz write a comment a little bite more elaborated as the demo has an educational purpose.
There was a problem hiding this comment.
CodeQL was reporting this as a security issue and it was an easy fix.
File permissions should follow the principle of least privilege.
As this is an educational demo as you said, I think it's good to show that test files should also follow security best practices. :)
There was a problem hiding this comment.
As this is an educational demo as you said, I think it's good to show that test files should also follow security best practices. :)
I meant that it would be nice to add the explanations in the code as a comment.
Maybe the link to Snyk article is a good idea.
There was a problem hiding this comment.
We often share links in the code base to help understand code implementation.
Signed-off-by: Frazer Smith <frazer.dev@icloud.com>
|
Closes https://github.com/fastify/demo/security/code-scanning/2
Checklist
npm run testandnpm run benchmarkand the Code of conduct