Feat/cli support v1#14

Open
youssef-itanii wants to merge 3 commits into feat/arm-support from feat/cli-support-v1

@youssef-itanii

No description provided.

- Addition of ARM Template detection in detect.go in order to use Infracost on ARM Templates. However, this only works with config files for the moment.
- Addition of a test in the breadkdown_test.go file in order to test if the cost estimation through the breakdown command is working.
youssef-itanii force-pushed the feat/arm-support branch 2 times, most recently from 10b5c5a to d7a3696 (August 7, 2024 08:41)
pull Bot pushed a commit that referenced this pull request Jun 26, 2026
…-318] (infracost#3586)

The config-template parser (readFile/pathExists/isDir/matchPaths) and the
hosted-app file()/templatefile() guard both confined paths with a lexical
Rel/HasPrefix check plus a leaf-only Lstat/EvalSymlinks. An intermediate
in-repo directory symlink (evil -> /etc, then readFile "evil/passwd")
defeats both: the path is lexically clean and the leaf isn't a symlink, so
it passed - but the read followed the symlink out of the repo.

Add internal/security.IsPathAllowed as the single containment boundary: it
resolves symlinks anywhere in the path (leaf and intermediate) before a
segment-aware prefix compare against the resolved parent, with a
longest-existing-prefix fallback for not-yet-existent paths and a
process-wide resolve cache. Route the template parser and the Terraform
funcs guard through it and drop the old isSubdirectory/symlinkPath helpers.

Mirrors the recent fixes in the v2 config (#14) and parser (infracost#144) repos.
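
The containment approach described in the commit message above, sketched as an added example: this is not the project's `IsPathAllowed` code, and `inside`, `resolveExisting` and `resolveWithin` are hypothetical names. It resolves symlinks in every path segment before the segment-aware compare, falls back to the longest existing prefix for paths that do not exist yet, and leaves out the resolve cache.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// inside compares whole segments, so /repo-evil is not inside /repo.
func inside(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveExisting resolves symlinks in the longest existing prefix of p and re-appends the rest.
func resolveExisting(p string) (string, error) {
	real, err := filepath.EvalSymlinks(p)
	if err == nil {
		return real, nil
	}
	// Fail closed on dangling symlinks and on errors other than "not found".
	if _, lerr := os.Lstat(p); lerr == nil || !os.IsNotExist(err) || filepath.Dir(p) == p {
		return "", err
	}
	parent, err := resolveExisting(filepath.Dir(p))
	if err != nil {
		return "", err
	}
	return filepath.Join(parent, filepath.Base(p)), nil
}

// resolveWithin returns the symlink-free form of p if it stays under root; open that, not p.
func resolveWithin(root, p string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	real, err := resolveExisting(p)
	if err == nil && !inside(realRoot, real) {
		real, err = "", fmt.Errorf("%s resolves outside %s", p, root)
	}
	return real, err
}

func main() { // usage: prog <path>..., each relative path checked against the current directory
	for _, p := range os.Args[1:] {
		fmt.Println(resolveWithin(".", p))
	}
}
```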