Skip to content

Restrict parent directory traversal for finding the associated project #251

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 6, 2024
Merged

Restrict parent directory traversal for finding the associated project #251

merged 1 commit into from
Sep 6, 2024

Conversation

sid-srini
Copy link
Member

@sid-srini sid-srini commented Sep 2, 2024
edited
Loading

Changes

  1. Added a launch-time JVM property for the netbeans LSP server "project.limitScanRoot", with its value set to the user's home directory path and the workspace folders, if any.
    • This is obtained using Node's os.homedir() function in nbcode.ts
    • Multiple paths are delimited by the OS-specific separator.
  2. Added a configuration property "jdk.advanced.disable.projectSearchLimit" which can be used to turn off this new behaviour.

Reasons

  • NetBeans supports searching for the build project information in the ancestor directories of the file or folder opened in a workspace.
  • Thus, NetBeans org.netbeans.modules.projectapi.SimpleFileOwnerQueryImplementation supports a JVM launch property (i.e. System property) called project.limitScanRoot.
  • This prevents searching for the build project information when the opened file or folder is outside this specified path.

@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Sep 2, 2024
@sid-srini sid-srini force-pushed the restrict_parent_directory_traversal_for_project branch from ced505f to 1465694 Compare September 2, 2024 06:06
@lahodaj
Copy link
Member

lahodaj commented Sep 2, 2024

When written like this, I see a problem if the user will have a folder in the workspace that is not under the user's home. For example, having a Maven project /tmp/prj1 open as a workspace. The (Simple)FileOwnerQuery then will not be able to lookup the project, and things will work poorly. I think we should at the very least:

  • permit search up until (any) workspace folder, if the folder is not inside the user's home,
  • or: stop the search at user's home only if the search started inside the user's home,
  • in addition to that: consider adding an option to disable this restriction in project search (although it may be difficult for the user's to understand that).

@sid-srini
Copy link
Member Author

When written like this, I see a problem if the user will have a folder in the workspace that is not under the user's home. For example, having a Maven project /tmp/prj1 open as a workspace. The (Simple)FileOwnerQuery then will not be able to lookup the project, and things will work poorly. I think we should at the very least:

  • permit search up until (any) workspace folder, if the folder is not inside the user's home,
  • or: stop the search at user's home only if the search started inside the user's home,
  • in addition to that: consider adding an option to disable this restriction in project search (although it may be difficult for the user's to understand that).

Understood.

  • I will update for points 1 & 3 in this PR.
  • For point 2, I will be adding a separate PR in the NB repo and incorporate the patch once it is approved there.

@sid-srini sid-srini marked this pull request as draft September 2, 2024 12:34
@sid-srini sid-srini force-pushed the restrict_parent_directory_traversal_for_project branch 2 times, most recently from fec8965 to 992b22d Compare September 2, 2024 12:57
@sid-srini sid-srini marked this pull request as ready for review September 2, 2024 13:04
@Achal1607 Achal1607 mentioned this pull request Sep 3, 2024
Merged
Achal1607
Achal1607 reviewed Sep 3, 2024
View reviewed changes
@sid-srini sid-srini marked this pull request as draft September 4, 2024 02:37
@sid-srini
Restrict parent directory traversal for finding the associated project
90d6615 
**Changes**
1. Added a launch-time JVM property for the netbeans LSP server
    "project.limitScanRoot", with its value set to the user's home
    directory path and the workspace folders, if any.
    - This is obtained using Node's `os.homedir()` function in *nbcode.ts*
    - Multiple paths are delimited by the OS-specific separator.
2. Added a configuration property "jdk.advanced.disable.projectSearchLimit"
   which can be used to turn off this new behaviour.

**Reasons**
- NetBeans supports searching for the build project information in the
  ancestor directories of the file or folder opened in a workspace.
- Thus, NetBeans `org.netbeans.modules.projectapi.SimpleFileOwnerQueryImplementation`
  supports a JVM launch property (i.e. System property) called **project.limitScanRoot**.
- This prevents searching for the build project information when the
  opened file or folder is outside this specified path.

Signed-off-by: Siddharth Srinivasan <[email protected]>
@sid-srini sid-srini force-pushed the restrict_parent_directory_traversal_for_project branch from 992b22d to 90d6615 Compare September 6, 2024 17:21
@sid-srini sid-srini marked this pull request as ready for review September 6, 2024 17:23
@sid-srini sid-srini requested a review from Achal1607 September 6, 2024 17:24
Achal1607
Achal1607 approved these changes Sep 6, 2024
View reviewed changes
Copy link
Member

@Achal1607 Achal1607 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks @sid-srini

@Achal1607 Achal1607 merged commit 56cf2d8 into oracle:23.0.0 Sep 6, 2024
3 checks passed
@sid-srini sid-srini deleted the restrict_parent_directory_traversal_for_project branch September 18, 2024 08:40
@sid-srini sid-srini mentioned this pull request Oct 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Achal1607 Achal1607 Achal1607 approved these changes

Assignees
No one assigned
Labels
OCA Verified All contributors have signed the Oracle Contributor Agreement.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@sid-srini @lahodaj @Achal1607