Hi all,

Justin and I have been working on a small application gathering logs of kernel tests and giving the kernel maintainers some stats about these results.

The idea is that there is a script running tests on a kernel. That script is run for every kernel built by the kernel team, but anyone can also run the tests and submit their results (with a final idea to provide badges to the users that do).

There are three possibilities to submit one's results:

- Via the UI of the application: just log in, select the `upload` tab at the top and upload your result file
- Via curl or any other tool that can make a POST request:
  - either with an API key that is kept secret. This API key is used by the automatic testing tool used by the kernel team; it ensures these results are trusted
  - or via a public endpoint. This endpoint supports both anonymous and logged-in (via openid) uploads

The challenge is of course about allowing anonymous upload while not giving too much space for people to abuse it. So we are restricting the uploads by their mime type and size (10Kb by default). The mime type is however something that is easy to circumvent, but at least that means they'll check the sources. (I was just thinking, maybe we could enforce a dedicated mime type for the CL upload.)

Also, any file that does not contain the expected pattern will be discarded.

I am fairly confident about the application, but I would not mind more eyes looking at the code and checking if we missed obvious solutions to limit the potential angles of attack.

For those interested:

The code is at: https://github.com/jmflinuxtx/kerneltest-harness (see the frontend folder)

A sample input file is at: http://paste.fedoraproject.org/107782/02061911

Thanks in advance for your help :)

Pierre
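
The upload checks described in the message above (size cap, mime type, expected pattern), sketched as an added example that is not part of the original message or of the kerneltest-harness code. The allowed type `text/plain`, the marker pattern and all function names are assumptions made for illustration.

```python
import io
import re

MAX_UPLOAD_BYTES = 10 * 1024         # the 10Kb default mentioned in the message
ALLOWED_MIME_TYPES = {"text/plain"}  # assumption: results are plain-text logs
# Assumption: hypothetical marker line; the project's real pattern may differ.
EXPECTED_PATTERN = re.compile(r"^Test suite complete\s+(PASS|FAIL)\s*$", re.M)

class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails a check."""

def validate_upload(stream, declared_mime, max_bytes=MAX_UPLOAD_BYTES):
    """Return the decoded log text, or raise UploadRejected."""
    # The declared type is client-controlled, so it is only a cheap first filter.
    if declared_mime.split(";")[0].strip().lower() not in ALLOWED_MIME_TYPES:
        raise UploadRejected("mime type not allowed")
    # Read one byte past the cap instead of trusting Content-Length, so an
    # oversized body is never buffered in full.
    data = stream.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    # Check the content itself: it must be UTF-8 text without NUL bytes.
    if b"\x00" in data:
        raise UploadRejected("binary content")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        raise UploadRejected("not valid UTF-8 text") from None
    if not EXPECTED_PATTERN.search(text):
        raise UploadRejected("expected pattern not found")
    return text

def verdict(body, mime):
    """Run the checks on raw bytes and return 'accepted' or the reject reason."""
    try:
        validate_upload(io.BytesIO(body), mime)
        return "accepted"
    except UploadRejected as exc:
        return str(exc)

# Constructed sample upload (not real test output).
GOOD = b"./default/selinux-dac-controls PASS\nTest suite complete    PASS\n"

if __name__ == "__main__":
    print(verdict(GOOD, "text/plain"))
    print(verdict(b"\x7fELF\x00\x00", "text/plain"))
```

Because the content checks run regardless of the declared type, a client that simply lies about the mime type still has to send small, valid text containing the marker for the upload to be kept.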