Only download GHFM spec.txt when specified
What does this MR do and why?
Address security follow-up from !84347 (comment 948380485)
Add `UPDATE_GFM_SPEC_TXT` env var, and only download the latest GFM spec.txt when it is set. Otherwise, use the current version committed to the repo. This will be a guard against potential injection attacks if the canonical GFM spec.txt hosted by GitHub is temporarily compromised. See related threads here and here.
Related: Tracking Issue: Implement GLFM scripts per the ... (#361241)
How to set up and validate locally
- Modify `glfm_specification/input/github_flavored_markdown/ghfm_spec_v_0.29.txt` to some random text in the beginning of the `# Preliminaries` section.
- Run `scripts/glfm/update-specification.rb`, with `UPDATE_GHFM_SPEC_TXT` undefined or set to `false`.
- See output: `Reading existing .../glfm_specification/input/github_flavored_markdown/ghfm_spec_v_0.29.txt...`
- See your random text in `glfm_specification/output/spec.txt`.
- Re-run `scripts/glfm/update-specification.rb`, with `UPDATE_GHFM_SPEC_TXT` set to `true`.
- See output: `Writing .../glfm_specification/input/github_flavored_markdown/ghfm_spec_v_0.29.txt...`
- See your random text removed from `glfm_specification/input/github_flavored_markdown/ghfm_spec_v_0.29.txt` and `glfm_specification/output/spec.txt`.
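The guard described above, written out as an added example (this is not the MR's own code or the project's `update-specification.rb`): `load_ghfm_spec_txt` is a hypothetical function, the download is an injected `fetch` callable so the example runs offline, and treating only the exact string `"true"` as opt-in is this example's assumption. `demo_guard` replays the validation steps from the list above against a temp file.

```ruby
require 'tempfile'

# Hypothetical stand-in for the download step of scripts/glfm/update-specification.rb.
# `fetch` is an injected callable so the example runs offline; `env` is injected so the
# guard can be exercised without touching the real ENV.
def load_ghfm_spec_txt(path:, env: ENV, fetch:)
  # Assumption of this example: only the exact string "true" opts in. Anything else
  # (unset, "false", "1") falls through to the committed copy, so a compromised
  # upstream file can never reach the build without an explicit opt-in.
  if env['UPDATE_GHFM_SPEC_TXT'] == 'true'
    content = fetch.call
    puts "Writing #{path}..."
    File.write(path, content)
    content
  else
    puts "Reading existing #{path}..."
    File.read(path)
  end
end

# Replays the validation steps from the MR description against a temp file:
# tamper the committed copy, run with the guard off (unset, then "false"), then on.
def demo_guard
  canonical = "# Preliminaries\n\nConstructed stand-in for the upstream spec.txt.\n"
  tampered  = "RANDOM TEXT\n" + canonical          # constructed "random text" edit
  Tempfile.create('ghfm_spec_v_0.29.txt') do |f|
    File.write(f.path, tampered)
    fetch_calls = 0
    fetch = -> { fetch_calls += 1; canonical }     # never hits the network
    unset   = load_ghfm_spec_txt(path: f.path, env: {}, fetch: fetch)
    falsey  = load_ghfm_spec_txt(path: f.path, env: { 'UPDATE_GHFM_SPEC_TXT' => 'false' }, fetch: fetch)
    updated = load_ghfm_spec_txt(path: f.path, env: { 'UPDATE_GHFM_SPEC_TXT' => 'true' }, fetch: fetch)
    { unset: unset, falsey: falsey, updated: updated,
      on_disk: File.read(f.path), fetch_calls: fetch_calls }
  end
end

if __FILE__ == $PROGRAM_NAME
  p demo_guard.transform_values { |v| v.is_a?(String) ? v.lines.first.chomp : v }
end
```

With the guard off, the tampered committed copy is what gets read, and the network is never contacted; only the explicit `true` run overwrites it with the fetched content.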
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Chad Woolley