Delete bundled db before recreating

github · Dec 1, 2021 · c82e09a · c82e09a
1 parent 460d053
commit c82e09a
Show file tree

Hide file tree

Showing 6 changed files with 28 additions and 10 deletions.
diff --git a/lib/database-upload.js b/lib/database-upload.js
diff --git a/lib/database-upload.js.map b/lib/database-upload.js.map
diff --git a/lib/util.js b/lib/util.js
diff --git a/lib/util.js.map b/lib/util.js.map
diff --git a/src/database-upload.ts b/src/database-upload.ts
@@ -57,7 +57,10 @@ export async function uploadDatabases(
 
   const codeql = await getCodeQL(config.codeQLCmd);
   for (const language of config.languages) {
-    // Upload the database bundle
+    // Upload the database bundle.
+    // Although we are uploading arbitrary file contents to the API, it's worth
+    // noting that it's the API's job to validate that the contents is acceptable.
+    // This API method is available to anyone with write access to the repo.
     const payload = fs.readFileSync(await bundleDb(config, language, codeql));
     try {
       if (useUploadDomain) {

diff --git a/src/util.ts b/src/util.ts
@@ -559,9 +559,15 @@ export async function bundleDb(
     config.dbLocation,
     `${databasePath}.zip`
   );
-  if (!fs.existsSync(databaseBundlePath)) {
-    await codeql.databaseBundle(databasePath, databaseBundlePath);
-  }
+  // For a tiny bit of added safety, delete the file if it exists.
+  // The file is probably from an earlier call to this function, either
+  // as part of this action step or a previous one, but it could also be
+  // from somewhere else or someone trying to make the action upload a
+  // non-database file.
+  if (fs.existsSync(databaseBundlePath)) {
+    fs.rmSync(databaseBundlePath, { recursive: true });
+  }
+  await codeql.databaseBundle(databasePath, databaseBundlePath);
   return databaseBundlePath;
 }