Radish alpha
H
HardenedBSD-pkg
rad:z3QDZAW2FAfuLvihrhiyDC9fAD8G9
HardenedBSD Package Manager
Radicle
Git
Commits 1e888a8
triggers: only allow lua triggers and remove entirely shell triggers
Baptiste Daroussin committed 5 years ago
commit 1e888a833e42c36419fa77d195467668d48d792e
parent 71379d9
2 files changed +10 -130
modified libpkg/triggers.c
@@ -55,8 +55,6 @@ get_script_type(const char *str)
{

	if (strcasecmp(str, "lua") == 0)

		return (SCRIPT_LUA);
- 
	if (strcasecmp(str, "shell") == 0)
- 
		return (SCRIPT_SHELL);

	return (SCRIPT_UNKNOWN);

}
@@ -88,7 +86,7 @@ trigger_open_schema(void)
		"        type = { "

		"          type = string,"

		"          sandbox = boolean, "
- 
		"          enum: [lua, shell];"
+ 
		"          enum: [lua];"

		"        };"

		"        script = { type = string };"

		"      }; "
@@ -100,7 +98,7 @@ trigger_open_schema(void)
		"        type = { "

		"          type = string,"

		"          sandbox = boolean, "
- 
		"          enum: [lua, shell];"
+ 
		"          enum: [lua];"

		"        };"

		"        script = { type = string };"

		"      }; "
@@ -343,14 +341,10 @@ get_random_name(char name[])
}



static void
- 
save_trigger(const char *script, bool sandbox, kh_strings_t *args, bool lua)
+ 
save_trigger(const char *script, bool sandbox, kh_strings_t *args)

{

	int db = ctx.pkg_dbdirfd;

	const char *dir;
- 
	const char *comment = "-- ";
-
- 
	if (!lua)
- 
		comment = "# ";



	if (!mkdirat_p(db, "triggers"))

		return;
@@ -381,97 +375,24 @@ save_trigger(const char *script, bool sandbox, kh_strings_t *args, bool lua)
	close(trigfd);

	FILE *f = fdopen(fd, "w");

	if (sandbox)
- 
		fprintf(f, "%ssandbox\n", comment);
- 
	fprintf(f, "%sbegin args\n", comment);
+ 
		fputs("--sandbox\n", f);
+ 
	fputs("--begin args\n", f);

	kh_foreach_value(args, dir, {

		fprintf(f, "-- %s\n", dir);

	});
- 
	fprintf(f, "%send args\n--\n", comment);
+ 
	fputs("--end args\n--\n", f);

	fprintf(f, "%s\n", script);

	fclose(f);

}



static int
- 
trigger_execute_shell(const char *script, bool sandboxed __unused, kh_strings_t *args __unused)
- 
{
- 
	posix_spawn_file_actions_t action;
- 
	int stdin_pipe[2] = {-1, -1};
- 
	const char *argv[3];
- 
	const char *script_p;
- 
	size_t len;
- 
	ssize_t bw;
- 
	int error, pstat;
- 
	int ret = EPKG_OK;
- 
	pid_t pid;
-
- 
	if (ctx.defer_triggers) {
- 
		save_trigger(script, false, args, false);
- 
		return (EPKG_OK);
- 
	}
-
- 
	if (pipe(stdin_pipe) < 0)
- 
		return (EPKG_FATAL);
-
- 
	posix_spawn_file_actions_init(&action);
- 
	posix_spawn_file_actions_adddup2(&action, stdin_pipe[0], STDIN_FILENO);
- 
	posix_spawn_file_actions_addclose(&action, stdin_pipe[1]);
-
- 
	argv[0] = _PATH_BSHELL;
- 
	argv[1] = "-s";
- 
	argv[2] = NULL;
-
- 
	if ((error = posix_spawn(&pid, _PATH_BSHELL, &action, NULL,
- 
	    __DECONST(char **, argv), environ)) != 0) {
- 
		errno = error;
- 
		pkg_errno("Cannot run trigger script %s", script);
- 
		posix_spawn_file_actions_destroy(&action);
- 
		ret = EPKG_FATAL;
- 
		goto cleanup;
- 
	}
- 
	posix_spawn_file_actions_destroy(&action);
- 
	len = strlen(script);
-
- 
	while (len > 0) {
- 
		script_p = script;
- 
		if ((bw = write(stdin_pipe[1], script_p, len)) == -1) {
- 
			if (errno == EINTR)
- 
				continue;
- 
			ret = EPKG_FATAL;
- 
			goto cleanup;
- 
		}
- 
		script_p += bw;
- 
		len -= bw;
- 
	}
- 
	close(stdin_pipe[1]);
-
- 
	while (waitpid(pid, &pstat, 0) == -1) {
- 
		if (errno != EINTR) {
- 
			pkg_emit_error("waitpid() failed: %s", strerror(errno));
- 
			ret = EPKG_FATAL;
- 
			goto cleanup;
- 
		}
- 
	}
-
- 
	if (WEXITSTATUS(pstat) != 0)
- 
		ret = EPKG_FATAL;
-
- 
cleanup:
- 
	if (stdin_pipe[0] != -1)
- 
		close(stdin_pipe[0]);
- 
	if (stdin_pipe[1] != -1)
- 
		close(stdin_pipe[1]);
-
- 
	return (ret);
- 
}
-
- 
static int

trigger_execute_lua(const char *script, bool sandbox, kh_strings_t *args)

{

	lua_State *L;

	int pstat;



	if (ctx.defer_triggers) {
- 
		save_trigger(script, sandbox, args, true);
+ 
		save_trigger(script, sandbox, args);

		return (EPKG_OK);

	}
@@ -600,8 +521,6 @@ triggers_execute(struct trigger *cleanup_triggers)
		if (t->cleanup.type == SCRIPT_LUA) {

			ret = trigger_execute_lua(t->cleanup.script,

			    t->cleanup.sandbox, NULL);
- 
		} else if (t->cleanup.type == SCRIPT_SHELL) {
- 
			ret = trigger_execute_shell(t->cleanup.script, false, NULL);

		}

		if (ret != EPKG_OK)

			goto cleanup;
@@ -623,8 +542,6 @@ triggers_execute(struct trigger *cleanup_triggers)
		if (t->script.type == SCRIPT_LUA) {

			ret = trigger_execute_lua(t->script.script,

			    t->script.sandbox, t->matched);
- 
		} else if (t->script.type == SCRIPT_SHELL) {
- 
			ret = trigger_execute_shell(t->script.script, false, t->matched);

		}

		if (ret != EPKG_OK)

			goto cleanup;
@@ -661,8 +578,6 @@ append_touched_file(const char *path)
void

exec_deferred(int dfd, const char *name)

{
- 
	int (*trigger_exec)(const char *, bool , kh_strings_t *);
- 
	const char *comment = NULL;

	bool sandbox = false;

	kh_strings_t *args = NULL;

	xstring *script = NULL;
@@ -684,17 +599,8 @@ exec_deferred(int dfd, const char *name)
	char *walk;

	bool inargs = false;

	while ((linelen = getline(&line, &linecap, f)) > 0) {
- 
		if (comment == NULL) {
- 
			if (*line == '#') {
- 
				trigger_exec = &trigger_execute_shell;
- 
				comment = "#";
- 
			} else {
- 
				trigger_exec = &trigger_execute_lua;
- 
				comment = "--";
- 
			}
- 
		}

		walk = line;
- 
		walk += strlen(comment);
+ 
		walk += 2; /* '--' aka lua comments */

		if (strncmp(walk, "sandbox", 7) == 0) {

			sandbox = true;

			continue;
@@ -725,7 +631,7 @@ exec_deferred(int dfd, const char *name)
		return;

	}

	char *s = xstring_get(script);
- 
	if (trigger_exec(s, sandbox, args) == EPKG_OK) {
+ 
	if (trigger_execute_lua(s, sandbox, args) == EPKG_OK) {

		unlinkat(dfd, name, 0);

	}

	free(s);
modified tests/frontend/triggers.sh
@@ -3,35 +3,8 @@
. $(atf_get_srcdir)/test_environment.sh



tests_init \
- 
	cleanup_shell \

	cleanup_lua
- 
cleanup_shell_body() {
- 
	atf_check -s exit:0 sh ${RESOURCEDIR}/test_subr.sh new_pkg "test" "test" "1" "/"
- 
	mkdir trigger_dir/
- 
	cat << EOF >> trigger_dir/trigger.ucl
- 
path: [ "/" ]
- 
cleanup: {
- 
	type: shell
- 
	script: <<EOS
- 
echo "Cleaning up"
- 
EOS
- 
}
- 
trigger: {
- 
	type: shell
- 
	script: <<EOS
- 
exit 0
- 
EOS
- 
}
- 
EOF
- 
	echo ${TMPDIR}/trigger_dir/trigger.ucl > plist
- 
	atf_check pkg create -M test.ucl -p plist
- 
	mkdir target
- 
	atf_check pkg -o REPOS_DIR=/dev/null -r ${TMPDIR}/target install -qfy ${TMPDIR}/test-1.pkg
- 
	atf_check pkg -o REPOS_DIR=/dev/null -o PKG_TRIGGERS_DIR="${TMPDIR}/trigger_dir" install -qfy ${TMPDIR}/test-1.pkg
- 
	atf_check -o inline:"Cleaning up\n" pkg -o REPOS_DIR=/dev/null -o PKG_TRIGGERS_DIR="${TMPDIR}/trigger_dir" delete -qy test
- 
}
- 


cleanup_lua_body() {

	atf_check -s exit:0 sh ${RESOURCEDIR}/test_subr.sh new_pkg "test" "test" "1" "/"

	mkdir trigger_dir/
@@ -54,6 +27,7 @@ EOF
	atf_check pkg create -M test.ucl -p plist

	mkdir target

	atf_check pkg -o REPOS_DIR=/dev/null -r ${TMPDIR}/target install -qfy ${TMPDIR}/test-1.pkg
+ 
	unset PKG_TRIGGERS_DIR

	atf_check pkg -o REPOS_DIR=/dev/null -o PKG_TRIGGERS_DIR="${TMPDIR}/trigger_dir" install -qfy ${TMPDIR}/test-1.pkg

	atf_check -o inline:"Cleaning up\n" pkg -o REPOS_DIR=/dev/null -o PKG_TRIGGERS_DIR="${TMPDIR}/trigger_dir" delete -qy test

}