forked from Mirror/pmbootstrap
Properly escape commands in pmb.chroot.user() (#1316)
## Introduction In #1302 we noticed that `pmb.chroot.user()` does not escape commands properly: When passing one string with spaces, it would pass them as two strings to the chroot. The use case is passing a description with a space inside to `newapkbuild` with `pmboostrap newapkbuild`. This is not a security issue, as we don't pass strings from untrusted input to this function. ## Functions for running commands in pmbootstrap To put the rest of the description in context: We have four high level functions that run commands: * `pmb.helpers.run.user()` * `pmb.helpers.run.root()` * `pmb.chroot.root()` * `pmb.chroot.user()` In addition, one low level function that the others invoke: * `pmb.helpers.run.core()` ## Flawed test case The issue described above did not get detected for so long, because we have a test case in place since day one, which verifies that all of the functions above escape everything properly: * `test/test_shell_escape.py` So the test case ran a given command through all these functions, and compared the result each time. However, `pmb.chroot.root()` modified the command variable (passed by reference) and did the escaping already, which means `pmb.chroot.user()` running directly afterwards only returns the right output when *not* doing any escaping. Without questioning the accuracy of the test case, I've escaped commands and environment variables with `shlex.quote()` *before* passing them to `pmb.chroot.user()`. In retrospective this does not make sense at all and is reverted with this commit. ## Environment variables By coincidence, we have only passed custom environment variables to `pmb.chroot.user()`, never to the other high level functions. This only worked, because we did not do any escaping and the passed line gets executed as shell command: ``` $ MYENV=test echo test2 test 2 ``` If it was properly escaped as one shell command: ``` $ 'MYENV=test echo test2' sh: MYENV=test echo test2: not found ``` So doing that clearly doesn't work anymore. I have added a new `env` parameter to `pmb.chroot.user()` (and to all other high level functions for consistency), where environment variables can be passed as a dictionary. Then the function knows what to do and we end up with properly escaped commands and environment variables. ## Details * Add new `env` parameter to all high level command execution functions * New `pmb.helpers.run.flat_cmd()` function, that takes a command as list and environment variables as dict, and creates a properly escaped flat string from the input. * Use that function for proper escaping in all high level exec funcs * Don't escape commands *before* passing them to `pmb.chroot.user()` * Describe parameters of the command execution functions * `pmbootstrap -v` writes the exact command to the log that was executed (in addition to the simplified form we always write down for readability) * `test_shell_escape.py`: verify that the command passed by reference has not been modified, add a new test for strings with spaces, add tests for new function `pmb.helpers.run.flat_cmd()` * Remove obsolete commend in `pmb.chroot.distccd` about environment variables, because we don't use any there anymore * Add `TERM=xterm` to default environment variables in the chroot, so running ncurses applications like `menuconfig` and `nano` works out of the box
This commit is contained in:
parent
571ddf741a
commit
3666388619
10 changed files with 236 additions and 87 deletions
|
@ -181,6 +181,9 @@ def test_is_necessary_warn_depends(args, monkeypatch):
|
|||
|
||||
|
||||
def test_init_buildenv(args, monkeypatch):
|
||||
# First init native chroot buildenv properly without patched functions
|
||||
pmb.build.init(args)
|
||||
|
||||
# Disable effects of functions we don't want to test here
|
||||
monkeypatch.setattr(pmb.build._package, "build_depends",
|
||||
return_fake_build_depends)
|
||||
|
@ -227,12 +230,11 @@ def test_run_abuild(args, monkeypatch):
|
|||
# Normal run
|
||||
output = "armhf/test-1-r2.apk"
|
||||
env = {"CARCH": "armhf", "SUDO_APK": "abuild-apk --no-progress"}
|
||||
sudo_apk = "SUDO_APK='abuild-apk --no-progress'"
|
||||
cmd = ["CARCH=armhf", sudo_apk, "abuild", "-d"]
|
||||
cmd = ["abuild", "-d"]
|
||||
assert func(args, apkbuild, "armhf") == (output, cmd, env)
|
||||
|
||||
# Force and strict
|
||||
cmd = ["CARCH=armhf", sudo_apk, "abuild", "-r", "-f"]
|
||||
cmd = ["abuild", "-r", "-f"]
|
||||
assert func(args, apkbuild, "armhf", True, True) == (output, cmd, env)
|
||||
|
||||
# cross=native
|
||||
|
@ -240,8 +242,7 @@ def test_run_abuild(args, monkeypatch):
|
|||
"SUDO_APK": "abuild-apk --no-progress",
|
||||
"CROSS_COMPILE": "armv6-alpine-linux-muslgnueabihf-",
|
||||
"CC": "armv6-alpine-linux-muslgnueabihf-gcc"}
|
||||
cmd = ["CARCH=armhf", sudo_apk, "CROSS_COMPILE=armv6-alpine-linux-muslgnueabihf-",
|
||||
"CC=armv6-alpine-linux-muslgnueabihf-gcc", "abuild", "-d"]
|
||||
cmd = ["abuild", "-d"]
|
||||
assert func(args, apkbuild, "armhf", cross="native") == (output, cmd, env)
|
||||
|
||||
# cross=distcc
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue