Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't allow special characters in sandbox rule paths #17700

Merged
merged 1 commit into from
Jul 13, 2024
Merged

Don't allow special characters in sandbox rule paths #17700

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 15 additions & 9 deletions Library/Homebrew/sandbox.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -231,17 +231,14 @@ def exec(*args)
end
end

private

sig { params(path: Pathname).returns(Pathname) }
def expand_realpath(path)
raise unless path.absolute?

path.exist? ? path.realpath : expand_realpath(path.parent)/path.basename
end

# @api private
sig { params(path: T.any(String, Pathname), type: Symbol).returns(String) }
def path_filter(path, type)
invalid_char = ['"', "'", "(", ")", "\n"].find do |c|
path.to_s.include?(c)
end
MikeMcQuaid marked this conversation as resolved.
Show resolved Hide resolved
raise ArgumentError, "Invalid character #{invalid_char} in path: #{path}" if invalid_char

case type
when :regex then "regex #\"#{path}\""
when :subpath then "subpath \"#{expand_realpath(Pathname.new(path))}\""
Expand All @@ -250,6 +247,15 @@ def path_filter(path, type)
end
end

private

sig { params(path: Pathname).returns(Pathname) }
def expand_realpath(path)
raise unless path.absolute?

path.exist? ? path.realpath : expand_realpath(path.parent)/path.basename
end

class SandboxRule
sig { returns(T::Boolean) }
attr_reader :allow
Expand Down
44 changes: 44 additions & 0 deletions Library/Homebrew/test/sandbox_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,50 @@
expect(file).to exist
end

describe "#path_filter" do
["'", '"', "(", ")", "\n"].each do |char|
it "fails if the path contains #{char}" do
expect do
sandbox.path_filter("foo#{char}bar", :subpath)
end.to raise_error(ArgumentError)
end
end
end

describe "#allow_write_cellar" do
it "fails when the formula has a name including )" do
f = formula do
url "https://brew.sh/foo-1.0.tar.gz"
version "1.0"

def initialize(*, **)
super
@name = "foo)bar"
end
end

expect do
sandbox.allow_write_cellar f
end.to raise_error(ArgumentError)
end

it "fails when the formula has a name including \"" do
f = formula do
url "https://brew.sh/foo-1.0.tar.gz"
version "1.0"

def initialize(*, **)
super
@name = "foo\"bar"
end
end

expect do
sandbox.allow_write_cellar f
end.to raise_error(ArgumentError)
end
end

describe "#exec" do
it "fails when writing to file not specified with ##allow_write" do
expect do
Expand Down