added perl to dangerous command
check trigger scripts too git-svn-id: svn+ssh://rpmlint.zarb.org/home/projects/rpmlint/svn/trunk@691 9bc8b190-ac0f-0410-8968-dc7d1f502856
This commit is contained in:
Frédéric Lepied
parent
d39dd06798
commit
2480001eaf
132
PostCheck.py
132
PostCheck.py
|
|
@ -15,6 +15,7 @@ import re
|
|||
import os
|
||||
import commands
|
||||
import string
|
||||
import types
|
||||
|
||||
DEFAULT_VALID_SHELLS=('/bin/sh',
|
||||
'/bin/bash',
|
||||
|
|
@ -29,7 +30,7 @@ braces_regex=re.compile('^[^#]*%', re.MULTILINE)
|
|||
double_braces_regex=re.compile('%%', re.MULTILINE)
|
||||
bracket_regex=re.compile('^[^#]*if.*[^ \]]\]', re.MULTILINE)
|
||||
home_regex=re.compile('[^a-zA-Z]+~/|\$HOME', re.MULTILINE)
|
||||
dangerous_command_regex=re.compile("(^|\s|;|/bin/)(cp|mv|ln|tar|rpm|chmod|chown|rm|cpio|install)\s", re.MULTILINE)
|
||||
dangerous_command_regex=re.compile("(^|\s|;|/bin/)(cp|mv|ln|tar|rpm|chmod|chown|rm|cpio|install|perl)\s", re.MULTILINE)
|
||||
single_command_regex=re.compile("^[ \n]*([^ \n]+)[ \n]*$")
|
||||
update_menu_regex=re.compile('update-menus', re.MULTILINE)
|
||||
tmp_regex=re.compile('\s(/var)?/tmp', re.MULTILINE)
|
||||
|
|
@ -45,31 +46,31 @@ for p in prereq_assoc:
|
|||
p[0] = re.compile('^[^#]+' + p[0], re.MULTILINE)
|
||||
|
||||
def incorrect_shell_script(shellscript):
|
||||
tmpfile = "%s/.bash-script.%d" % (extract_dir, os.getpid())
|
||||
tmpfile = '%s/.bash-script.%d' % (extract_dir, os.getpid())
|
||||
if not shellscript:
|
||||
return 0
|
||||
file=open(tmpfile, 'w')
|
||||
file.write(shellscript)
|
||||
file.close()
|
||||
ret=commands.getstatusoutput("/bin/bash -n %s" % tmpfile)
|
||||
ret=commands.getstatusoutput('/bin/bash -n %s' % tmpfile)
|
||||
os.remove(tmpfile)
|
||||
return ret[0]
|
||||
|
||||
def incorrect_perl_script(perlscript):
|
||||
tmpfile = "%s/.perl-script.%d" % (extract_dir, os.getpid())
|
||||
tmpfile = '%s/.perl-script.%d' % (extract_dir, os.getpid())
|
||||
if not perlscript:
|
||||
return 0
|
||||
file=open(tmpfile, 'w')
|
||||
file.write(perlscript)
|
||||
file.close()
|
||||
ret=commands.getstatusoutput("/usr/bin/perl -wc %s" % tmpfile)
|
||||
ret=commands.getstatusoutput('/usr/bin/perl -wc %s' % tmpfile)
|
||||
os.remove(tmpfile)
|
||||
return ret[0]
|
||||
|
||||
class PostCheck(AbstractCheck.AbstractCheck):
|
||||
|
||||
def __init__(self):
|
||||
AbstractCheck.AbstractCheck.__init__(self, "PostCheck")
|
||||
AbstractCheck.AbstractCheck.__init__(self, 'PostCheck')
|
||||
|
||||
def check(self, pkg):
|
||||
# Check only binary package
|
||||
|
|
@ -80,65 +81,21 @@ class PostCheck(AbstractCheck.AbstractCheck):
|
|||
prereq=map(lambda x: x[0], pkg.prereq())
|
||||
files=pkg.files().keys()
|
||||
|
||||
for tag in ((rpm.RPMTAG_PREIN, rpm.RPMTAG_PREINPROG, "%pre"),
|
||||
(rpm.RPMTAG_POSTIN, rpm.RPMTAG_POSTINPROG, "%post"),
|
||||
(rpm.RPMTAG_PREUN, rpm.RPMTAG_PREUNPROG, "%preun"),
|
||||
(rpm.RPMTAG_POSTUN, rpm.RPMTAG_POSTUNPROG, "%postun")):
|
||||
for tag in ((rpm.RPMTAG_PREIN, rpm.RPMTAG_PREINPROG, '%pre'),
|
||||
(rpm.RPMTAG_POSTIN, rpm.RPMTAG_POSTINPROG, '%post'),
|
||||
(rpm.RPMTAG_PREUN, rpm.RPMTAG_PREUNPROG, '%preun'),
|
||||
(rpm.RPMTAG_POSTUN, rpm.RPMTAG_POSTUNPROG, '%postun'),
|
||||
(rpm.RPMTAG_TRIGGERSCRIPTS, rpm.RPMTAG_TRIGGERSCRIPTPROG, '%trigger'),
|
||||
):
|
||||
script = pkg[tag[0]]
|
||||
prog = pkg[tag[1]]
|
||||
if script:
|
||||
if prog:
|
||||
if not prog in valid_shells:
|
||||
printError(pkg, "invalid-shell-in-" + tag[2], prog)
|
||||
if prog == "/bin/sh" or prog == "/bin/bash" or prog == "/usr/bin/perl":
|
||||
if braces_regex.search(script) and not double_braces_regex.search(script):
|
||||
printWarning(pkg, "percent-in-" + tag[2])
|
||||
if bracket_regex.search(script):
|
||||
printWarning(pkg, "spurious-bracket-in-" + tag[2])
|
||||
res=dangerous_command_regex.search(script)
|
||||
if res:
|
||||
printWarning(pkg, "dangerous-command-in-" + tag[2], res.group(2))
|
||||
if update_menu_regex.search(script):
|
||||
menu_error=1
|
||||
for f in files:
|
||||
if menu_regex.search(f):
|
||||
menu_error=0
|
||||
break
|
||||
if menu_error:
|
||||
printError(pkg, 'update-menus-without-menu-file-in-' + tag[2])
|
||||
if tmp_regex.search(script):
|
||||
printError(pkg, 'use-tmp-in-' + tag[2])
|
||||
for c in prereq_assoc:
|
||||
if c[0].search(script):
|
||||
found=0
|
||||
for p in c[1]:
|
||||
if p in prereq or p in files:
|
||||
found=1
|
||||
break
|
||||
if not found:
|
||||
printError(pkg, 'no-prereq-on', c[1][0])
|
||||
|
||||
if prog == "/bin/sh" or prog == "/bin/bash":
|
||||
if incorrect_shell_script(script):
|
||||
printError(pkg, "shell-syntax-error-in-" + tag[2])
|
||||
if home_regex.search(script):
|
||||
printError(pkg, "use-of-home-in-" + tag[2])
|
||||
res=bogus_var_regex.search(script)
|
||||
if res:
|
||||
printWarning(pkg, 'bogus-variable-use-in-' + tag[2], res.group(1))
|
||||
|
||||
if prog == "/usr/bin/perl":
|
||||
if incorrect_perl_script(script):
|
||||
printError(pkg, "perl-syntax-error-in-" + tag[2])
|
||||
|
||||
res=single_command_regex.search(script)
|
||||
if res:
|
||||
printWarning(pkg, 'one-line-command-in-' + tag[2], res.group(1))
|
||||
if type(script) != types.ListType:
|
||||
self.check_aux(pkg, files, prog, script, tag)
|
||||
else:
|
||||
if prog in valid_shells:
|
||||
printWarning(pkg, "empty-" + tag[2])
|
||||
|
||||
|
||||
for idx in range(0, len(prog)):
|
||||
self.check_aux(pkg, files, prog[idx], script[idx], tag)
|
||||
|
||||
ghost_files=pkg.ghostFiles()
|
||||
if ghost_files:
|
||||
postin=pkg[rpm.RPMTAG_POSTIN]
|
||||
|
|
@ -150,7 +107,60 @@ class PostCheck(AbstractCheck.AbstractCheck):
|
|||
if (not postin or string.find(postin, f) == -1) and \
|
||||
(not prein or string.find(prein, f) == -1):
|
||||
printWarning(pkg, 'postin-without-ghost-file-creation', f)
|
||||
|
||||
def check_aux(self, pkg, files, prog, script, tag):
|
||||
if script:
|
||||
if prog:
|
||||
if not prog in valid_shells:
|
||||
printError(pkg, 'invalid-shell-in-' + tag[2], prog)
|
||||
if prog == '/bin/sh' or prog == '/bin/bash' or prog == '/usr/bin/perl':
|
||||
if braces_regex.search(script) and not double_braces_regex.search(script):
|
||||
printWarning(pkg, 'percent-in-' + tag[2])
|
||||
if bracket_regex.search(script):
|
||||
printWarning(pkg, 'spurious-bracket-in-' + tag[2])
|
||||
res=dangerous_command_regex.search(script)
|
||||
if res:
|
||||
printWarning(pkg, 'dangerous-command-in-' + tag[2], res.group(2))
|
||||
if update_menu_regex.search(script):
|
||||
menu_error=1
|
||||
for f in files:
|
||||
if menu_regex.search(f):
|
||||
menu_error=0
|
||||
break
|
||||
if menu_error:
|
||||
printError(pkg, 'update-menus-without-menu-file-in-' + tag[2])
|
||||
if tmp_regex.search(script):
|
||||
printError(pkg, 'use-tmp-in-' + tag[2])
|
||||
for c in prereq_assoc:
|
||||
if c[0].search(script):
|
||||
found=0
|
||||
for p in c[1]:
|
||||
if p in prereq or p in files:
|
||||
found=1
|
||||
break
|
||||
if not found:
|
||||
printError(pkg, 'no-prereq-on', c[1][0])
|
||||
|
||||
if prog == '/bin/sh' or prog == '/bin/bash':
|
||||
if incorrect_shell_script(script):
|
||||
printError(pkg, 'shell-syntax-error-in-' + tag[2])
|
||||
if home_regex.search(script):
|
||||
printError(pkg, 'use-of-home-in-' + tag[2])
|
||||
res=bogus_var_regex.search(script)
|
||||
if res:
|
||||
printWarning(pkg, 'bogus-variable-use-in-' + tag[2], res.group(1))
|
||||
|
||||
if prog == '/usr/bin/perl':
|
||||
if incorrect_perl_script(script):
|
||||
printError(pkg, 'perl-syntax-error-in-' + tag[2])
|
||||
|
||||
res=single_command_regex.search(script)
|
||||
if res:
|
||||
printWarning(pkg, 'one-line-command-in-' + tag[2], res.group(1))
|
||||
else:
|
||||
if prog in valid_shells:
|
||||
printWarning(pkg, 'empty-' + tag[2])
|
||||
|
||||
# Create an object to enable the auto registration of the test
|
||||
check=PostCheck()
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue