YETUS-1159. fixes for CVE-2022-24765 #254
de8e465 to 5dd0c7e
LGTM. I have just a couple questions.
return 0
fi

if [[ -n "${container}" ]]; then
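Review bot: `-n "${container}"` only detects runtimes that export `container` (lxc, systemd-nspawn and podman do; Docker does not by default), and any parent process can set or clear the variable, so a non-empty value is a hint rather than proof and an empty or unset value must fall through to the procfs checks below instead of being read as "not in a container".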
Where does ${container} come from?
From the reading I've done, lxc will set ${container} to lxc, and some other container technologies will also set that to ... something. It's a terrible check, really, but what else can we do? 🤷
I've added some comments to this code block to hopefully better describe what is going on.
return 0
fi

if [[ -d /proc/self/mountinfo ]]; then
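Review bot: `-d /proc/self/mountinfo` tests for a directory, but mountinfo is a regular file in procfs, so this condition is never true and whatever the block guards is always skipped; use `[[ -f /proc/self/mountinfo ]]` (or `-e`) so the mountinfo scan actually runs.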
Is the order of these checks important? Is it better to start with one proc mount vs the other?
From the bit of playing I've done, not really. But I should really optimize the code to use a for loop now that I think about it.
Looking at this again, I realize why I didn't use a for loop: awk is involved so the quoting gets a bit involved when any of this is in an environment variable.
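As an added example (not code from this PR or from Apache Yetus), here is one way to write the container heuristic discussed above as a single loop: the `${container}` environment hint first, then a scan of procfs files for runtime markers, with the marker regex handed to awk through `-v` so none of the shell data has to be quoted inside the awk program. The function name `in_container`, the default file list and the marker list are assumptions for illustration; the sample files used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not Apache Yetus code. Best-effort "are we inside a
# container?" check. Function name, default files and markers are assumptions.

# in_container [file ...]
#   Exit status 0 if any heuristic indicates a container, 1 otherwise.
#   With no arguments the usual procfs files are scanned; passing explicit
#   paths lets the logic be exercised against constructed sample files.
in_container() {
  # lxc exports container=lxc, systemd-nspawn container=systemd-nspawn and
  # podman container=podman. Docker does not set it, and any parent process
  # can set or clear it, so a non-empty value is a hint, never proof.
  if [ -n "${container}" ]; then
    return 0
  fi

  if [ "$#" -eq 0 ]; then
    set -- /proc/1/cgroup /proc/self/cgroup /proc/self/mountinfo
  fi

  # The regex lives in a shell variable and reaches awk via -v, so the awk
  # program itself stays in plain single quotes with no shell interpolation.
  markers='docker|containerd|lxc|kubepods|podman|libpod'

  for f in "$@"; do
    # These procfs entries are regular files: test with -f, not -d.
    [ -f "${f}" ] || continue
    # found=1 on the first matching line; END turns that into exit status 0.
    if awk -v pat="${markers}" '$0 ~ pat { found = 1; exit } END { exit !found }' "${f}"; then
      return 0
    fi
  done
  return 1
}
```

Because the files are parameters, the same function can be pointed at `/proc/1/cgroup` on a real host or at saved copies when debugging a false negative; the order of the files only affects how soon the loop stops, not the answer.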
{
if [[ ! -e "${BASEDIR}/.git" ]]; then
  yetus_error "ERROR: ${BASEDIR} is not a git repo."
  cleanup_and_exit 1
Forgive my ignorance. Is it a common pattern in our public API that functions prefixed with verify_ can exit the process when their condition is not met?
Great question. This one might be the only one. I should probably rename it from verify to ... something else, since it isn't really a verify function.
Renamed to check_, which makes a lot more sense.
…s_containers function
Thanks for the review @ndimiduk! I think I'm going to go ahead and merge this in, if only to un-break the action test (hopefully; based upon my local tests it does, at least). We can always open more issues or PRs if there is more to do. 😄
This patch does a few things:
NOTE: this code will almost certainly still fail the Action Test GHA until it is committed to main.