

Merge pull request from GHSA-95g6-7q26-mp9x
Only use local files (file://) when they have explicit permissions a+r
PromoFaux authored Mar 27, 2024
2 parents eaa878e + 9dd138b commit f3af031
Showing 1 changed file with 32 additions and 4 deletions.
36 changes: 32 additions & 4 deletions gravity.sh
Expand Up @@ -503,6 +503,7 @@ compareLists() {
gravity_DownloadBlocklistFromUrl() {
local url="${1}" adlistID="${2}" saveLocation="${3}" target="${4}" compression="${5}"
local heisenbergCompensator="" listCurlBuffer str httpCode success="" ip cmd_ext
local file_path permissions ip_addr port blocked=false download=true

# Create temp file to store content on disk instead of RAM
# We don't use '--suffix' here because not all implementations of mktemp support it, e.g. on Alpine
Expand All @@ -519,7 +520,6 @@ gravity_DownloadBlocklistFromUrl() {

str="Status:"
echo -ne " ${INFO} ${str} Pending..."
blocked=false
case $BLOCKINGMODE in
"IP-NODATA-AAAA"|"IP")
# Get IP address of this domain
Expand Down Expand Up @@ -560,16 +560,44 @@ gravity_DownloadBlocklistFromUrl() {
cmd_ext="--resolve $domain:$port:$ip"
fi

# shellcheck disable=SC2086
httpCode=$(curl --connect-timeout ${curl_connect_timeout} -s -L ${compression} ${cmd_ext} ${heisenbergCompensator} -w "%{http_code}" "${url}" -o "${listCurlBuffer}" 2> /dev/null)
# If we are going to "download" a local file, we first check if the target
# file has a+r permission. We explicitly check for all+read because we want
# to make sure that the file is readable by everyone and not just the user
# running the script.
if [[ $url == "file://"* ]]; then
# Get the file path
file_path=$(echo "$url" | cut -d'/' -f3-)
# Check if the file exists
if [[ ! -e $file_path ]]; then
# Output that the file does not exist
echo -e "${OVER} ${CROSS} ${file_path} does not exist"
download=false
else
# Check if the file has a+r permissions
permissions=$(stat -c "%a" "$file_path")
if [[ $permissions == "??4" || $permissions == "??5" || $permissions == "??6" || $permissions == "??7" ]]; then
# Output that we are using the local file
echo -e "${OVER} ${INFO} Using local file ${file_path}"
else
# Output that the file does not have the correct permissions
echo -e "${OVER} ${CROSS} Cannot read file (file needs to have a+r permission)"
download=false
fi
fi
fi

if [[ "${download}" == true ]]; then
# shellcheck disable=SC2086
httpCode=$(curl --connect-timeout ${curl_connect_timeout} -s -L ${compression} ${cmd_ext} ${heisenbergCompensator} -w "%{http_code}" "${url}" -o "${listCurlBuffer}" 2> /dev/null)
fi

case $url in
# Did we "download" a local file?
"file"*)
if [[ -s "${listCurlBuffer}" ]]; then
echo -e "${OVER} ${TICK} ${str} Retrieval successful"; success=true
else
echo -e "${OVER} ${CROSS} ${str} Not found / empty list"
echo -e "${OVER} ${CROSS} ${str} Retrieval failed / empty list"
fi;;
# Did we "download" a remote file?
*)
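Review bot: The permission check at `permissions=$(stat -c "%a" "$file_path")` inspects the path as given, and `stat` without `-L` reports a symbolic link's own mode rather than its target's, while curl reads the target; use `stat -L -c "%a" "$file_path"` so the a+r requirement applies to the file that is actually read. The scheme test `[[ $url == "file://"* ]]` is also case-sensitive whereas curl matches schemes case-insensitively, so comparing `${url,,}` (bash 4+, consistent with the `[[` already used here) keeps a differently-cased scheme from skipping the new check; the `"file"*)` arm of the later `case` has the same sensitivity but predates this commit. Note that `%a` prints four digits when setuid/setgid/sticky bits are set, so the `??4`-style patterns reject such files outright, whereas `[[ $permissions == *[4567] ]]` tests the world-read bit in either form. The check and the read remain separate steps, so this is a best-effort guard rather than an atomic one; gravity_DownloadBlocklistFromUrl continues outside the hunk.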

