-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
mock-build to support --git-url option for scratch build #278
base: main
Are you sure you want to change the base?
Conversation
@@ -15,6 +16,16 @@ def options(self): | |||
|
|||
# this option cannot be used for diff-build tasks |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we need to change the comment?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure I understand. The changes in this MR doesn't change the behavior of diff-build
, I think it's still true that the option cannot be used for diff-build.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think diff-build
would not work with cspodman
anyway. It should probably work with version-diff-build
though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Latested updates applied both client/hub side validation.
@rhyw After installing the test rpm, run the command: |
@hanchuntao Did you also update the hub and worker? Note that links to the RH internal pastebin instance are not much useful for external community members. |
if profile != "cspodman": | ||
print("dist-git URL scan is incompatible with profile:", profile, file=sys.stderr) | ||
return None, 2 | ||
return self.analyze(analyzers, dist_git_url, profile, su_user, additional_arguments, **kwargs) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Where do we protect dist_git_url
against shell command injection? My quick check suggests that nowhere:
osh-cli mock-build --hub https://covscan.lab.eng.brq2.redhat.com/osh/xmlrpc --config=cspodman --git-url "https://example/ --help; ls -l ~/.config/configstore; #hash"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, I tested it
[root@chhan-rhel9 ~]# osh-cli mock-build --hub https://covscan.lab.eng.brq2.redhat.com/osh/xmlrpc --config=cspodman --git-url "https://example/ --help; ls -l ~/.config/configstore; #hash"
Task info: https://covscan.lab.eng.brq2.redhat.com/osh/task/467528/
Watching tasks (this may be safely interrupted)...
467528 MockBuild: FREE
--> FREE: 1 [total: 1]
467528 MockBuild: FREE -> OPEN (osh-test-worker-001.osh-001.preprod.iad2.dc.redhat.com)
--> OPEN: 1 [total: 1]
467528 MockBuild: OPEN (osh-test-worker-001.osh-001.preprod.iad2.dc.redhat.com) -> FAILED (osh-test-worker-001.osh-001.preprod.iad2.dc.redhat.com)
--> FAILED: 1 [total: 1]
[root@chhan-rhel9 ~]#
result in https://covscan.lab.eng.brq2.redhat.com/osh/task/467528/log/stdout.log
total 8
-rw-------. 1 csmock csmock 58 Nov 24 2023 snyk.json
-rw-------. 1 csmock csmock 58 Oct 10 2023 snyk.json.bak
Task did not produce any results
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is a dist git URL check here: https://github.com/openscanhub/openscanhub/pull/278/files#diff-26bebd5671ea9c96d9eba3bdf8d8fcdcd3a4f8c594e359d29464c3623ff3aee3R36
But it appears the error was thrown before the validation is even triggerred. I'll see what can be done to throw this error earlier, probably to add some validation in cspodman cli.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Validation in osh-cli
is not a solution to the security issue because anyone can comment out the validation in their copy of osh-cli
or just use the XML-RPC interface directly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
... and validation in cspodman
would not help either because the shell injection happens in the shell that runs cspodman
, not in the implementation of cspodman
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's still helpful from client side because we should always raise/return earlier. I had this commit addressed: 69a902a
I'll see how similar sanitation/validation can be done from hub too. working in progress.
yes, I update osh-client, osh-worker, but forget update osh-hub, after update it, the command run correctly,and get correct result:
|
/packit rebuild-failed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rhyw Let's not over-complicate this. The git URL is now checked at multiple places using multiple regular expressions. Manually maintaining a set of disallowed characters is not a way to protect against shell command injection. To protect against shell injection, please use shlex.quote()
as we do for other arguments passed to csmock
or cspodman
. To reject invalid URLs before starting a scan, I would just rewrite the regex that splits the URL parts so that it explicitly lists the set of allowed characters in each part of the URL.
@kdudka thanks for the suggestion, I have revised the way how validation was done a bit. The existing REs we use in csmock/cspodman are not enough to check the validity of the git URLs, some additional checks are added in latest code. |
@rhyw Is this ready for review? The commits seem to be in wrong order with some unnecessary changes back and forth: |
The pipeline is failed though I was checking the cause of the failure.
I had some problem rebasing earlier due to merge conflicts. I'll mark this as Draft first, and mark it as Ready once these issues are fixed. Thanks |
so that it's easier to reuse the code snippets.
cmd construction to a separate function, output_path to be determined in a separate function. The change split the function into smaller ones, to make it ealier to partially re-use.
I think the pipeline failure is not relevent. I had some tests on stage, and I think it's working as expected. Validation is done on both cli/hub side. e.g., on client side with an invalid URL provided:
|
Resolves: https://issues.redhat.com/browse/OSH-592