mock-build to support --git-url option for scratch build #278
Conversation
| @@ -15,6 +16,16 @@ def options(self): | |||
|
|
|||
| # this option cannot be used for diff-build tasks | |||
There was a problem hiding this comment.
Should we need to change the comment?
There was a problem hiding this comment.
Not sure I understand. The changes in this MR doesn't change the behavior of diff-build, I think it's still true that the option cannot be used for diff-build.
There was a problem hiding this comment.
I think diff-build would not work with cspodman anyway. It should probably work with version-diff-build though.
There was a problem hiding this comment.
Latested updates applied both client/hub side validation.
|
@rhyw After installing the test rpm, run the command: |
|
@hanchuntao Did you also update the hub and worker? Note that links to the RH internal pastebin instance are not much useful for external community members. |
| if profile != "cspodman": | ||
| print("dist-git URL scan is incompatible with profile:", profile, file=sys.stderr) | ||
| return None, 2 | ||
| return self.analyze(analyzers, dist_git_url, profile, su_user, additional_arguments, **kwargs) |
There was a problem hiding this comment.
Where do we protect dist_git_url against shell command injection? My quick check suggests that nowhere:
osh-cli mock-build --hub https://covscan.lab.eng.brq2.redhat.com/osh/xmlrpc --config=cspodman --git-url "https://example/ --help; ls -l ~/.config/configstore; #hash"There was a problem hiding this comment.
yes, I tested it
[root@chhan-rhel9 ~]# osh-cli mock-build --hub https://covscan.lab.eng.brq2.redhat.com/osh/xmlrpc --config=cspodman --git-url "https://example/ --help; ls -l ~/.config/configstore; #hash"
Task info: https://covscan.lab.eng.brq2.redhat.com/osh/task/467528/
Watching tasks (this may be safely interrupted)...
467528 MockBuild: FREE
--> FREE: 1 [total: 1]
467528 MockBuild: FREE -> OPEN (osh-test-worker-001.osh-001.preprod.iad2.dc.redhat.com)
--> OPEN: 1 [total: 1]
467528 MockBuild: OPEN (osh-test-worker-001.osh-001.preprod.iad2.dc.redhat.com) -> FAILED (osh-test-worker-001.osh-001.preprod.iad2.dc.redhat.com)
--> FAILED: 1 [total: 1]
[root@chhan-rhel9 ~]#
result in https://covscan.lab.eng.brq2.redhat.com/osh/task/467528/log/stdout.log
total 8
-rw-------. 1 csmock csmock 58 Nov 24 2023 snyk.json
-rw-------. 1 csmock csmock 58 Oct 10 2023 snyk.json.bak
Task did not produce any results
There was a problem hiding this comment.
There is a dist git URL check here: https://github.com/openscanhub/openscanhub/pull/278/files#diff-26bebd5671ea9c96d9eba3bdf8d8fcdcd3a4f8c594e359d29464c3623ff3aee3R36
But it appears the error was thrown before the validation is even triggerred. I'll see what can be done to throw this error earlier, probably to add some validation in cspodman cli.
There was a problem hiding this comment.
Validation in osh-cli is not a solution to the security issue because anyone can comment out the validation in their copy of osh-cli or just use the XML-RPC interface directly.
There was a problem hiding this comment.
... and validation in cspodman would not help either because the shell injection happens in the shell that runs cspodman, not in the implementation of cspodman.
There was a problem hiding this comment.
I think it's still helpful from client side because we should always raise/return earlier. I had this commit addressed: 69a902a
I'll see how similar sanitation/validation can be done from hub too. working in progress.
yes, I update osh-client, osh-worker, but forget update osh-hub, after update it, the command run correctly,and get correct result: |
|
/packit rebuild-failed |
There was a problem hiding this comment.
@rhyw Let's not over-complicate this. The git URL is now checked at multiple places using multiple regular expressions. Manually maintaining a set of disallowed characters is not a way to protect against shell command injection. To protect against shell injection, please use shlex.quote() as we do for other arguments passed to csmock or cspodman. To reject invalid URLs before starting a scan, I would just rewrite the regex that splits the URL parts so that it explicitly lists the set of allowed characters in each part of the URL.
|
@kdudka thanks for the suggestion, I have revised the way how validation was done a bit. The existing REs we use in csmock/cspodman are not enough to check the validity of the git URLs, some additional checks are added in latest code. |
|
@rhyw Is this ready for review? The commits seem to be in wrong order with some unnecessary changes back and forth: |
The pipeline is failed though I was checking the cause of the failure.
I had some problem rebasing earlier due to merge conflicts. I'll mark this as Draft first, and mark it as Ready once these issues are fixed. Thanks |
so that it's easier to reuse the code snippets.
cmd construction to a separate function, output_path to be determined in a separate function. The change split the function into smaller ones, to make it ealier to partially re-use.
|
I think the pipeline failure is not relevent. I had some tests on stage, and I think it's working as expected. Validation is done on both cli/hub side. e.g., on client side with an invalid URL provided: |
Resolves: https://issues.redhat.com/browse/OSH-592