admin/brew
1
0
Fork 0
Code Issues Packages Projects Releases 6 Wiki Activity

Merge pull request #17700 from Homebrew/filter-special-chars-from-sandbox

Browse Source
This commit is contained in:
Mike McQuaid 2024-07-13 15:52:33 -04:00 committed by GitHub
commit 2ee6f29934
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 60 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
Library/Homebrew/sandbox.rb
View File

@ -231,6 +231,22 @@ class Sandbox
end end
end end
# @api private
sig { params(path: T.any(String, Pathname), type: Symbol).returns(String) }
def path_filter(path, type)
invalid_char = ['"', "'", "(", ")", "\n"].find do |c|
path.to_s.include?(c)
end
raise ArgumentError, "Invalid character #{invalid_char} in path: #{path}" if invalid_char
case type
when :regex then "regex #\"#{path}\""
when :subpath then "subpath \"#{expand_realpath(Pathname.new(path))}\""
when :literal then "literal \"#{expand_realpath(Pathname.new(path))}\""
else raise ArgumentError, "Invalid path filter type: #{type}"
end
end
private private
sig { params(path: Pathname).returns(Pathname) } sig { params(path: Pathname).returns(Pathname) }
@ -240,16 +256,6 @@ class Sandbox
path.exist? ? path.realpath : expand_realpath(path.parent)/path.basename path.exist? ? path.realpath : expand_realpath(path.parent)/path.basename
end end
sig { params(path: T.any(String, Pathname), type: Symbol).returns(String) }
def path_filter(path, type)
case type
when :regex then "regex #\"#{path}\""
when :subpath then "subpath \"#{expand_realpath(Pathname.new(path))}\""
when :literal then "literal \"#{expand_realpath(Pathname.new(path))}\""
else raise ArgumentError, "Invalid path filter type: #{type}"
end
end
class SandboxRule class SandboxRule
sig { returns(T::Boolean) } sig { returns(T::Boolean) }
attr_reader :allow attr_reader :allow

44
Library/Homebrew/test/sandbox_spec.rb
View File

@ -21,6 +21,50 @@ RSpec.describe Sandbox, :needs_macos do
expect(file).to exist expect(file).to exist
end end
describe "#path_filter" do
["'", '"', "(", ")", "\n"].each do |char|
it "fails if the path contains #{char}" do
expect do
sandbox.path_filter("foo#{char}bar", :subpath)
end.to raise_error(ArgumentError)
end
end
end
describe "#allow_write_cellar" do
it "fails when the formula has a name including )" do
f = formula do
url "https://brew.sh/foo-1.0.tar.gz"
version "1.0"
def initialize(*, **)
super
@name = "foo)bar"
end
end
expect do
sandbox.allow_write_cellar f
end.to raise_error(ArgumentError)
end
it "fails when the formula has a name including \"" do
f = formula do
url "https://brew.sh/foo-1.0.tar.gz"
version "1.0"
def initialize(*, **)
super
@name = "foo\"bar"
end
end
expect do
sandbox.allow_write_cellar f
end.to raise_error(ArgumentError)
end
end
describe "#exec" do describe "#exec" do
it "fails when writing to file not specified with ##allow_write" do it "fails when writing to file not specified with ##allow_write" do
expect do expect do