author | Malfurious <m@lfurio.us> | 2023-09-09 12:14:27 -0400 |
---|---|---|
committer | Malfurious <m@lfurio.us> | 2023-09-10 04:47:40 -0400 |
commit | 05bcbcb268d98279b8c6731689b45db9be3be86a (patch) | |
tree | 6c915f3a94ce12fe09671d59e6958b2e2fdbdd77 | |
parent | 7aba2b2be7ed8129e98205a58a637c388bccca51 (diff) | |
download | cychedelic-05bcbcb268d98279b8c6731689b45db9be3be86a.tar.gz cychedelic-05bcbcb268d98279b8c6731689b45db9be3be86a.zip |
acid: Sanitize filename inputs from the config
Prevent the creation or access of unintended files in the ACID
container. Also, assert that names are valid for docker before
attempting to deploy images.
Signed-off-by: Malfurious <m@lfurio.us>
-rwxr-xr-x | acid/cyche-build | 6 |
-rwxr-xr-x | acid/cyche-source | 6 |
2 files changed, 12 insertions, 0 deletions
diff --git a/acid/cyche-build b/acid/cyche-build index 7f63117..6468276 100755 --- a/acid/cyche-build +++ b/acid/cyche-build @@ -25,6 +25,12 @@ cd "/services/$1" +# For <file>, no absolute paths and no '../' +if ! echo "$2" | grep -Evq '\.\.|^/'; then + echo "Bad file path: $2" + exit 1 +fi + if [ "$4" == "--self" ]; then prev=$(cat '.git/previous_slug') [ -z "$prev" ] && prev="$1" diff --git a/acid/cyche-source b/acid/cyche-source index ee4caca..7dca756 100755 --- a/acid/cyche-source +++ b/acid/cyche-source @@ -25,6 +25,12 @@ gethash() { cd '/services' +# For <name>, limit to a-z, 0-9, -, _ +if ! echo "$1" | grep -Eq '^[-_a-z0-9]*$'; then + echo "Bad service name: $1" >&2 + exit 2 +fi + if ! [ -d "$1" ]; then git clone "$2" "$1" >&2 || exit 2 touch "$1/.git/previous_hash" |
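Review bot: In the acid/cyche-build hunk, the inverted match `grep -Evq '\.\.|^/'` is evaluated per line, so the check passes as soon as any single line of `$2` is clean; a value containing an embedded newline is accepted even when another of its lines starts with `/` or contains `..`, and an empty `$2` is accepted as well. Testing for the bad pattern directly is safer: `if echo "$2" | grep -Eq '\.\.|^/'; then` followed by the reject branch, plus an explicit `[ -z "$2" ]` check. The error message here also goes to stdout and exits 1, while the matching check in acid/cyche-source writes to stderr and exits 2; it would help to make the two consistent.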
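Review bot: In the acid/cyche-source hunk, the pattern `'^[-_a-z0-9]*$'` accepts an empty name (because of `*`) and a name that begins with `-`, which the following `git clone "$2" "$1"` would read as an option rather than a directory. The commit message says names should be valid for docker, and Docker image and container names must begin with an alphanumeric character, so `'^[a-z0-9][-_a-z0-9]*$'` matches the stated intent more closely. As with the cyche-build check, `grep -q` succeeds if any one line of `$1` matches, so a multi-line value with one valid line passes; rejecting values that contain a newline before the grep would close that gap.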