Symlink support

- added some security checks so that symlinks can be supported - also some code quality changes
2022-04-12 14:30:33 +08:00 · 2022-04-12 14:30:33 +08:00 · 9d8b6f41b4
commit 9d8b6f41b4
parent f2cb5fd8d3
1 changed files with 22 additions and 9 deletions
--- a/lib/worker_multibuild.py
+++ b/lib/worker_multibuild.py
@ -1,5 +1,5 @@
-from os import listdir
-from os.path import exists, isfile, join, islink
+from os import getcwd, listdir
+from os.path import exists, isfile, islink, join, realpath
 import requests
 import re
 from subprocess import Popen, PIPE
@ -69,14 +69,23 @@ def list_jobs(directory=".buildbot"):
        flag = False
        for fname in files:
            filepath = join(directory, item, fname)
+            # must exist
            if not exists(filepath):
                continue
-            if islink(filepath) or not isfile(filepath):
+            # must be a file
+            if not isfile(filepath):
+                flag = True
+                break
+            # symlink OK as long as it points to files within the repo
+            if islink(filepath) \
+                    and not realpath(filepath).startswith(getcwd()):
                flag = True
                break
        if flag:
            continue
-        if (exists(join(directory, item, 'Dockerfile')) and exists(join(directory, item, 'build.sh'))) or exists(join(directory, item, 'test.sh')):
+        if (exists(join(directory, item, 'Dockerfile'))
+                and exists(join(directory, item, 'build.sh'))) \
+                or exists(join(directory, item, 'test.sh')):
            results.append(item)
    return results

@ -90,7 +99,8 @@ def get_revision(branch):

 def _get_dockerfile_contents(dockerfile):
    """
-    Read contents of a Dockerfile and add extra contents for the given os_codename
+    Read contents of a Dockerfile and add buildbot worker bootstrap
+    for a given os_codename
    """
    os_codename = 'bionic'
    res = ""
@ -117,7 +127,8 @@ def _get_dockerfile_contents(dockerfile):
    return res + dockerfile_extra_contents[os_codename]


-def trigger_child_hooks(buildbotUrl: str, repository, branch, revision, directory=".buildbot"):
+def trigger_child_hooks(buildbotUrl: str, repository, branch, revision,
+                        directory=".buildbot"):
    request_url = buildbotUrl + ty
    # List all jobs in the directory
    jobs = list_jobs(directory)
@ -126,7 +137,7 @@ def trigger_child_hooks(buildbotUrl: str, repository, branch, revision, director
        "X-Multibuild-Trigger": get_secret(),
        "Accept": "text/plain",
    }
-    #revision = get_revision(branch)
+    # revision = get_revision(branch)

    # Check if build.sh or test.sh exists in each of the jobs
    for job in jobs:
@ -160,8 +171,10 @@ def trigger_child_hooks(buildbotUrl: str, repository, branch, revision, director
            "project": "/".join(repository.split("/")[-2:]),
        }

-        retval = requests.post(request_url, headers=request_headers, json=request_data)
-        print("Triggered job for {} on {}: {}".format(job, request_url, retval.text))
+        retval = requests.post(request_url, headers=request_headers,
+                               json=request_data)
+        print("Triggered job for {} on {}: {}".format(job, request_url,
+                                                      retval.text))


 if __name__ == "__main__":