From 9d8b6f41b4e7f7c5f701682127c25d2cd74a9c87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Peter=20=C5=A0urda?=
Date: Tue, 12 Apr 2022 14:30:33 +0800
Subject: [PATCH] Symlink support

- added some security checks so that symlinks can be supported
- also some code quality changes
---
 lib/worker_multibuild.py | 31 ++++++++++++++++++++++---------
 1 file changed, 22 insertions(+), 9 deletions(-)

diff --git a/lib/worker_multibuild.py b/lib/worker_multibuild.py
index 5a44b41..d889bae 100644
--- a/lib/worker_multibuild.py
+++ b/lib/worker_multibuild.py
@@ -1,5 +1,5 @@
-from os import listdir
-from os.path import exists, isfile, join, islink
+from os import getcwd, listdir
+from os.path import exists, isfile, islink, join, realpath
 import requests
 import re
 from subprocess import Popen, PIPE
@@ -69,14 +69,23 @@ def list_jobs(directory=".buildbot"):
 flag = False
 for fname in files:
 filepath = join(directory, item, fname)
+ # must exist
 if not exists(filepath):
 continue
- if islink(filepath) or not isfile(filepath):
+ # must be a file
+ if not isfile(filepath):
+ flag = True
+ break
+ # symlink OK as long as it points to files within the repo
+ if islink(filepath) \
+ and not realpath(filepath).startswith(getcwd()):
+ flag = True
+ break
 if flag:
 continue
- if (exists(join(directory, item, 'Dockerfile')) and exists(join(directory, item, 'build.sh'))) or exists(join(directory, item, 'test.sh')):
+ if (exists(join(directory, item, 'Dockerfile'))
+ and exists(join(directory, item, 'build.sh'))) \
+ or exists(join(directory, item, 'test.sh')):
 results.append(item)
 return results
@@ -90,7 +99,8 @@ def get_revision(branch):
 def _get_dockerfile_contents(dockerfile):
 """
- Read contents of a Dockerfile and add extra contents for the given os_codename
+ Read contents of a Dockerfile and add buildbot worker bootstrap
+ for a given os_codename
 """
 os_codename = 'bionic'
 res = ""
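Review bot: The containment test on the new `realpath(filepath).startswith(getcwd())` line is a bare string-prefix check, so a symlink resolving to a sibling path such as `/srv/repo-evil/secret` passes when the checkout is `/srv/repo`, while a cwd that itself goes through a symlink (realpath differs from getcwd) rejects every in-repo link. Compare against the canonicalised root with a trailing separator, which needs nothing beyond the already-imported `join`: `and not realpath(filepath).startswith(join(realpath(getcwd()), '')):`. The check also presumes the worker's cwd is the repository root — the `directory=".buildbot"` default suggests that but the hunk does not show it — and it is evaluated only here, so a link could be retargeted before whatever later reads the file; a comment at the check would make both explicit, e.g. `# NOTE: assumes cwd is the repo checkout; link targets are validated only here`. list_jobs begins outside the hunk (`results`, `item` and `files` are set above it).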
@@ -117,7 +127,8 @@ def _get_dockerfile_contents(dockerfile):
 return res + dockerfile_extra_contents[os_codename]
-def trigger_child_hooks(buildbotUrl: str, repository, branch, revision, directory=".buildbot"):
+def trigger_child_hooks(buildbotUrl: str, repository, branch, revision,
+ directory=".buildbot"):
 request_url = buildbotUrl + ty
 # List all jobs in the directory
 jobs = list_jobs(directory)
@@ -126,7 +137,7 @@ def trigger_child_hooks(buildbotUrl: str, repository, branch, revision, director
 "X-Multibuild-Trigger": get_secret(),
 "Accept": "text/plain",
 }
-#revision = get_revision(branch)
+# revision = get_revision(branch)
 # Check if build.sh or test.sh exists in each of the jobs
 for job in jobs:
@@ -160,8 +171,10 @@ def trigger_child_hooks(buildbotUrl: str, repository, branch, revision, director
 "project": "/".join(repository.split("/")[-2:]),
 }
-retval = requests.post(request_url, headers=request_headers, json=request_data)
-print("Triggered job for {} on {}: {}".format(job, request_url, retval.text))
+retval = requests.post(request_url, headers=request_headers,
+json=request_data)
+print("Triggered job for {} on {}: {}".format(job, request_url,
+retval.text))
 if __name__ == "__main__":