Symlink support

- added some security checks so that symlinks can be supported
- also some code quality changes
Peter Šurda 2022-04-12 14:30:33 +08:00
parent f2cb5fd8d3
commit 9d8b6f41b4
Signed by untrusted user: PeterSurda
GPG Key ID: 3E47497CF67ABB95


@ -1,5 +1,5 @@
from os import listdir from os import getcwd, listdir
from os.path import exists, isfile, join, islink from os.path import exists, isfile, islink, join, realpath
import requests import requests
import re import re
from subprocess import Popen, PIPE from subprocess import Popen, PIPE
@ -69,14 +69,23 @@ def list_jobs(directory=".buildbot"):
flag = False flag = False
for fname in files: for fname in files:
filepath = join(directory, item, fname) filepath = join(directory, item, fname)
# must exist
if not exists(filepath): if not exists(filepath):
continue continue
if islink(filepath) or not isfile(filepath): # must be a file
if not isfile(filepath):
flag = True
break
# symlink OK as long as it points to files within the repo
if islink(filepath) \
and not realpath(filepath).startswith(getcwd()):
flag = True flag = True
break break
if flag: if flag:
continue continue
if (exists(join(directory, item, 'Dockerfile')) and exists(join(directory, item, 'build.sh'))) or exists(join(directory, item, 'test.sh')): if (exists(join(directory, item, 'Dockerfile'))
and exists(join(directory, item, 'build.sh'))) \
or exists(join(directory, item, 'test.sh')):
results.append(item) results.append(item)
return results return results
@ -90,7 +99,8 @@ def get_revision(branch):
def _get_dockerfile_contents(dockerfile): def _get_dockerfile_contents(dockerfile):
""" """
Read contents of a Dockerfile and add extra contents for the given os_codename Read contents of a Dockerfile and add buildbot worker bootstrap
for a given os_codename
""" """
os_codename = 'bionic' os_codename = 'bionic'
res = "" res = ""
@ -117,7 +127,8 @@ def _get_dockerfile_contents(dockerfile):
return res + dockerfile_extra_contents[os_codename] return res + dockerfile_extra_contents[os_codename]
def trigger_child_hooks(buildbotUrl: str, repository, branch, revision, directory=".buildbot"): def trigger_child_hooks(buildbotUrl: str, repository, branch, revision,
directory=".buildbot"):
request_url = buildbotUrl + ty request_url = buildbotUrl + ty
# List all jobs in the directory # List all jobs in the directory
jobs = list_jobs(directory) jobs = list_jobs(directory)
@ -126,7 +137,7 @@ def trigger_child_hooks(buildbotUrl: str, repository, branch, revision, director
"X-Multibuild-Trigger": get_secret(), "X-Multibuild-Trigger": get_secret(),
"Accept": "text/plain", "Accept": "text/plain",
} }
#revision = get_revision(branch) # revision = get_revision(branch)
# Check if build.sh or test.sh exists in each of the jobs # Check if build.sh or test.sh exists in each of the jobs
for job in jobs: for job in jobs:
@ -160,8 +171,10 @@ def trigger_child_hooks(buildbotUrl: str, repository, branch, revision, director
"project": "/".join(repository.split("/")[-2:]), "project": "/".join(repository.split("/")[-2:]),
} }
retval = requests.post(request_url, headers=request_headers, json=request_data) retval = requests.post(request_url, headers=request_headers,
print("Triggered job for {} on {}: {}".format(job, request_url, retval.text)) json=request_data)
print("Triggered job for {} on {}: {}".format(job, request_url,
retval.text))
if __name__ == "__main__": if __name__ == "__main__":
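Review bot: The new symlink check in list_jobs, `realpath(filepath).startswith(getcwd())`, is a plain string-prefix comparison, so a link whose resolved target sits in a sibling directory whose name merely begins with the working-directory path (for example `<cwd>-other/`) is still treated as inside the repo. Compare whole path components instead: `root = realpath(getcwd())` followed by `if islink(filepath) and commonpath([root, realpath(filepath)]) != root:`, with `commonpath` added to the `os.path` import. The check also assumes the process working directory is the repository root, which these hunks do not show, so the comment above it should state that assumption. list_jobs begins above this hunk, so how `files` and `item` are produced is not visible here.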