bitbake: lib/bb/utils: add safeguard against recursively deleting things we shouldn't

Add some very basic safeguard against recursively deleting paths such as / and /home in the event of bugs or user mistakes. Addresses [YOCTO #7620]. (Bitbake rev: 56cddeb9e1e4d249f84ccd6ef65db245636e38ea) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Paul Eggleton <paul.eggleton@linux.intel.com> 2015-04-17 15:26:59 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-04-19 13:37:31 +0100
commit: 72d88f29da1ece634028420317233a45ff8e015b (patch)
tree: 78cbedae538c7895ca33c7f7ba734a05d5bedabf
parent: f9b160571f795dc9d9d42ad7e85969ec54b86430 (diff)
download: poky-72d88f29da1ece634028420317233a45ff8e015b.tar.gz
2 files changed, 38 insertions, 0 deletions
diff --git a/bitbake/lib/bb/tests/utils.py b/bitbake/lib/bb/tests/utils.py
index 507de2de3c..6e09858e51 100644
--- a/bitbake/lib/bb/tests/utils.py
+++ b/bitbake/lib/bb/tests/utils.py
@@ -21,6 +21,7 @@
 import unittest
 import bb
+import os
 class VerCmpString(unittest.TestCase):
@@ -88,3 +89,19 @@ class VerCmpString(unittest.TestCase):
        # Check that clearly invalid operator raises an exception
        self.assertRaises(bb.utils.VersionStringException, bb.utils.vercmp_string_op, '0', '0', '$')
+class Path(unittest.TestCase):
+    def test_unsafe_delete_path(self):
+        checkitems = [('/', True),
+                      ('//', True),
+                      ('///', True),
+                      (os.getcwd().count(os.sep) * ('..' + os.sep), True),
+                      (os.environ.get('HOME', '/home/test'), True),
+                      ('/home/someone', True),
+                      ('/home/other/', True),
+                      ('/home/other/subdir', False),
+                      ('', False)]
+        for arg1, correctresult in checkitems:
+            result = bb.utils._check_unsafe_delete_path(arg1)
+            self.assertEqual(result, correctresult, '_check_unsafe_delete_path("%s") != %s' % (arg1, correctresult))
diff --git a/bitbake/lib/bb/utils.py b/bitbake/lib/bb/utils.py
index 5ac9bcfbd4..c97f3ef81f 100644
--- a/bitbake/lib/bb/utils.py
+++ b/bitbake/lib/bb/utils.py
@@ -601,11 +601,30 @@ def build_environment(d):
        if export:
            os.environ[var] = d.getVar(var, True) or ""
+def _check_unsafe_delete_path(path):
+    """
+    Basic safeguard against recursively deleting something we shouldn't. If it returns True,
+    the caller should raise an exception with an appropriate message.
+    NOTE: This is NOT meant to be a security mechanism - just a guard against silly mistakes
+    with potentially disastrous results.
+    """
+    extra = ''
+    # HOME might not be /home/something, so in case we can get it, check against it
+    homedir = os.environ.get('HOME', '')
+    if homedir:
+        extra = '|%s' % homedir
+    if re.match('(/|//|/home|/home/[^/]*%s)$' % extra, os.path.abspath(path)):
+        return True
+    return False
 def remove(path, recurse=False):
    """Equivalent to rm -f or rm -rf"""
    if not path:
        return
    if recurse:
+        for name in glob.glob(path):
+            if _check_unsafe_delete_path(path):
+                raise Exception('bb.utils.remove: called with dangerous path "%s" and recurse=True, refusing to delete!' % path)
        # shutil.rmtree(name) would be ideal but its too slow
        subprocess.call(['rm', '-rf'] + glob.glob(path))
        return
@@ -619,6 +638,8 @@ def remove(path, recurse=False):
 def prunedir(topdir):
    # Delete everything reachable from the directory named in 'topdir'.
    # CAUTION:  This is dangerous!
+    if _check_unsafe_delete_path(topdir):
+        raise Exception('bb.utils.prunedir: called with dangerous path "%s", refusing to delete!' % topdir)
    for root, dirs, files in os.walk(topdir, topdown = False):
        for name in files:
            os.remove(os.path.join(root, name))
author	Paul Eggleton <paul.eggleton@linux.intel.com>	2015-04-17 15:26:59 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-04-19 13:37:31 +0100
commit	72d88f29da1ece634028420317233a45ff8e015b (patch)
tree	78cbedae538c7895ca33c7f7ba734a05d5bedabf
parent	f9b160571f795dc9d9d42ad7e85969ec54b86430 (diff)
download	poky-72d88f29da1ece634028420317233a45ff8e015b.tar.gz

diff --git a/bitbake/lib/bb/tests/utils.py b/bitbake/lib/bb/tests/utils.py index 507de2de3c..6e09858e51 100644 --- a/bitbake/lib/bb/tests/utils.py +++ b/bitbake/lib/bb/tests/utils.py
@@ -21,6 +21,7 @@
21		21
22	import unittest	22	import unittest
23	import bb	23	import bb
		24	import os
24		25
25	class VerCmpString(unittest.TestCase):	26	class VerCmpString(unittest.TestCase):
26		27
@@ -88,3 +89,19 @@ class VerCmpString(unittest.TestCase):
88		89
89	# Check that clearly invalid operator raises an exception	90	# Check that clearly invalid operator raises an exception
90	self.assertRaises(bb.utils.VersionStringException, bb.utils.vercmp_string_op, '0', '0', '$')	91	self.assertRaises(bb.utils.VersionStringException, bb.utils.vercmp_string_op, '0', '0', '$')
		92
		93
		94	class Path(unittest.TestCase):
		95	def test_unsafe_delete_path(self):
		96	checkitems = [('/', True),
		97	('//', True),
		98	('///', True),
		99	(os.getcwd().count(os.sep) * ('..' + os.sep), True),
		100	(os.environ.get('HOME', '/home/test'), True),
		101	('/home/someone', True),
		102	('/home/other/', True),
		103	('/home/other/subdir', False),
		104	('', False)]
		105	for arg1, correctresult in checkitems:
		106	result = bb.utils._check_unsafe_delete_path(arg1)
		107	self.assertEqual(result, correctresult, '_check_unsafe_delete_path("%s") != %s' % (arg1, correctresult))


diff --git a/bitbake/lib/bb/utils.py b/bitbake/lib/bb/utils.py index 5ac9bcfbd4..c97f3ef81f 100644 --- a/bitbake/lib/bb/utils.py +++ b/bitbake/lib/bb/utils.py
@@ -601,11 +601,30 @@ def build_environment(d):
601	if export:	601	if export:
602	os.environ[var] = d.getVar(var, True) or ""	602	os.environ[var] = d.getVar(var, True) or ""
603		603
		604	def _check_unsafe_delete_path(path):
		605	"""
		606	Basic safeguard against recursively deleting something we shouldn't. If it returns True,
		607	the caller should raise an exception with an appropriate message.
		608	NOTE: This is NOT meant to be a security mechanism - just a guard against silly mistakes
		609	with potentially disastrous results.
		610	"""
		611	extra = ''
		612	# HOME might not be /home/something, so in case we can get it, check against it
		613	homedir = os.environ.get('HOME', '')
		614	if homedir:
		615	extra = '\|%s' % homedir
		616	if re.match('(/\|//\|/home\|/home/[^/]*%s)$' % extra, os.path.abspath(path)):
		617	return True
		618	return False
		619
604	def remove(path, recurse=False):	620	def remove(path, recurse=False):
605	"""Equivalent to rm -f or rm -rf"""	621	"""Equivalent to rm -f or rm -rf"""
606	if not path:	622	if not path:
607	return	623	return
608	if recurse:	624	if recurse:
		625	for name in glob.glob(path):
		626	if _check_unsafe_delete_path(path):
		627	raise Exception('bb.utils.remove: called with dangerous path "%s" and recurse=True, refusing to delete!' % path)
609	# shutil.rmtree(name) would be ideal but its too slow	628	# shutil.rmtree(name) would be ideal but its too slow
610	subprocess.call(['rm', '-rf'] + glob.glob(path))	629	subprocess.call(['rm', '-rf'] + glob.glob(path))
611	return	630	return
@@ -619,6 +638,8 @@ def remove(path, recurse=False):
619	def prunedir(topdir):	638	def prunedir(topdir):
620	# Delete everything reachable from the directory named in 'topdir'.	639	# Delete everything reachable from the directory named in 'topdir'.
621	# CAUTION: This is dangerous!	640	# CAUTION: This is dangerous!
		641	if _check_unsafe_delete_path(topdir):
		642	raise Exception('bb.utils.prunedir: called with dangerous path "%s", refusing to delete!' % topdir)
622	for root, dirs, files in os.walk(topdir, topdown = False):	643	for root, dirs, files in os.walk(topdir, topdown = False):
623	for name in files:	644	for name in files:
624	os.remove(os.path.join(root, name))	645	os.remove(os.path.join(root, name))