M #: Hardening bash scripts

2025-03-16 22:50:10 +03:00 · 2020-05-25 17:58:07 +02:00 · 2020-05-25 17:58:07 +02:00 · 2f02eded88
commit 2f02eded88
parent bf2c596ab7 9a0b149a08
4 changed files with 43 additions and 4 deletions
--- a/src/datastore_mad/remotes/docker_downloader.sh
+++ b/src/datastore_mad/remotes/docker_downloader.sh
@ -107,7 +107,7 @@ set -e -o pipefail
 #  format: image format e.g. raw or qcow2
 #  distro: base image distro to install contents
 #-------------------------------------------------------------------------------
-id=`uuidgen`
+id=`echo "$RANDOM-$RANDOM-$RANDOM-$RANDOM-$RANDOM"`
 sid=`echo $id | cut -d '-' -f 1`

 url=`echo $MARKET_URL | grep -oP "^"docker://"\K.*"`
--- a/src/mad/sh/create_docker_image.sh
+++ b/src/mad/sh/create_docker_image.sh
@ -51,7 +51,7 @@ if [ ! -f "$tarball" ]; then
 fi

 # Check dockerdir is different than / and the directory name is an uuid
-regex_uuid="^\{?[A-F0-9a-f]{8}-[A-F0-9a-f]{4}-[A-F0-9a-f]{4}-[A-F0-9a-f]{4}-[A-F0-9a-f]{12}\}?$"
+regex_uuid="^\{?[0-9]+-[0-9]+-[0-9]+-[0-9]+-[0-9]+\}?$"
 if [ ! -d $dockerdir ] || [[ ! $(basename $dockerdir) =~ $regex_uuid ]]; then
    exit -1
 fi
--- a/src/vmm_mad/remotes/lib/firecracker/one-clean-firecracker-domain
+++ b/src/vmm_mad/remotes/lib/firecracker/one-clean-firecracker-domain
@ -16,7 +16,28 @@
 # limitations under the License.                                             #
 #--------------------------------------------------------------------------- #

-source /var/tmp/one/scripts_common.sh
+# Parameters are times (seconds) and monitoring command (or function).
+# Executes monitoring command until it is successful (VM is no longer
+# running) or the timeout is reached.
+function retry
+{
+    times=$1
+    function=$2
+
+    count=1
+
+    ret=$($function)
+    error=$?
+
+    while [ $count -lt $times -a "$error" != "0" ]; do
+        sleep 1
+        count=$(( $count + 1 ))
+        ret=$($function)
+        error=$?
+    done
+
+    [ "x$error" = "x0" ]
+}

 # exit when any command fails
 set -e
@ -37,7 +58,20 @@ done

 shift $(($OPTIND - 1))

-if [ -z "$CGROUP_PATH" ] || [ -z "$VM_NAME" ]; then
+# Check $CGROUP_PATH is an existing directory
+if [ ! -d "$CGROUP_PATH" ]; then
+    exit -1
+fi
+
+# Check $VM_NAME have the right format
+regex='^one-[0-9]+$'
+if ! [[ "$VM_NAME" ~= $regex ]]; then
+    exit -1
+fi
+
+# Check $CGROUP_TO is an integer
+regex_num='^[0-9]+$'
+if ! [[ "$CGROUP_TO" =~ $regex_num ]]; then
    exit -1
 fi

--- a/src/vmm_mad/remotes/lib/firecracker/one-prepare-firecracker-domain
+++ b/src/vmm_mad/remotes/lib/firecracker/one-prepare-firecracker-domain
@ -55,6 +55,11 @@ if ! [[ "$CPU_VAL" =~ $regex_num ]]; then
    exit -1
 fi

+# Check $SYSDS_PATH/$VM_ID is a directory and not a symlink
+if [ ! -d "$SYSDS_PATH/$VM_ID" ] || [ -L "$SYSDS_PATH/$VM_ID" ]; then
+    exit -1
+fi
+
 ###############################################################################
 # Map the jailer chroot path to the OpenNebula VM location
 ###############################################################################