Colin Walters 2b78df25f4 tests: Add a test case for path traversal in a dirtree
I was reading about a recent security issue with both EMC and VMWare:
https://arstechnica.com/information-technology/2018/01/emc-vmware-security-bugs-throw-gasoline-on-cloud-security-fire/

It's a classic path traversal problem, and that made me think more about our
handling of this in libostree.  Fortunately of course, not being new to
this rodeo, long ago I *did* consider path traversal.  Inside the pull
code, we call `ot_util_filename_validate()`.  Also, `fsck` does this too.

I have further followups here, but let's add some test cases for this. I crafted
a repository with a `../` in a dirtree object by patching libostree to inject
it, and that's included as a tarball.

This patch covers the two cases where we do already have checks; pulling
via HTTP, and in `fsck`.

Closes: 
Approved by: jlebon
2018-01-12 19:38:34 +00:00


# Extended regex of version-controlled paths the syntax checks leave alone.
# Simply expanded so the doubled "$$" collapses to the "$" end anchor once,
# at parse time; then exported into the environment of every recipe.
VC_LIST_EXCEPT_DEFAULT := ^(docs/.*|git.mk|lib/.*|m4/.*|md5/.*|build-aux/.*|src/gettext\.h|.*ChangeLog|buildutil/.*)$$
export VC_LIST_EXCEPT_DEFAULT
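# Syntax checks (sc_* rules from the maint machinery) that are disabled for
# this tree.  The lone "\" lines are visual group separators inside the
# continued value; they contribute nothing to the list.  The final entry
# deliberately carries no trailing backslash: a dangling continuation would
# splice the next rule header into this variable and leave its recipe
# without a target.
local-checks-to-skip := \
	sc_const_long_option \
	sc_error_message_uppercase \
	sc_file_system \
	sc_immutable_NEWS \
	sc_copyright_check \
	sc_makefile_path_separator_check \
	sc_require_config_h \
	sc_require_config_h_first \
	sc_two_space_separator_in_usage \
	sc_useless_cpp_parens \
	\
	sc_prohibit_atoi_atof \
	sc_prohibit_strcmp \
	sc_cast_of_alloca_return_value \
	sc_cast_of_x_alloc_return_value \
	sc_prohibit_S_IS_definition \
	\
	sc_program_name \
	sc_bindtextdomain \
	sc_prohibit_path_max_allocation \
	sc_trailing_blank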
# Reject glnx_prefix_error() calls whose format string ends in ": ".  The
# halt message tells the author not to write the trailing colon (presumably
# the helper supplies its own separator).  prohibit/halt are shell
# variables consumed by $(_sc_search_regexp), which is not defined in this
# file -- expected to come from the maint rules that include cfg.mk.
sc_glnx_prefix_error_colon:
	@prohibit='\<glnx_prefix_error *\(.*: ",' halt="don't add trailing : for glnx_prefix_error" \
	  $(_sc_search_regexp)
# Same check as sc_glnx_prefix_error_colon, for glnx_throw_errno_prefix():
# a format string ending in ": " is flagged, with the halt message as the
# explanation shown to the author.  Relies on $(_sc_search_regexp) being
# provided by the including maint rules.
sc_glnx_errno_prefix_colon:
	@prohibit='\<glnx_throw_errno_prefix *\(.*: ",' halt="don't add trailing : for glnx_throw_errno_prefix" \
	  $(_sc_search_regexp)
# Reject declarations of the form "glnx_fd_close int ..."; the halt message
# names glnx_autofd as the replacement.  Note the word boundary "\<" so
# identifiers merely ending in glnx_fd_close are not matched.  Relies on
# $(_sc_search_regexp) from the including maint rules.
sc_glnx_no_fd_close:
	@prohibit='\<glnx_fd_close int' halt="Use glnx_autofd, not glnx_fd_close" \
	  $(_sc_search_regexp)
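# Debugging aid: uncomment to have bash trace every recipe line it runs.
#SHELL=bash -x

# Print the version-controlled file list the checks operate on, i.e. the
# output of VC_LIST_EXCEPT (not defined here; expected from the including
# maint rules).  Declared phony: it produces no file, so it must run every
# time even if something named show-vc-list-except exists in the tree.
.PHONY: show-vc-list-except
show-vc-list-except:
	@$(VC_LIST_EXCEPT)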
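# Paths excluded from the VC file list unconditionally.  This is an extended
# regex (note "$$" -> "$" end anchor), not a shell glob, so the suffixes are
# written as "\.gpg" etc.: the previous "*.gpg" put "*" right after "|",
# where it has no atom to repeat -- undefined in POSIX ERE, silently dropped
# by GNU grep and treated as a literal or rejected by other implementations.
# Escaping the dots also stops ".xz"/".gz" from matching any character
# before "xz"/"gz".
VC_LIST_ALWAYS_EXCLUDE_REGEX := ^ABOUT-NLS|cfg\.mk|maint\.mk|\.gpg|\.sig|\.xz|\.gz$$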