Merge branch 'more-security-fixes' into 'master'

More security fixes See merge request fdroid/fdroidserver!471
2024-11-20 13:50:12 +01:00 · 2018-03-05 09:10:57 +00:00 · 2018-03-05 09:10:57 +00:00 · 67d386d925
commit 67d386d925
parent 654b3cb9dc 8f30c892c5
4 changed files with 64 additions and 2 deletions
--- a/fdroidserver/checkupdates.py
+++ b/fdroidserver/checkupdates.py
@ -429,6 +429,9 @@ def checkupdates_app(app):
        msg = 'Invalid update check method'

    if version and vercode and app.VercodeOperation:
+        if not common.VERCODE_OPERATION_RE.match(app.VercodeOperation):
+            raise MetaDataException(_('Invalid VercodeOperation: {field}')
+                                    .format(field=app.VercodeOperation))
        oldvercode = str(int(vercode))
        op = app.VercodeOperation.replace("%c", oldvercode)
        vercode = str(eval(op))
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@ -61,6 +61,8 @@ from .asynchronousfilereader import AsynchronousFileReader
 # has to be manually set in test_aapt_version()
 MINIMUM_AAPT_VERSION = '26.0.0'

+VERCODE_OPERATION_RE = re.compile(r'^([ 0-9/*+-]|%c)+$')
+
 # A signature block file with a .DSA, .RSA, or .EC extension
 CERT_PATH_REGEX = re.compile(r'^META-INF/.*\.(DSA|EC|RSA)$')
 APK_NAME_REGEX = re.compile(r'^([a-zA-Z][\w.]*)_(-?[0-9]+)_?([0-9a-f]{7})?\.apk')
@ -1011,6 +1013,10 @@ class vcs_gitsvn(vcs):
            import requests
            r = requests.head(remote)
            r.raise_for_status()
+            location = r.headers.get('location')
+            if location and not location.startswith('https://'):
+                raise VCSException(_('Invalid redirect to non-HTTPS: {before} -> {after} ')
+                                   .format(before=remote, after=location))

            gitsvn_args.extend(['--', remote, self.local])
            p = self.git(gitsvn_args)
@ -1112,7 +1118,7 @@ class vcs_hg(vcs):

    def gotorevisionx(self, rev):
        if not os.path.exists(self.local):
-            p = FDroidPopen(['hg', 'clone', '--ssh', 'false', '--', self.remote, self.local],
+            p = FDroidPopen(['hg', 'clone', '--ssh', '/bin/false', '--', self.remote, self.local],
                            output=False)
            if p.returncode != 0:
                self.clone_failed = True
@ -1126,7 +1132,7 @@ class vcs_hg(vcs):
                    raise VCSException("Unexpected output from hg status -uS: " + line)
                FDroidPopen(['rm', '-rf', '--', line[2:]], cwd=self.local, output=False)
            if not self.refreshed:
-                p = FDroidPopen(['hg', 'pull', '--ssh', 'false'], cwd=self.local, output=False)
+                p = FDroidPopen(['hg', 'pull', '--ssh', '/bin/false'], cwd=self.local, output=False)
                if p.returncode != 0:
                    raise VCSException("Hg pull failed", p.output)
                self.refreshed = True
--- a/fdroidserver/lint.py
+++ b/fdroidserver/lint.py
@ -222,6 +222,11 @@ def check_update_check_data_url(app):
                    yield _('UpdateCheckData must use HTTPS URL: {url}').format(url=url)


+def check_vercode_operation(app):
+    if app.VercodeOperation and not common.VERCODE_OPERATION_RE.match(app.VercodeOperation):
+        yield _('Invalid VercodeOperation: {field}').format(field=app.VercodeOperation)
+
+
 def check_ucm_tags(app):
    lastbuild = get_lastbuild(app.builds)
    if (lastbuild is not None
@ -529,6 +534,7 @@ def main():
        app_check_funcs = [
            check_regexes,
            check_update_check_data_url,
+            check_vercode_operation,
            check_ucm_tags,
            check_char_limits,
            check_old_links,
--- a/tests/lint.TestCase
+++ b/tests/lint.TestCase
@ -19,6 +19,7 @@ if localmodule not in sys.path:

 import fdroidserver.common
 import fdroidserver.lint
+import fdroidserver.metadata


 class LintTest(unittest.TestCase):
@ -69,6 +70,52 @@ class LintTest(unittest.TestCase):
            logging.debug(warn)
        self.assertTrue(anywarns)

+    def test_check_vercode_operation(self):
+        config = dict()
+        fdroidserver.common.fill_config_defaults(config)
+        fdroidserver.common.config = config
+        fdroidserver.lint.config = config
+
+        app = fdroidserver.metadata.App()
+        app.Name = 'Bad App'
+        app.Summary = 'We pwn you'
+        app.Description = 'These are some back'
+
+        good_fields = [
+            '6%c',
+            '%c - 1',
+            '%c + 10',
+            '%c*10',
+            '%c*10 + 3',
+            '%c*10 + 8',
+            '%c + 2 ',
+            '%c + 3',
+            '%c + 7',
+        ]
+        bad_fields = [
+            'open("/etc/passwd")',
+            '%C + 1',
+            '%%c * 123',
+            '123 + %%',
+            '%c % 7',
+        ]
+
+        anywarns = False
+        for good in good_fields:
+            app.VercodeOperation = good
+            for warn in fdroidserver.lint.check_vercode_operation(app):
+                anywarns = True
+                logging.debug(warn)
+            self.assertFalse(anywarns)
+
+        for bad in bad_fields:
+            anywarns = False
+            app.VercodeOperation = bad
+            for warn in fdroidserver.lint.check_vercode_operation(app):
+                anywarns = True
+                logging.debug(warn)
+            self.assertTrue(anywarns)
+

 if __name__ == "__main__":
    parser = optparse.OptionParser()