VercodeOperation: only allow simple math expresssions and %c

fdroidserver/checkupdates.py

@@ -429,6 +429,9 @@ def checkupdates_app(app):
         msg = 'Invalid update check method'
 
     if version and vercode and app.VercodeOperation:
+        if not common.VERCODE_OPERATION_RE.match(app.VercodeOperation):
+            raise MetaDataException(_('Invalid VercodeOperation: {field}')
+                                    .format(field=app.VercodeOperation))
         oldvercode = str(int(vercode))
         op = app.VercodeOperation.replace("%c", oldvercode)
         vercode = str(eval(op))

fdroidserver/common.py

@@ -61,6 +61,8 @@ from .asynchronousfilereader import AsynchronousFileReader
 # has to be manually set in test_aapt_version()
 MINIMUM_AAPT_VERSION = '26.0.0'
 
+VERCODE_OPERATION_RE = re.compile(r'^([ 0-9/*+-]|%c)+$')
+
 # A signature block file with a .DSA, .RSA, or .EC extension
 CERT_PATH_REGEX = re.compile(r'^META-INF/.*\.(DSA|EC|RSA)$')
 APK_NAME_REGEX = re.compile(r'^([a-zA-Z][\w.]*)_(-?[0-9]+)_?([0-9a-f]{7})?\.apk')

fdroidserver/lint.py

@@ -222,6 +222,11 @@ def check_update_check_data_url(app):
                     yield _('UpdateCheckData must use HTTPS URL: {url}').format(url=url)
 
 
+def check_vercode_operation(app):
+    if app.VercodeOperation and not common.VERCODE_OPERATION_RE.match(app.VercodeOperation):
+        yield _('Invalid VercodeOperation: {field}').format(field=app.VercodeOperation)
+
+
 def check_ucm_tags(app):
     lastbuild = get_lastbuild(app.builds)
     if (lastbuild is not None
@@ -529,6 +534,7 @@ def main():
         app_check_funcs = [
             check_regexes,
             check_update_check_data_url,
+            check_vercode_operation,
             check_ucm_tags,
             check_char_limits,
             check_old_links,

tests/lint.TestCase

@@ -19,6 +19,7 @@ if localmodule not in sys.path:
 
 import fdroidserver.common
 import fdroidserver.lint
+import fdroidserver.metadata
 
 
 class LintTest(unittest.TestCase):
@@ -69,6 +70,52 @@ class LintTest(unittest.TestCase):
             logging.debug(warn)
         self.assertTrue(anywarns)
 
+    def test_check_vercode_operation(self):
+        config = dict()
+        fdroidserver.common.fill_config_defaults(config)
+        fdroidserver.common.config = config
+        fdroidserver.lint.config = config
+
+        app = fdroidserver.metadata.App()
+        app.Name = 'Bad App'
+        app.Summary = 'We pwn you'
+        app.Description = 'These are some back'
+
+        good_fields = [
+            '6%c',
+            '%c - 1',
+            '%c + 10',
+            '%c*10',
+            '%c*10 + 3',
+            '%c*10 + 8',
+            '%c + 2 ',
+            '%c + 3',
+            '%c + 7',
+        ]
+        bad_fields = [
+            'open("/etc/passwd")',
+            '%C + 1',
+            '%%c * 123',
+            '123 + %%',
+            '%c % 7',
+        ]
+
+        anywarns = False
+        for good in good_fields:
+            app.VercodeOperation = good
+            for warn in fdroidserver.lint.check_vercode_operation(app):
+                anywarns = True
+                logging.debug(warn)
+            self.assertFalse(anywarns)
+
+        for bad in bad_fields:
+            anywarns = False
+            app.VercodeOperation = bad
+            for warn in fdroidserver.lint.check_vercode_operation(app):
+                anywarns = True
+                logging.debug(warn)
+            self.assertTrue(anywarns)
+
 
 if __name__ == "__main__":
     parser = optparse.OptionParser()