From 1f3b31b4df8a7d4775602859633f38b34ae176ef Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Thu, 16 Apr 2020 02:18:06 +0200 Subject: [PATCH] Use ynh_secure_remove properly... --- scripts/_common.sh | 89 ------------------------------ scripts/_ynh_secure_remove.sh | 100 ++++++++++++++++++++++++++++++++++ scripts/upgrade | 16 +++--- 3 files changed, 109 insertions(+), 96 deletions(-) create mode 100644 scripts/_ynh_secure_remove.sh diff --git a/scripts/_common.sh b/scripts/_common.sh index 712aaec..87ad26e 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -131,92 +131,3 @@ ynh_remove_uwsgi_service () { ynh_secure_remove --file="/etc/systemd/system/uwsgi-app@$app.service.d" fi } - -#================================================= -# OTHER HELPERS -#================================================= - -# Remove a file or a directory securely -# -# usage: ynh_secure_remove --file=path_to_remove [--regex=regex to append to $file] [--non_recursive] [--dry_run] -# | arg: -f, --file - File or directory to remove -# | arg: -r, --regex - Regex to append to $file to filter the files to remove -# | arg: -n, --non_recursive - Perform a non recursive rm and a non recursive search with the regex -# | arg: -l, --dry_run - Do not remove, only list the files to remove -# -# Requires YunoHost version 2.6.4 or higher. -ynh_secure_remove () { - # Declare an array to define the options of this helper. - local legacy_args=frnl - declare -Ar args_array=( [f]=file= [r]=regex= [n]=non_recursive [l]=dry_run ) - local file - local regex - local dry_run - local non_recursive - # Manage arguments with getopts - ynh_handle_getopts_args "$@" - regex=${regex:-} - dry_run=${dry_run:-0} - non_recursive=${non_recursive:-0} - - local forbidden_path=" -/var/www \ -/home/yunohost.app" - - # Fail if no argument is provided to the helper. - if [ -z "$file" ] - then - ynh_print_warn --message="ynh_secure_remove called with no argument --file, ignoring." - return 0 - fi - - if [ -n "$regex" ] - then - if [ $non_recursive -eq 1 ]; then - local recursive="-maxdepth 1" - else - local recursive="" - fi - # Use find to list the files in $file and grep to filter with the regex - files_to_remove="$(find -P "$file" $recursive -name ".." -prune -o -print | grep --extended-regexp "$regex")" - else - files_to_remove="$file" - fi - - # Check each file before removing it - while read file_to_remove - do - if [ -n "$file_to_remove" ] - then - # Check all forbidden path before removing anything - # First match all paths or subpaths in $forbidden_path - if [[ "$forbidden_path" =~ "$file_to_remove" ]] || \ - # Match all first level paths from / (Like /var, /root, etc...) - [[ "$file_to_remove" =~ ^/[[:alnum:]]+$ ]] || \ - # Match if the path finishes by /. Because it seems there is an empty variable - [ "${file_to_remove:${#file_to_remove}-1}" = "/" ] - then - ynh_print_err --message="Not deleting '$file_to_remove' because this path is forbidden !!!" - - # If the file to remove exists - elif [ -e "$file_to_remove" ] - then - if [ $dry_run -eq 1 ] - then - echo "File to remove: $file_to_remove" - else - if [ $non_recursive -eq 1 ]; then - local recursive="" - else - local recursive="--recursive" - fi - - # Remove a file or a directory - rm --force $recursive "$file_to_remove" - fi - else - ynh_print_info --message="'$file_to_remove' wasn't deleted because it doesn't exist." - fi - fi - done <<< "$(echo "$files_to_remove")" -} diff --git a/scripts/_ynh_secure_remove.sh b/scripts/_ynh_secure_remove.sh new file mode 100644 index 0000000..9acaff7 --- /dev/null +++ b/scripts/_ynh_secure_remove.sh @@ -0,0 +1,100 @@ +#!/bin/bash + +#================================================= +# EXPERIMENTAL HELPERS +#================================================= + +# Remove a file or a directory securely +# +# usage: ynh_secure_remove --file=path_to_remove [--regex=regex to append to $file] [--non_recursive] [--dry_run] +# | arg: -f, --file - File or directory to remove +# | arg: -r, --regex - Regex to append to $file to filter the files to remove +# | arg: -n, --non_recursive - Perform a non recursive rm and a non recursive search with the regex +# | arg: -d, --dry_run - Do not remove, only list the files to remove +# +# Requires YunoHost version 2.6.4 or higher. +ynh_secure_remove () { + # Declare an array to define the options of this helper. + local legacy_args=frnd + declare -Ar args_array=( [f]=file= [r]=regex= [n]=non_recursive [d]=dry_run ) + local file + local regex + local dry_run + local non_recursive + # Manage arguments with getopts + ynh_handle_getopts_args "$@" + regex=${regex:-} + dry_run=${dry_run:-0} + non_recursive=${non_recursive:-0} + + local forbidden_path=" +/var/www \ +/home/yunohost.app" + + # Fail if no argument is provided to the helper. + if [ -z "$file" ] + then + ynh_print_warn --message="ynh_secure_remove called with no argument --file, ignoring." + return 0 + fi + + if [ -n "$regex" ] + then + if [ -e "$file" ] + then + if [ $non_recursive -eq 1 ]; then + local recursive="-maxdepth 1" + else + local recursive="" + fi + # Use find to list the files in $file and grep to filter with the regex + files_to_remove="$(find -P "$file" $recursive -name ".." -prune -o -print | grep --extended-regexp "$regex")" + else + ynh_print_info --message="'$file' wasn't deleted because it doesn't exist." + return 0 + fi + else + files_to_remove="$file" + fi + + # Check each file before removing it + while read file_to_remove + do + if [ -n "$file_to_remove" ] + then + # Check all forbidden path before removing anything + # First match all paths or subpaths in $forbidden_path + if [[ "$forbidden_path" =~ "$file_to_remove" ]] || \ + # Match all first level paths from / (Like /var, /root, etc...) + [[ "$file_to_remove" =~ ^/[[:alnum:]]+$ ]] || \ + # Match if the path finishes by /. Because it seems there is an empty variable + [ "${file_to_remove:${#file_to_remove}-1}" = "/" ] + then + ynh_print_err --message="Not deleting '$file_to_remove' because this path is forbidden !!!" + + # If the file to remove exists + elif [ -e "$file_to_remove" ] + then + if [ $dry_run -eq 1 ] + then + ynh_print_warn --message="File to remove: $file_to_remove" + else + if [ $non_recursive -eq 1 ]; then + local recursive="" + else + local recursive="--recursive" + fi + + # Remove a file or a directory + rm --force $recursive "$file_to_remove" + fi + else + # Ignore non existent files with regex, as we likely remove the parent directory before its content is listed. + if [ -z "$regex" ] + then + ynh_print_info --message="'$file_to_remove' wasn't deleted because it doesn't exist." + fi + fi + fi + done <<< "$(echo "$files_to_remove")" +} diff --git a/scripts/upgrade b/scripts/upgrade index 060a36f..ea5b370 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -6,8 +6,9 @@ # IMPORT GENERIC HELPERS #================================================= -source /usr/share/yunohost/helpers source _common.sh +source /usr/share/yunohost/helpers +source _ynh_secure_remove.sh #================================================= # LOAD SETTINGS @@ -124,13 +125,14 @@ ynh_system_user_create --username=$app ynh_script_progression --message="Upgrading Searx..." --weight=7 # Clean venv if it still on python2 -test -e $final_path/bin/python3 || ( - ynh_secure_remove --file=$final_path/lib/ --regex 'python[^/.]*' - ynh_secure_remove --file=$final_path/lib64/ --regex 'python[^/.]*' +if [ ! -e $final_path/bin/python3 ] +then + ynh_secure_remove --file=$final_path/lib/ --regex='python[^/.]*' + ynh_secure_remove --file=$final_path/lib64/ --regex='python[^/.]*' ynh_secure_remove --file=$final_path/share/python-wheels -) -ynh_secure_remove --file $final_path/lib/python2.7/site-packages/setuptools -ynh_secure_remove --file $final_path/lib/python2.7/site-packages/ --regex 'setuptools-[^/.]*' +fi +ynh_secure_remove --file=$final_path/lib/python3/site-packages/setuptools +ynh_secure_remove --file=$final_path/lib/python3/site-packages/ --regex='setuptools-[^/.]*' python3 -m venv --system-site-packages "$final_path" set +u; source $final_path/bin/activate; set -u pip3 install -U setuptools