From fdf9798024a2c7f6c6cfc4199434376d0bcc3f7f Mon Sep 17 00:00:00 2001
From: Bartek Grzybowski
Date: Mon, 18 Mar 2019 16:09:51 +0100
Subject: Sanitize input arguments validation

This patch ensures non-positional parameters are given past positional args. So far mixing them led to malicious script behaviour.

Change-Id: Idf2b6a57d0cd8561e74e467f68ddc5d086e7a0c0
Issue-ID: OOM-1621
Signed-off-by: Bartek Grzybowski
---
 build/package.sh | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

(limited to 'build')

diff --git a/build/package.sh b/build/package.sh
index c527db2e..a3c1ded2 100755
--- a/build/package.sh
+++ b/build/package.sh
@@ -31,6 +31,12 @@ crash () {
 exit "${exit_code}"
 }
+crash_arguments () {
+ echo "Missing some mandatory arguments!"
+ usage
+ exit 1
+}
+
 usage () {
 echo "Usage:"
 echo " ./$(basename $0) [--conf ] [--force]"
@@ -200,16 +206,21 @@ APPLICATION_FILES_IN_PACKAGE="ansible/application"
 # adjusted accordingly.
 HELM_CHARTS_DIR_IN_PACKAGE="${APPLICATION_FILES_IN_PACKAGE}/helm_charts"
-if [ "$#" -lt 3 ]; then
- echo "Missing some mandatory arguments!"
- usage
- exit 1
+if [ $# -eq 0 ]; then
+ crash_arguments
 fi
 CONF_FILE=""
 FORCE_REMOVE=0
+arg_ind=0
 for arg in "$@"; do
 shift
+ ((arg_ind+=1))
+ if [[ ${arg} =~ ^[-]{1,2}[a-zA-Z-]+$ && ${arg_ind} -lt 4 ]]; then
+ echo "Non-positional parameters should follow mandatory arguments!"
+ usage
+ exit 1
+ fi
 case "$arg" in
 -c|--conf)
 CONF_FILE="$1" ;;
@@ -217,6 +228,9 @@ for arg in "$@"; do
 FORCE_REMOVE=1 ;;
 *)
 set -- "$@" "$arg"
+ if [ "$#" -lt 3 ]; then
+ crash_arguments
+ fi
 ;;
 esac
 done
--
cgit 1.2.3-korg
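Review bot: `crash_arguments` (hunk `@@ -31,6 +31,12 @@`) prints its diagnostic with a plain `echo`, so the error goes to stdout and gets mixed into captured output when the script runs inside a pipeline or CI job; `echo "Missing some mandatory arguments!" >&2` keeps it on stderr. The same applies to the `echo "Non-positional parameters should follow mandatory arguments!"` added in the `@@ -200,16 +206,21 @@` hunk. A one-line comment above the helper, e.g. `# Report missing mandatory arguments, print usage and exit 1.`, would also say why it exists next to `crash`.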
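Review bot: The ordering check added in the `for` loop (hunk `@@ -200,16 +206,21 @@`) only recognises tokens made of letters and dashes, so within the first three slots a token such as `--conf=x` or `-1` does not match `^[-]{1,2}[a-zA-Z-]+$` and falls through to the `*)` arm, where it is counted as a mandatory positional. Past the third slot any unrecognised dash-token (a mistyped `--froce`, say) is likewise accepted as an extra positional instead of being rejected. Matching on the leading dash alone, `if [[ ${arg} == -* && ${arg_ind} -lt 4 ]]; then`, and adding a `-*)` arm before `*)` that prints usage and exits would close both gaps. The literal `4` also hard-codes the number of mandatory arguments; a named constant would keep it in step with `usage`. The loop body continues past the end of this hunk.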
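Review bot: The `$#` test added in the `*)` arm (hunk `@@ -217,6 +228,9 @@`) also counts the value that follows `--conf`, because the `-c|--conf)` arm in the previous hunk reads `$1` without consuming it and the `for` list was expanded before any `shift`; on the next pass that value reaches `*)` and is re-appended as an extra positional. When `--conf` is the last token, `CONF_FILE="$1"` instead picks up the first mandatory argument, which the rotation has already moved to the front. Whether a stray fourth positional is harmful depends on code outside this patch, but a silently mis-assigned config path is worth rejecting in a commit that tightens validation. The sketch below skips the value on the following pass and treats a trailing `--conf` as a missing argument; the loop starts in the previous hunk.

```shell
arg_total=$#
skip_next=0
for arg in "$@"; do
    shift
    ((arg_ind+=1))
    if [ "${skip_next}" -eq 1 ]; then
        # This token is the value already stored in CONF_FILE; drop it.
        skip_next=0
        continue
    fi
    # … unchanged: ordering check on the first three tokens …
    case "$arg" in
        -c|--conf)
            # A trailing --conf has no value to take.
            if [ "${arg_ind}" -ge "${arg_total}" ]; then
                crash_arguments
            fi
            CONF_FILE="$1"
            skip_next=1
            ;;
        # … unchanged: remaining arms, including the *) count check …
```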