PR#4444: additional validation for sigkey value
Merges #4444 https://pagure.io/koji/pull-request/4444 Fixes: #4443 https://pagure.io/koji/issue/4443 Don't allow slash in sigkey value
commit
fb3fd87966
2 changed files with 30 additions and 7 deletions
|
|
@ -8273,7 +8273,7 @@ def add_rpm_sig(an_rpm, sighdr, sigkey=None):
|
||||||
if not os.path.isdir(builddir):
|
if not os.path.isdir(builddir):
|
||||||
raise koji.GenericError("No such directory: %s" % builddir)
|
raise koji.GenericError("No such directory: %s" % builddir)
|
||||||
if sigkey is not None:
|
if sigkey is not None:
|
||||||
verify_name_internal(sigkey)
|
validate_sigkey_value(sigkey)
|
||||||
|
|
||||||
# verify sigmd5 matches rpm and pick sigkey if needed
|
# verify sigmd5 matches rpm and pick sigkey if needed
|
||||||
rawhdr = koji.RawHeader(sighdr)
|
rawhdr = koji.RawHeader(sighdr)
|
||||||
|
|
@ -8324,10 +8324,25 @@ def add_rpm_sig(an_rpm, sighdr, sigkey=None):
|
||||||
sigkey=sigkey, sighash=sighash, build=binfo, rpm=rinfo)
|
sigkey=sigkey, sighash=sighash, build=binfo, rpm=rinfo)
|
||||||
|
|
||||||
|
|
||||||
|
def validate_sigkey_value(sigkey):
|
||||||
|
convert_value(sigkey, cast=str, check_only=True)
|
||||||
|
if sigkey == '':
|
||||||
|
# special case for the unsigned sig header
|
||||||
|
return
|
||||||
|
if '/' in sigkey or sigkey.startswith('.'):
|
||||||
|
# not allowed because the value is used in a path
|
||||||
|
raise koji.GenericError("Invalid sigkey value")
|
||||||
|
if sigkey != sigkey.lower():
|
||||||
|
# we require lowercase because koji has historically forced lowercase for this value
|
||||||
|
# e.g. in query_rpm_sigs
|
||||||
|
raise koji.GenericError("Invalid sigkey value. Must be lowercase")
|
||||||
|
verify_name_internal(sigkey)
|
||||||
|
|
||||||
|
|
||||||
def rename_rpm_sig(rpminfo, oldkey, newkey):
|
def rename_rpm_sig(rpminfo, oldkey, newkey):
|
||||||
"""Change the sigkey for an rpm signature"""
|
"""Change the sigkey for an rpm signature"""
|
||||||
|
|
||||||
verify_name_internal(newkey)
|
validate_sigkey_value(newkey)
|
||||||
rinfo = get_rpm(rpminfo, strict=True)
|
rinfo = get_rpm(rpminfo, strict=True)
|
||||||
nvra = "%(name)s-%(version)s-%(release)s.%(arch)s" % rinfo
|
nvra = "%(name)s-%(version)s-%(release)s.%(arch)s" % rinfo
|
||||||
if rinfo['external_repo_id']:
|
if rinfo['external_repo_id']:
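Review bot: validate_sigkey_value has no docstring, although both add_rpm_sig and rename_rpm_sig now call it and its own comment says the value is used in a path. A one-line contract would do, for example `"""Raise GenericError unless sigkey is '' (unsigned) or a lowercase name with no '/' and no leading '.'; the value becomes a path component."""`. Every character other than `/` and a leading dot is left to verify_name_internal, which is defined outside this hunk, so it is worth confirming that its pattern cannot be loosened by configuration to admit something path-significant. In add_rpm_sig the validator runs only when `sigkey is not None`. The key picked from the header further down is outside the hunk and, as far as these lines show, is not passed through validate_sigkey_value.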
|
||||||
|
|
|
||||||
|
|
@ -146,15 +146,23 @@ class TestAddRPMSig(unittest.TestCase):
|
||||||
def test_add_rpm_sig_bad_sigkey(self):
|
def test_add_rpm_sig_bad_sigkey(self):
|
||||||
"""bad sigkey failure case"""
|
"""bad sigkey failure case"""
|
||||||
sighdr = 'SIG HEADER 99'
|
sighdr = 'SIG HEADER 99'
|
||||||
self.isdir.side_effect = [True]
|
self.isdir.return_value = True
|
||||||
self.get_rpm.side_effect = [{'build_id': 100, 'external_repo_id': None}]
|
self.get_rpm.return_value = {'build_id': 100, 'external_repo_id': None}
|
||||||
|
|
||||||
|
badkeys = [
|
||||||
|
'white space',
|
||||||
|
'badchar!',
|
||||||
|
'.hidden',
|
||||||
|
'sub/dir',
|
||||||
|
'hasUPPERcase',
|
||||||
|
]
|
||||||
|
for sigkey in badkeys:
|
||||||
with self.assertRaises(koji.GenericError):
|
with self.assertRaises(koji.GenericError):
|
||||||
kojihub.add_rpm_sig(1, sighdr, sigkey='foo/bar !')
|
kojihub.add_rpm_sig(1, sighdr, sigkey=sigkey)
|
||||||
|
|
||||||
self.assertEqual(len(self.inserts), 0)
|
self.assertEqual(len(self.inserts), 0)
|
||||||
self.open.assert_not_called()
|
self.open.assert_not_called()
|
||||||
self.isdir.assert_called_once()
|
self.isdir.assert_called()
|
||||||
|
|
||||||
|
|
||||||
class TestScanHeaderOnly(unittest.TestCase):
|
class TestScanHeaderOnly(unittest.TestCase):
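Review bot: The loop over `badkeys` in test_add_rpm_sig_bad_sigkey does not report which key failed to raise, and the first failure stops the remaining keys from being exercised. Wrapping the loop body in `with self.subTest(sigkey=sigkey):` would report each rejected value separately. The list covers rejections only, so the `sigkey == ''` early return in validate_sigkey_value has no test in the lines shown here (one may exist elsewhere in the file). A case asserting that the empty key is accepted would pin that special case. The rendered page has lost indentation, so it is unclear whether the assertions after the `assertRaises` call sit inside the loop; the relaxed `self.isdir.assert_called()` only makes sense if they run after it.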
|
||||||
|
|
|
||||||