[0/2] fetch2: harden deb/ipk unpack command argument

Message ID 20260518145909.1132755-1-anders.heimer@est.tech

Anders Heimer May 18, 2026, 2:59 p.m. UTC
Hi,

  This series hardens fetch2 unpack handling in two small, separate steps.

  The first patch fixes deb/ipk unpack handling by selecting the data archive
  member only from the set of supported data member names. This avoids passing
  unsupported ar member names through to the shell command. It also quotes the
  package path used by the deb/ipk unpack command.

  The second patch is separate hardening for the striplevel parameter,
  which is appended to tar arguments before the unpack command is run. It
  validates striplevel as a decimal component count before using it.

  Regression coverage is added to FetcherLocalTest for supported deb/ipk data
  members, unsupported data member names, quoted package filenames, and invalid
  striplevel values.

  Tests run:
      BB_SKIP_NETTESTS=yes bin/bitbake-selftest bb.tests.fetch.FetcherLocalTest


Anders Heimer (2):
  fetch2: validate deb/ipk data member names
  fetch2: validate striplevel parameter

 lib/bb/fetch2/__init__.py | 15 +++++++---
 lib/bb/tests/fetch.py     | 63 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+), 4 deletions(-)
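As an added illustration of the two checks this cover letter describes (an allowlist for the deb/ipk data member, shell quoting of the package path, and a decimal-only striplevel), not the series' own code: the allowlist contents, function names and command shape below are assumptions for the example.

```python
import re
import shlex

# Data archive members a deb/ipk unpacker is willing to extract.
# Constructed allowlist for this illustration; the fetcher's real set may differ.
SUPPORTED_DATA_MEMBERS = (
    "data.tar", "data.tar.gz", "data.tar.xz", "data.tar.bz2", "data.tar.zst",
)


def select_data_member(ar_members):
    """Pick the data member from an `ar t` listing, accepting only known names.

    Anything else in the listing (including attacker-chosen member names) is
    never forwarded to the shell; it is simply ignored or rejected here.
    """
    found = [m for m in ar_members if m in SUPPORTED_DATA_MEMBERS]
    if len(found) != 1:
        raise ValueError("expected exactly one supported data member, got %r" % (found,))
    return found[0]


def validate_striplevel(value):
    """Accept striplevel only as a non-negative decimal component count."""
    text = str(value)
    if not re.fullmatch(r"[0-9]+", text):
        raise ValueError("invalid striplevel %r" % (value,))
    return int(text)


def build_unpack_command(pkg_path, ar_members, striplevel=None):
    """Assemble the unpack pipeline with every untrusted piece checked or quoted."""
    member = select_data_member(ar_members)
    cmd = "ar -p %s %s | tar --no-same-owner -xf -" % (shlex.quote(pkg_path), shlex.quote(member))
    if striplevel is not None:
        cmd += " --strip-components=%d" % validate_striplevel(striplevel)
    return cmd


def rejects(fn, *args):
    """True if fn(*args) raises ValueError; handy for checking the negative cases."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```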