From patchwork Mon May 18 14:59:08 2026
X-Patchwork-Submitter: Anders Heimer
X-Patchwork-Id: 88311
From: Anders Heimer
To: bitbake-devel@lists.openembedded.org
CC: Anders Heimer
Subject: [PATCH 1/2] fetch2: validate deb/ipk data member names
Date: Mon, 18 May 2026 16:59:08 +0200
Message-ID: <20260518145909.1132755-2-anders.heimer@est.tech>
In-Reply-To: <20260518145909.1132755-1-anders.heimer@est.tech>
References: <20260518145909.1132755-1-anders.heimer@est.tech>
X-Groupsio-URL: https://lists.openembedded.org/g/bitbake-devel/message/19540

The deb/ipk unpack path selects a data archive member from 'ar -t' output and then passes that member name to a shell command. Previously, any member beginning with data.tar. was selected.

Only select known deb/ipk data archive member names when datafile is created.

Quote the package path used in the shell command as it can come from the local fetch path.

Add local fetcher regression coverage for quoted package filenames, valid compressed data members, and unsupported or unsafe data member names.

Signed-off-by: Anders Heimer
---
 lib/bb/fetch2/__init__.py | 10 +++++---
 lib/bb/tests/fetch.py     | 53 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 60 insertions(+), 3 deletions(-)

diff --git a/lib/bb/fetch2/__init__.py b/lib/bb/fetch2/__init__.py index b6cb4c530..dc93e64a9 100644 --- a/lib/bb/fetch2/__init__.py +++ b/lib/bb/fetch2/__init__.py @@ -23,6 +23,7 @@ import collections import subprocess import pickle import errno +import shlex import bb.utils import bb.checksum import bb.process
@@ -1592,16 +1593,19 @@ class FetchMethod(object): elif file.endswith('.deb') or file.endswith('.ipk'): output = subprocess.check_output(['ar', '-t', file], preexec_fn=subprocess_setup) datafile = None + valid_datafiles = ('data.tar', 'data.tar.gz', 'data.tar.xz', + 'data.tar.zst', 'data.tar.bz2', 'data.tar.lzma') if output: for line in output.decode().splitlines(): - if line.startswith('data.tar.') or line == 'data.tar': + if line in valid_datafiles: datafile = line break else: - raise UnpackError("Unable to unpack deb/ipk package - does not contain data.tar* file", urldata.url) + raise UnpackError("Unable to unpack deb/ipk package - does not contain supported data.tar* file", urldata.url) else: raise UnpackError("Unable to unpack deb/ipk package - could not list contents", urldata.url) - cmd = 'ar x %s %s && %s -p -f %s && rm %s' % (file, datafile, tar_cmd, datafile, datafile) + quoted_datafile = shlex.quote(datafile) + cmd = 'ar x %s %s && %s -p -f %s && rm %s' % (shlex.quote(file), quoted_datafile, tar_cmd, quoted_datafile, quoted_datafile) # If 'subdir' param exists, create a dir and use it as destination for unpack cmd if 'subdir' in urldata.parm: diff --git a/lib/bb/tests/fetch.py b/lib/bb/tests/fetch.py index 969e5f876..bece59e62 100644 --- a/lib/bb/tests/fetch.py +++ b/lib/bb/tests/fetch.py @@ -16,6 +16,7 @@ import tempfile import collections import os import signal +import subprocess import tarfile from bb.fetch2 import URI import bb 
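Review bot: the quoting is applied only to the deb/ipk branch, while the sibling branches of the same if/elif chain keep interpolating `file` into `cmd` unquoted (the `.tar` branch, `cmd = '%s -f %s' % (tar_cmd, file)`, is visible as context in patch 2/2), so a local path with shell metacharacters still reaches the shell through those branches; apply `shlex.quote(file)` across the whole chain, or build `cmd` from a list and join it with `shlex.join` (Python 3.8 and later), rather than hardening one branch. Two smaller points: `valid_datafiles` deserves a comment saying where the list comes from (the data.tar compressors dpkg-deb and opkg can emit), so the next change does not widen it back to a prefix match, and since the match is now exact, the new error text "does not contain supported data.tar* file" could also report the member names that were seen, which makes a rejection of something like data.tar.xz;id diagnosable from the log.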
@@ -740,6 +741,34 @@ class FetcherLocalTest(FetcherTest): bb.process.run('tar cjf archive.tar.bz2 -C dir .', cwd=self.localsrcdir) self.d.setVar("FILESPATH", self.localsrcdir) + def make_ar_package(self, package_name, data_member="data.tar"): + if not shutil.which("ar"): + self.skipTest("ar not installed") + + workdir = tempfile.mkdtemp(dir=self.tempdir) + payload = os.path.join(workdir, "payload") + with open(payload, "w") as f: + f.write("payload\n") + + data_path = os.path.join(workdir, data_member) + mode = "w:gz" if data_member.endswith(".gz") else "w" + with tarfile.open(data_path, mode) as archive: + archive.add(payload, arcname="payload") + + with open(os.path.join(workdir, "debian-binary"), "w") as f: + f.write("2.0\n") + + control = os.path.join(workdir, "control") + with open(control, "w") as f: + f.write("Package: fetch-test\nVersion: 1\nArchitecture: all\n") + with tarfile.open(os.path.join(workdir, "control.tar"), "w") as archive: + archive.add(control, arcname="control") + + package_path = os.path.join(self.localsrcdir, package_name) + subprocess.check_call(["ar", "r", package_path, "debian-binary", "control.tar", data_member], + cwd=workdir, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) + return package_name + def fetchUnpack(self, uris): fetcher = bb.fetch.Fetch(uris, self.d) fetcher.download() 
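Review bot: `make_ar_package` calls `shutil.which`, but the import hunk for this file adds only `subprocess`, and `shutil` is not among the imports shown in that context; confirm it is already imported in lib/bb/tests/fetch.py, otherwise the helper fails with NameError before it can skip. Also, `mode = "w:gz" if data_member.endswith(".gz") else "w"` writes every non-.gz member as a plain tar under a compressed-looking name; tarfile can also produce `w:xz` and `w:bz2`, so a small suffix-to-mode map would let one parametrised test walk every entry of `valid_datafiles` that tarfile can generate instead of covering only data.tar and data.tar.gz.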
@@ -813,6 +842,30 @@ class FetcherLocalTest(FetcherTest): tree = self.fetchUnpack(['file://archive.tar.bz2;subdir=bar;striplevel=1']) self.assertEqual(tree, ['bar/c', 'bar/d', 'bar/subdir/e']) + def test_local_deb_quoted_filename(self): + package = self.make_ar_package("archive$(id).deb") + tree = self.fetchUnpack(['file://%s' % package]) + self.assertEqual(tree, ['payload']) + + def test_local_ipk_gz_data_member(self): + package = self.make_ar_package("archive.ipk", data_member="data.tar.gz") + tree = self.fetchUnpack(['file://%s' % package]) + self.assertEqual(tree, ['payload']) + + def test_local_deb_rejects_unknown_data_member_suffix(self): + package = self.make_ar_package("archive.deb", data_member="data.tar.foo") + with self.assertRaises(bb.fetch2.UnpackError) as context: + self.fetchUnpack(['file://%s' % package]) + + self.assertIn("does not contain supported data.tar* file", str(context.exception)) + + def test_local_deb_rejects_unsafe_data_member(self): + package = self.make_ar_package("archive.deb", data_member="data.tar.xz;id") + with self.assertRaises(bb.fetch2.UnpackError) as context: + self.fetchUnpack(['file://%s' % package]) + + self.assertIn("does not contain supported data.tar* file", str(context.exception)) + def dummyGitTest(self, suffix): # Create dummy local Git repo src_dir = tempfile.mkdtemp(dir=self.tempdir,
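Review bot: `test_local_deb_quoted_filename` exercises only `$(id)`; a single quote is the character `shlex.quote` handles specially (it closes and reopens the quoting with `'"'"'`), so a package name containing one, and one containing a space, would catch a regression that `$(id)` cannot, provided the `file://` URL parser passes such names through. In `test_local_deb_rejects_unsafe_data_member` the member data.tar.xz;id is rejected by the allow-list, not by the quoting, and the assertion on the error text cannot tell the two apart; a one-line comment saying that the allow-list is the control under test here, with the quoting covered by the filename test, would stop the next reader from taking it for a command-injection test.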
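The member selection and command construction that the commit message describes, as an added example that is not part of the patch or of BitBake's fetcher: a minimal in-memory ar writer and lister stand in for `ar r` and `ar -t`, the allow-list tuple and the `ar x ... && tar ... && rm ...` template follow the hunk above, and the hostile member name `data.tar.xz;id`, the package name `archive$(id).deb` and every function name are this example's own. `shell_words` tokenises the resulting command the way a POSIX shell would, so the difference between the unquoted and the quoted command is visible without executing anything.

```python
# Added example (not code from the patch or from BitBake): a self-contained
# model of the deb/ipk data-member selection and shell-command construction,
# with the pre-patch and post-patch rules side by side. The ar archive is
# constructed in memory so no `ar` binary is needed; the allow-list and the
# command template follow the patch, everything else (function names, the
# hostile member name, the package name) is this example's own.
import io
import shlex

AR_MAGIC = b"!<arch>\n"

# Data members a deb/ipk may carry, same tuple as the patched allow-list.
VALID_DATAFILES = ("data.tar", "data.tar.gz", "data.tar.xz",
                   "data.tar.zst", "data.tar.bz2", "data.tar.lzma")


def build_ar(members):
    """Write a minimal common-format ar archive from (name, payload) pairs.
    Names are limited to the 16-byte header field, which covers
    debian-binary, control.tar* and data.tar*."""
    out = io.BytesIO()
    out.write(AR_MAGIC)
    for name, payload in members:
        raw = name.encode()
        if len(raw) > 16:
            raise ValueError("member name too long for the ar header field")
        # name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2) = 60 bytes
        header = b"%-16s%-12s%-6s%-6s%-8s%-10s`\n" % (
            raw, b"0", b"0", b"0", b"100644", str(len(payload)).encode())
        out.write(header)
        out.write(payload)
        if len(payload) % 2:
            out.write(b"\n")  # members are padded to an even offset
    return out.getvalue()


def list_ar(blob):
    """The equivalent of `ar -t`: member names in archive order."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    names, pos = [], len(AR_MAGIC)
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError("corrupt ar member header at offset %d" % pos)
        name = header[:16].decode("ascii", "replace").rstrip(" ")
        if name.endswith("/"):       # GNU-style terminator; `ar -t` drops it too
            name = name[:-1]
        size = int(header[48:58].decode().strip())
        names.append(name)
        pos += 60 + size + (size % 2)
    return names


def select_datafile_prefix(names):
    """Pre-patch rule: first member starting with 'data.tar.' (or exactly 'data.tar')."""
    for name in names:
        if name.startswith("data.tar.") or name == "data.tar":
            return name
    return None


def select_datafile(names):
    """Patched rule: exact match against the allow-list; None means UnpackError upstream."""
    for name in names:
        if name in VALID_DATAFILES:
            return name
    return None


def unpack_command(package_path, datafile, quote=True):
    """The `ar x ... && tar ... && rm ...` pipeline from the fetcher.
    quote=False reproduces the old, unquoted interpolation."""
    q = shlex.quote if quote else (lambda s: s)
    tar_cmd = "tar --extract --no-same-owner"
    return "ar x %s %s && %s -p -f %s && rm %s" % (
        q(package_path), q(datafile), tar_cmd, q(datafile), q(datafile))


def shell_words(cmd):
    """Split roughly as a POSIX shell would: quotes respected, ; ( ) & | become separate words."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def demo():
    """Constructed hostile package: a data member whose name carries a shell separator."""
    package = build_ar([
        ("debian-binary", b"2.0\n"),
        ("control.tar", b"\0" * 512),
        ("data.tar.xz;id", b"\0" * 512),
    ])
    names = list_ar(package)
    before = select_datafile_prefix(names)   # 'data.tar.xz;id': would reach the shell
    after = select_datafile(names)           # None: unpack refused
    return names, before, after


if __name__ == "__main__":
    names, before, after = demo()
    print("members:", names, "prefix rule:", before, "allow-list:", after)
    print(shell_words(unpack_command("archive$(id).deb", before, quote=False)))
    print(shell_words(unpack_command("archive$(id).deb", before, quote=True)))
```

Running it prints the member list, the member each rule picks, and the two tokenisations: with the prefix rule and no quoting, `;` and `id` come out as separate shell words, so the shell would run `id`; with the allow-list the hostile member is never selected at all; and with `shlex.quote` the package name stays one word even though it contains `$(id)`.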
From patchwork Mon May 18 14:59:09 2026
X-Patchwork-Submitter: Anders Heimer
X-Patchwork-Id: 88310
From: Anders Heimer
To: bitbake-devel@lists.openembedded.org
CC: Anders Heimer
Subject: [PATCH 2/2] fetch2: validate striplevel parameter
Date: Mon, 18 May 2026 16:59:09 +0200
Message-ID: <20260518145909.1132755-3-anders.heimer@est.tech>
In-Reply-To: <20260518145909.1132755-1-anders.heimer@est.tech>
References: <20260518145909.1132755-1-anders.heimer@est.tech>
X-Groupsio-URL: https://lists.openembedded.org/g/bitbake-devel/message/19541

The striplevel URL parameter is appended to tar_cmd, which is later run through the shell. Validate it as a decimal count before using it in the tar arguments.

Signed-off-by: Anders Heimer
---
 lib/bb/fetch2/__init__.py |  5 ++++-
 lib/bb/tests/fetch.py     | 10 ++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/lib/bb/fetch2/__init__.py b/lib/bb/fetch2/__init__.py index dc93e64a9..77fc1b15b 100644 --- a/lib/bb/fetch2/__init__.py +++ b/lib/bb/fetch2/__init__.py @@ -1545,7 +1545,10 @@ class FetchMethod(object): if unpack: tar_cmd = 'tar --extract --no-same-owner' if 'striplevel' in urldata.parm: - tar_cmd += ' --strip-components=%s' % urldata.parm['striplevel'] + striplevel = urldata.parm['striplevel'] + if not striplevel.isdigit(): + raise UnpackError("Invalid striplevel parameter: %s" % striplevel, urldata.url) + tar_cmd += ' --strip-components=%s' % striplevel if file.endswith('.tar'): cmd = '%s -f %s' % (tar_cmd, file) elif file.endswith('.tgz') or file.endswith('.tar.gz') or file.endswith('.tar.Z'): diff --git a/lib/bb/tests/fetch.py b/lib/bb/tests/fetch.py index bece59e62..5850589e0 100644 --- a/lib/bb/tests/fetch.py +++ b/lib/bb/tests/fetch.py
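Review bot: `str.isdigit()` is wider than the "decimal count" the commit message promises: it is true for non-ASCII digits such as superscripts and Arabic-Indic numerals, some of which `int()` converts and some of which it rejects, and none of which tar's `--strip-components=` parses, so such a value passes the new check and still fails downstream. Restrict the check to ASCII digits, for example `if not (striplevel.isascii() and striplevel.isdigit()):` or `re.fullmatch(r'[0-9]+', striplevel)`, or convert with `int()` inside `try`/`except ValueError` and interpolate the converted integer with `--strip-components=%d`, which normalises whatever digits were supplied before they reach the shell string. The error message also echoes the raw value unescaped into the log; since the value has just failed validation, `%r` is the safer format.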
@@ -866,6 +866,16 @@ class FetcherLocalTest(FetcherTest): self.assertIn("does not contain supported data.tar* file", str(context.exception)) + def assertInvalidStriplevel(self, value): + with self.assertRaises(bb.fetch2.UnpackError) as context: + self.fetchUnpack(['file://archive.tar;subdir=bar;striplevel=%s' % value]) + self.assertIn("Invalid striplevel parameter", str(context.exception)) + + def test_local_striplevel_rejects_invalid_values(self): + for value in ("abc", "", "-1", "1\n", "1 2"): + with self.subTest(striplevel=repr(value)): + self.assertInvalidStriplevel(value) + def dummyGitTest(self, suffix): # Create dummy local Git repo src_dir = tempfile.mkdtemp(dir=self.tempdir,
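Review bot: the rejection cases have no accepted-value neighbour beyond the existing `striplevel=1` test further up, so add "0" and a multi-digit value such as "10" to a positive case to make sure the check is not later tightened to a single digit by accident; and if the check becomes ASCII-only, add a non-ASCII digit such as "\u0663" to the rejected tuple, since `isdigit()` as written lets it through. The `subdir=bar` parameter in `assertInvalidStriplevel` plays no part in what is being tested and could be dropped to keep the failing URL minimal.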
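The striplevel check, as an added example that is not part of the patch or of BitBake: it takes the accepted and rejected values from the test hunk and adds two Unicode digits to show where `str.isdigit()` and "ASCII decimal count" part ways. `UnpackError` stands in for bb.fetch2.UnpackError, `validate_striplevel`, `tar_argv` and `samples` are this example's own names, and the argument-vector form of the tar command is this example's design choice, not the fetcher's, which builds a shell string.

```python
# Added example (not BitBake code): validating a striplevel-style count before
# it is placed on a tar command line, and why str.isdigit() alone is not the
# same thing as "ASCII decimal digits". UnpackError is a stand-in for
# bb.fetch2.UnpackError; the function names are this example's own.
import re

ASCII_DIGITS = re.compile(r"[0-9]+")   # \d would also match Unicode digits


class UnpackError(Exception):
    pass


def isdigit_accepts(value):
    """What the patch checks: str.isdigit(), which is True for any Unicode digit."""
    return value.isdigit()


def validate_striplevel(value):
    """Return the count as an int; accept ASCII decimal digits only."""
    if not isinstance(value, str) or not ASCII_DIGITS.fullmatch(value):
        raise UnpackError("Invalid striplevel parameter: %r" % (value,))
    return int(value)


def tar_argv(archive, striplevel=None):
    """Build tar's argument vector with the validated count; no shell, so no quoting needed."""
    argv = ["tar", "--extract", "--no-same-owner"]
    if striplevel is not None:
        argv.append("--strip-components=%d" % validate_striplevel(striplevel))
    argv += ["-f", archive]
    return argv


def samples():
    """The test hunk's values plus two Unicode digits (constructed):
    returns {value: (isdigit_result, validated_int_or_None)}."""
    out = {}
    for value in ("1", "10", "abc", "", "-1", "1\n", "1 2", "\u00b2", "\u0663"):
        try:
            validated = validate_striplevel(value)
        except UnpackError:
            validated = None
        out[value] = (isdigit_accepts(value), validated)
    return out


if __name__ == "__main__":
    for value, (digit, ok) in samples().items():
        print("%-8r isdigit=%-5s validated=%s" % (value, digit, ok))
    print(tar_argv("archive.tar", "1"))
```

The two Unicode rows are the point: superscript two and Arabic-Indic three both satisfy `isdigit()`, yet neither is something tar will accept as a component count, while the ASCII-only pattern rejects both along with every value the test hunk lists. Passing the converted integer into an argument vector removes the shell from the path entirely, so the question of what characters are safe to interpolate does not arise for this parameter.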