From 23f540ec07386d2b12f298c32fd03081e0d2705c Mon Sep 17 00:00:00 2001 From: liang chenye Date: Wed, 18 May 2016 17:13:16 +0800 Subject: [PATCH 1/2] fix #67: verify if config is encoded in utf8 Signed-off-by: liang chenye --- validate.go | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/validate.go b/validate.go index f5a795958..f578623b6 100644 --- a/validate.go +++ b/validate.go @@ -3,11 +3,13 @@ package main import ( "encoding/json" "fmt" + "io/ioutil" "os" "path" "reflect" "regexp" "strings" + "unicode/utf8" "github.com/Sirupsen/logrus" "github.com/codegangsta/cli" @@ -53,15 +55,15 @@ var bundleValidateCommand = cli.Command{ logrus.Fatal(err) } - sf, err := os.Open(path.Join(inputPath, "config.json")) + content, err := ioutil.ReadFile(path.Join(inputPath, "config.json")) if err != nil { logrus.Fatal(err) } - - defer sf.Close() - + if !utf8.Valid(content) { + logrus.Fatalf("'Config.json' is not encoded in UTF-8") + } var spec rspec.Spec - if err = json.NewDecoder(sf).Decode(&spec); err != nil { + if err = json.Unmarshal(content, &spec); err != nil { logrus.Fatal(err) } From 01c8d1dc8b8ca0e8d7e485388837307223a177a4 Mon Sep 17 00:00:00 2001 From: liang chenye Date: Wed, 18 May 2016 19:28:12 +0800 Subject: [PATCH 2/2] verify if cwd is an absolute path and env is valid Signed-off-by: liang chenye --- validate.go | 63 +++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 44 insertions(+), 19 deletions(-) diff --git a/validate.go b/validate.go index f578623b6..df46e3e1c 100644 --- a/validate.go +++ b/validate.go @@ -9,6 +9,7 @@ import ( "reflect" "regexp" "strings" + "unicode" "unicode/utf8" "github.com/Sirupsen/logrus" 
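Review bot: In the `@@ -53,15 +55,15 @@` hunk of PATCH 1/2, `ioutil.ReadFile` buffers all of config.json with no size limit and without checking that the path is a regular file. A bundle from an untrusted source can therefore make the validator read an arbitrarily large or special file before any check runs. I would open the file, require `f.Stat()` to report a regular file, and read it with `content, err := ioutil.ReadAll(io.LimitReader(f, maxConfigSize+1))`, rejecting anything longer than the limit (`maxConfigSize` is a placeholder name, not something in this file). The same read is carried into the `@@ -55,12 +56,13 @@` hunk of PATCH 2/2. The UTF-8 check also deserves a comment such as `// encoding/json replaces invalid UTF-8 in strings with U+FFFD instead of failing, so reject it before decoding`. The enclosing command action starts and ends outside the hunk.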
@@ -55,12 +56,13 @@ var bundleValidateCommand = cli.Command{ logrus.Fatal(err) } - content, err := ioutil.ReadFile(path.Join(inputPath, "config.json")) + configPath := path.Join(inputPath, "config.json") + content, err := ioutil.ReadFile(configPath) if err != nil { logrus.Fatal(err) } if !utf8.Valid(content) { - logrus.Fatalf("'Config.json' is not encoded in UTF-8") + logrus.Fatalf("%q is not encoded in UTF-8", configPath) } var spec rspec.Spec if err = json.Unmarshal(content, &spec); err != nil { @@ -69,9 +71,9 @@ var bundleValidateCommand = cli.Command{ rootfsPath := path.Join(inputPath, spec.Root.Path) if fi, err := os.Stat(rootfsPath); err != nil { - logrus.Fatalf("Cannot find the rootfs: %v", rootfsPath) + logrus.Fatalf("Cannot find the root path %q", rootfsPath) } else if !fi.IsDir() { - logrus.Fatalf("Rootfs: %v is not a directory.", spec.Root.Path) + logrus.Fatalf("root path %q is not a directory.", spec.Root.Path) } bundleValidate(spec, rootfsPath) @@ -91,17 +93,17 @@ func bundleValidate(spec rspec.Spec, rootfs string) { func checkSemVer(version string) { re, _ := regexp.Compile("^(\\d+)?\\.(\\d+)?\\.(\\d+)?$") if ok := re.Match([]byte(version)); !ok { - logrus.Fatalf("%s is not a valid version format, please read 'SemVer v2.0.0'", version) + logrus.Fatalf("%q is not a valid version format, please read 'SemVer v2.0.0'", version) } } func checkMounts(mounts []rspec.Mount, rootfs string) { for _, mount := range mounts { - rootfsPath := path.Join(rootfs, mount.Destination) - if fi, err := os.Stat(rootfsPath); err != nil { - logrus.Fatalf("Cannot find the mount point: %v", rootfsPath) + destPath := path.Join(rootfs, mount.Destination) + if fi, err := os.Stat(destPath); err != nil { + logrus.Fatalf("Cannot find the mount destination %q", destPath) } else if !fi.IsDir() { - logrus.Fatalf("Mount point: %v is not a directory.", rootfsPath) + logrus.Fatalf("Mount destination %q is not a directory.", destPath) } } } 
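Review bot: In the `@@ -69,9 +71,9 @@` hunk the reworded "Cannot find the root path" message still discards the `os.Stat` error, so a permission or I/O failure is reported as a missing directory. Something like `logrus.Fatalf("Cannot stat the root path %q: %v", rootfsPath, err)` keeps the cause visible. The two branches also print different values, `rootfsPath` in the first and `spec.Root.Path` in the second, which makes the output harder to correlate; I would use `rootfsPath` in both. checkMounts in the next hunk drops the Stat error in the same way.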
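Review bot: In checkMounts (`@@ -91,17 +93,17 @@`), `destPath := path.Join(rootfs, mount.Destination)` is cleaned lexically, so a destination containing `..` resolves outside `rootfs`. `os.Stat` then probes a host path rather than a path inside the bundle. A containment check after the join would close that, for example `if !strings.HasPrefix(destPath, path.Clean(rootfs)+"/") { logrus.Fatalf("mount destination %q escapes the root path", mount.Destination) }`. Because `os.Stat` follows symlinks, a symlink inside the rootfs is presumably also resolved against the host filesystem; that is worth stating in a comment or handling separately.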
@@ -124,23 +126,33 @@ func checkPlatform(platform rspec.Platform) { return } } - logrus.Fatalf("Combination of '%s' and '%s' is invalid.", platform.OS, platform.Arch) + logrus.Fatalf("Combination of %q and %q is invalid.", platform.OS, platform.Arch) } } - logrus.Fatalf("Operation system '%s' of the bundle is not supported yet.", platform.OS) + logrus.Fatalf("Operation system %q of the bundle is not supported yet.", platform.OS) } func checkProcess(process rspec.Process, rootfs string) { + if !path.IsAbs(process.Cwd) { + logrus.Fatalf("cwd %q is not an absolute path", process.Cwd) + } + + for _, env := range process.Env { + if !envValid(env) { + logrus.Fatalf("env %q should be in the form of 'key=value'. The left hand side must consist solely of letters, digits, and underscores '_'.", env) + } + } + for index := 0; index < len(process.Capabilities); index++ { capability := process.Capabilities[index] if !capValid(capability) { - logrus.Fatalf("%s is not valid, man capabilities(7)", process.Capabilities[index]) + logrus.Fatalf("capability %q is not valid, man capabilities(7)", process.Capabilities[index]) } } for index := 0; index < len(process.Rlimits); index++ { if !rlimitValid(process.Rlimits[index].Type) { - logrus.Fatalf("Rlimit %v is invalid.", process.Rlimits[index]) + logrus.Fatalf("rlimit type %q is invalid.", process.Rlimits[index].Type) } } @@ -164,13 +176,13 @@ func checkLinux(spec rspec.Linux, rootfs string) { for index := 0; index < len(spec.Namespaces); index++ { if !namespaceValid(spec.Namespaces[index]) { - logrus.Fatalf("Namespace %s is invalid.", spec.Namespaces[index]) + logrus.Fatalf("namespace %v is invalid.", spec.Namespaces[index]) } } for index := 0; index < len(spec.Devices); index++ { if !deviceValid(spec.Devices[index]) { - logrus.Fatalf("Device %s is invalid.", spec.Devices[index].Path) + logrus.Fatalf("device %v is invalid.", spec.Devices[index]) } } 
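Review bot: Two wording and style points on lines the `@@ -124,23 +126,33 @@` hunk rewrites. The checkPlatform message still reads "Operation system"; it should be `"Operating system %q of the bundle is not supported yet."`. In checkProcess the capability message indexes `process.Capabilities[index]` again although the local `capability` already holds that value, so `logrus.Fatalf("capability %q is not valid, man capabilities(7)", capability)` reads more directly. checkProcess continues past the end of the hunk.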
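Review bot: The namespace and device messages in `@@ -164,13 +176,13 @@` switch to `%v` on the whole element, while the rest of this patch moves to `%q`. String fields taken from config.json are therefore written to the log unescaped here, control characters and newlines included, and, assuming these are structs, without field names. Printing the identifying field quoted keeps the output consistent and safe to read in a terminal, e.g. `logrus.Fatalf("device %q is invalid.", spec.Devices[index].Path)`, which also keeps the field the old message used. The `syscall %v` message in the `@@ -187,17 +199,17 @@` hunk has the same issue. checkLinux starts and ends outside the hunk.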
@@ -187,17 +199,17 @@ func checkLinux(spec rspec.Linux, rootfs string) { case "shared": case "rshared": default: - logrus.Fatalf("rootfs-propagation must be empty or one of private|rprivate|slave|rslave|shared|rshared") + logrus.Fatalf("rootfsPropagation must be empty or one of \"private|rprivate|slave|rslave|shared|rshared\"") } } func checkSeccomp(s rspec.Seccomp) { if !seccompActionValid(s.DefaultAction) { - logrus.Fatalf("Seccomp.DefaultAction is invalid.") + logrus.Fatalf("seccomp defaultAction %q is invalid.", s.DefaultAction) } for index := 0; index < len(s.Syscalls); index++ { if !syscallValid(s.Syscalls[index]) { - logrus.Fatalf("Syscall action is invalid.") + logrus.Fatalf("syscall %v is invalid.", s.Syscalls[index]) } } for index := 0; index < len(s.Architectures); index++ { @@ -214,9 +226,22 @@ func checkSeccomp(s rspec.Seccomp) { case rspec.ArchMIPSEL64: case rspec.ArchMIPSEL64N32: default: - logrus.Fatalf("Seccomp.Architecture [%s] is invalid", s.Architectures[index]) + logrus.Fatalf("seccomp architecture %q is invalid", s.Architectures[index]) + } + } +} + +func envValid(env string) bool { + items := strings.Split(env, "=") + if len(items) < 2 { + return false + } + for _, ch := range strings.TrimSpace(items[0]) { + if !unicode.IsDigit(ch) && !unicode.IsLetter(ch) && ch != '_' { + return false } } + return true } func capValid(capability string) bool {
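Review bot: The new envValid in `@@ -214,9 +226,22 @@` accepts entries with an empty name such as `=value`, because the loop over `items[0]` never runs. `strings.TrimSpace` also lets a name with leading or trailing whitespace pass, although the error text in checkProcess says the name must consist solely of letters, digits and underscores. `unicode.IsLetter` and `unicode.IsDigit` admit non-ASCII characters and a leading digit as well; if the intent is POSIX-style names, that is broader than wanted. The rewrite below rejects these cases without allocating a split slice. If it is adopted, the `unicode` import added by this patch becomes unused and has to be dropped. envValid lies entirely inside the hunk.

```go
func envValid(env string) bool {
	eq := strings.IndexByte(env, '=')
	if eq <= 0 {
		// no '=' at all, or an empty name such as "=value"
		return false
	}
	for i, ch := range env[:eq] {
		switch {
		case ch == '_', 'a' <= ch && ch <= 'z', 'A' <= ch && ch <= 'Z':
		case '0' <= ch && ch <= '9' && i > 0:
			// digits are allowed anywhere except the first position
		default:
			return false
		}
	}
	return true
}
```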