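-- Copyright (C) 2006 Tommy Pettersson <ptp@lysator.liu.se>
--
-- This program is free software; you can redistribute it and/or modify
-- it under the terms of the GNU General Public License as published by
-- the Free Software Foundation; either version 2, or (at your option)
-- any later version.
--
-- This program is distributed in the hope that it will be useful,
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- GNU General Public License for more details.
--
-- You should have received a copy of the GNU General Public License
-- along with this program; see the file COPYING. If not, write to
-- the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-- Boston, MA 02110-1301, USA.

{-# LANGUAGE CPP #-}

#include "gadts.h"

module Darcs.CommandsAux ( checkPaths, maliciousPatches, hasMaliciousPath,
                           isMaliciousPath, isMaliciousSubPath,
                         ) where
import Darcs.Flags ( DarcsFlag( RestrictPaths, DontRestrictPaths ) )
import Darcs.Patch ( Patchy, listTouchedFiles )
import Darcs.Witnesses.Ordered ( FL, mapFL )
import Darcs.Witnesses.Sealed ( Sealed2(..), unseal2 )
import Darcs.Global ( darcsdir )
import Data.List ( intersect )
import System.FilePath ( splitDirectories, isRelative )

-- * File paths
{-
  Darcs will operate on files and directories with the invoking user's
  privileges. The paths for these files and directories are stored in
  patches, which darcs receives in various ways. Even though darcs will not
  create patches with "unexpected" file paths, there are no such guarantees
  for received patches. A spoofed patch could inflict changes on any file
  or directory which the invoking user is privileged to modify.

  There is no one single "apply" function that can check paths, so each
  command is responsible for not applying patches without first checking
  them with one of these functions when appropriate.
-}

{- |
  A convenience function to call from all darcs command functions before
  applying any patches. It collects the malicious paths touched by the given
  patches and, if there are any, fails (via 'fail' in 'IO') with a message
  that lists them.

  The check is on by default. It is skipped only when 'DontRestrictPaths'
  is among the flags and 'RestrictPaths' is not; when both flags are
  present the check still runs.

  The listed paths come from the patch and are therefore untrusted, so each
  one is rendered with 'show' before it goes into the message. That keeps
  control characters (for example terminal escape sequences) from reaching
  the user's terminal verbatim; they appear as Haskell escapes instead.
-}
checkPaths :: Patchy p => [DarcsFlag] -> FL p C(x y) -> IO ()
checkPaths opts patches
  | check_is_on && not (null bad_paths) =
      fail $ unlines $ ["Malicious path in patch:"] ++
                       map render bad_paths ++
                       ["", "If you are sure this is ok then you can run again with the --dont-restrict-paths option."]
      -- TODO: print patch(es)
  | otherwise = return ()
 where
  -- Lazy: only forced when the check is on, and 'null' stops at the
  -- first offending path.
  bad_paths = concat $ mapFL maliciousPaths patches
  -- 'show' quotes the path and escapes non-printable characters.
  render s = " " ++ show s
  check_is_on = DontRestrictPaths `notElem` opts ||
                RestrictPaths `elem` opts

-- | Select the patches that touch at least one malicious file path.
-- The result is the list of offending patches, not the safe remainder.
maliciousPatches :: Patchy p => [Sealed2 p] -> [Sealed2 p]
maliciousPatches to_check = filter (unseal2 hasMaliciousPath) to_check

-- | True when the patch touches at least one path that 'isMaliciousPath'
-- rejects.
hasMaliciousPath :: Patchy p => p C(x y) -> Bool
hasMaliciousPath patch = not . null $ maliciousPaths patch

-- | The paths reported by 'listTouchedFiles' for this patch that
-- 'isMaliciousPath' rejects.
maliciousPaths :: Patchy p => p C(x y) -> [String]
maliciousPaths patch = filter isMaliciousPath (listTouchedFiles patch)

{-|
  What is a malicious path?

  A spoofed path is a malicious path.

  1. Darcs only creates explicitly relative paths (beginning with @\".\/\"@),
     so any not explicitly relative path is surely spoofed.

  2. Darcs normalizes paths so they never contain @\"\/..\/\"@, so paths with
     @\"\/..\/\"@ are surely spoofed.

  A path to a darcs repository's meta data can modify \"trusted\" patches or
  change safety defaults in that repository, so we check for paths
  containing @\"\/_darcs\/\"@ which is the entry to darcs meta data.

  Both of the latter checks are done per path component: the path is split
  with 'splitDirectories' and rejected if any component equals @\"..\"@ or
  'darcsdir'.

  To do?

  * How about get repositories?

  * Would it be worth adding a --semi-safe-paths option for allowing
    changes to certain preference files (_darcs\/prefs\/) in sub
    repositories?
-}
isMaliciousPath :: String -> Bool
isMaliciousPath fp =
    not (isExplicitlyRelative fp) || isGenerallyMalicious fp

-- | Warning : this is less rigorous than isMaliciousPath
-- but it's to allow for subpath representations that
-- don't start with ./
--
-- It only requires the path to be relative according to 'isRelative',
-- and then applies the same component check as 'isMaliciousPath'.
isMaliciousSubPath :: String -> Bool
isMaliciousSubPath fp =
    not (isRelative fp) || isGenerallyMalicious fp

-- | True when any component of the path, as split by 'splitDirectories',
-- is @\"..\"@ or 'darcsdir'.
--
-- NOTE(review): the comparison is an exact string match on each component,
-- and 'splitDirectories' follows the separator rules of the platform the
-- program was built for. Whether paths that alias these names on a given
-- file system need extra normalisation is not handled here; confirm
-- against the callers.
isGenerallyMalicious :: String -> Bool
isGenerallyMalicious fp =
    splitDirectories fp `contains_any` [ "..", darcsdir ]
 where
    -- Non-empty intersection: some element of a also occurs in b.
    contains_any a b = not . null $ intersect a b

-- | True only for paths whose first two characters are @\".\/\"@.
isExplicitlyRelative :: String -> Bool
isExplicitlyRelative ('.':'/':_) = True  -- begins with "./"
isExplicitlyRelative _ = False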