1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
|
package git
import (
"context"
"fmt"
"io"
"regexp"
"strings"
"github.com/prometheus/client_golang/prometheus"
"gitlab.com/gitlab-org/gitaly/internal/command"
"gitlab.com/gitlab-org/gitaly/internal/git/repository"
)
var invalidationTotal = prometheus.NewCounterVec(
prometheus.CounterOpts{
Name: "gitaly_invalid_commands_total",
Help: "Total number of invalid arguments tried to execute",
},
[]string{"command"},
)
func init() {
prometheus.MustRegister(invalidationTotal)
}
func incrInvalidArg(subcmdName string) {
invalidationTotal.WithLabelValues(subcmdName).Inc()
}
// Cmd is an interface for safe git commands
type Cmd interface {
ValidateArgs() ([]string, error)
IsCmd()
}
// SubCmd represents a specific git command
type SubCmd struct {
Name string // e.g. "log", or "cat-file", or "worktree"
Flags []Option // optional flags before the positional args
Args []string // positional args after all flags
PostSepArgs []string // post separator (i.e. "--") positional args
}
var subCmdNameRegex = regexp.MustCompile(`^[[:alnum:]]+(-[[:alnum:]]+)*$`)
// IsCmd allows SubCmd to satisfy the Cmd interface
func (sc SubCmd) IsCmd() {}
// ValidateArgs checks all arguments in the sub command and validates them
func (sc SubCmd) ValidateArgs() ([]string, error) {
var safeArgs []string
if !subCmdNameRegex.MatchString(sc.Name) {
return nil, &invalidArgErr{
msg: fmt.Sprintf("invalid sub command name %q", sc.Name),
}
}
safeArgs = append(safeArgs, sc.Name)
for _, o := range sc.Flags {
args, err := o.ValidateArgs()
if err != nil {
return nil, err
}
safeArgs = append(safeArgs, args...)
}
for _, a := range sc.Args {
if err := validatePositionalArg(a); err != nil {
return nil, err
}
safeArgs = append(safeArgs, a)
}
if len(sc.PostSepArgs) > 0 {
safeArgs = append(safeArgs, "--")
}
// post separator args do not need any validation
safeArgs = append(safeArgs, sc.PostSepArgs...)
return safeArgs, nil
}
// Option is a git command line flag with validation logic
type Option interface {
IsOption()
ValidateArgs() ([]string, error)
}
// SubSubCmd is a positional argument that appears in the list of options for
// a subcommand.
type SubSubCmd struct {
Name string
}
// IsOption is a method present on all Flag interface implementations
func (SubSubCmd) IsOption() {}
// ValidateArgs returns an error if the command name or options are not
// sanitary
func (sc SubSubCmd) ValidateArgs() ([]string, error) {
if !subCmdNameRegex.MatchString(sc.Name) {
return nil, &invalidArgErr{
msg: fmt.Sprintf("invalid sub-sub command name %q", sc.Name),
}
}
return []string{sc.Name}, nil
}
// ConfigPair is a sub-command option for use with commands like "git config"
type ConfigPair struct {
Key string
Value string
}
// IsOption is a method present on all Flag interface implementations
func (ConfigPair) IsOption() {}
var configKeyRegex = regexp.MustCompile(`^[[:alnum:]]+[-[:alnum:]]*\.(.+\.)*[[:alnum:]]+[-[:alnum:]]*$`)
// ValidateArgs validates the config pair args
func (cp ConfigPair) ValidateArgs() ([]string, error) {
if !configKeyRegex.MatchString(cp.Key) {
return nil, &invalidArgErr{
msg: fmt.Sprintf("config key %q failed regexp validation", cp.Key),
}
}
return []string{cp.Key, cp.Value}, nil
}
// Flag is a single token optional command line argument that enables or
// disables functionality (e.g. "-L")
type Flag struct {
Name string
}
// IsOption is a method present on all Flag interface implementations
func (Flag) IsOption() {}
// ValidateArgs returns an error if the flag is not sanitary
func (f Flag) ValidateArgs() ([]string, error) {
if !flagRegex.MatchString(f.Name) {
return nil, &invalidArgErr{
msg: fmt.Sprintf("flag %q failed regex validation", f.Name),
}
}
return []string{f.Name}, nil
}
// ValueFlag is an optional command line argument that is comprised of pair of
// tokens (e.g. "-n 50")
type ValueFlag struct {
Name string
Value string
}
// IsOption is a method present on all Flag interface implementations
func (ValueFlag) IsOption() {}
// ValidateArgs returns an error if the flag is not sanitary
func (vf ValueFlag) ValidateArgs() ([]string, error) {
if !flagRegex.MatchString(vf.Name) {
return nil, &invalidArgErr{
msg: fmt.Sprintf("value flag %q failed regex validation", vf.Name),
}
}
return []string{vf.Name, vf.Value}, nil
}
var flagRegex = regexp.MustCompile(`^(-|--)[[:alnum:]]`)
type invalidArgErr struct {
msg string
}
func (iae *invalidArgErr) Error() string { return iae.msg }
// IsInvalidArgErr relays if the error is due to an argument validation failure
func IsInvalidArgErr(err error) bool {
_, ok := err.(*invalidArgErr)
return ok
}
func validatePositionalArg(arg string) error {
if strings.HasPrefix(arg, "-") {
return &invalidArgErr{
msg: fmt.Sprintf("positional arg %q cannot start with dash '-'", arg),
}
}
return nil
}
// SafeCmd creates a git.Command with the given args and Repository. It
// validates the arguments in the command before executing.
func SafeCmd(ctx context.Context, repo repository.GitRepo, globals []Option, sc Cmd) (*command.Command, error) {
args, err := combineArgs(globals, sc)
if err != nil {
return nil, err
}
return unsafeCmd(ctx, repo, args...)
}
// SafeBareCmd creates a git.Command with the given args, stdin/stdout/stderr,
// and env. It validates the arguments in the command before executing.
func SafeBareCmd(ctx context.Context, stdin io.Reader, stdout, stderr io.Writer, env []string, globals []Option, sc Cmd) (*command.Command, error) {
args, err := combineArgs(globals, sc)
if err != nil {
return nil, err
}
return unsafeBareCmd(ctx, stdin, stdout, stderr, env, args...)
}
// SafeStdinCmd creates a git.Command with the given args and Repository that is
// suitable for Write()ing to. It validates the arguments in the command before
// executing.
func SafeStdinCmd(ctx context.Context, repo repository.GitRepo, globals []Option, sc SubCmd) (*command.Command, error) {
args, err := combineArgs(globals, sc)
if err != nil {
return nil, err
}
return unsafeStdinCmd(ctx, repo, args...)
}
// SafeCmdWithoutRepo works like Command but without a git repository. It
// validates the arguments in the command before executing.
func SafeCmdWithoutRepo(ctx context.Context, globals []Option, sc SubCmd) (*command.Command, error) {
args, err := combineArgs(globals, sc)
if err != nil {
return nil, err
}
return unsafeCmdWithoutRepo(ctx, args...)
}
func combineArgs(globals []Option, sc Cmd) (_ []string, err error) {
var args []string
defer func() {
if err != nil && IsInvalidArgErr(err) && len(args) > 0 {
incrInvalidArg(args[0])
}
}()
for _, g := range globals {
gargs, err := g.ValidateArgs()
if err != nil {
return nil, err
}
args = append(args, gargs...)
}
scArgs, err := sc.ValidateArgs()
if err != nil {
return nil, err
}
return append(args, scArgs...), nil
}
|
